Electronic Protected Health Information (ePHI) is no longer a foreign term in the health sector. In the last decade, technology has made many inroads into how we view healthcare today, so much so that the Department of Health and Human Services introduced another act specifically to address IT matters. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was formed in response to heightened health technology development. It supports enforcement of the HIPAA rules by increasing the penalties on organizations that violate them, whether willfully or inadvertently.
The question remains, however, whether incorporating IT makes a given entity HIPAA compliant by default. What many people do not understand is that being HIPAA compliant does not hinge on putting up a data center, strong networks or any other data infrastructure. It is, in fact, far more concerned with the procedures and policies that govern how this data is handled.
What is HIPAA Compliance?
HIPAA Compliance sets the standards for ensuring data privacy and security through physical, network and process security measures. It is not restricted to electronic protected health information only. While some of its specifications on how electronic means should be used are labelled ‘addressable’, compliance with the rule as a whole is, as a matter of fact, a mandatory requirement for all stakeholders that handle ePHI. HIPAA Compliance is assured when the HIPAA rules, most specifically the Privacy and Security Rules, are fully followed and exercised by an entity:
- HIPAA Privacy Rule - This rule sets the standards for the privacy of individually identifiable health information (established to protect patient health information). Under this rule the organization is required to spell out the administrative duties of each worker allowed to access PHI, to document any agreements between business associates and covered entities, and to state the privacy policies and procedures to be enforced.
- HIPAA Security Rule - Here the standards that regulate ePHI are clearly stated. It specifies a number of administrative, physical, and technical safeguards that must be put in place to guarantee that ePHI remains confidential, unaltered (its integrity preserved) and available when needed.
Who should be compliant?
There are two main groups who would be held responsible were a data breach to occur due to non-compliance. These are:
- Covered entities - Health care providers who are entrusted with sensitive patient information for the purpose of offering their services in one way or another. These are the people who provide treatment or oversee payments and other operations involving patient information. They include doctors, dentists, pharmacies, company health plans and health insurance companies.
- Business associates - Persons or entities whose work involves using or being exposed to protected health information. These could be IT hosting companies, cloud computing companies, laboratories, billing and coding companies, as well as attorneys. Subcontractors of business associates are also treated as business associates and are equally liable for non-compliance.
When it comes to matters of compliance, the Office for Civil Rights does not accept ignorance as an excuse.
Failure to comply with these rules can attract criminal charges in a court of law, civil lawsuits and substantial fines of up to billions of dollars, as stated in the HIPAA Enforcement Rule. In the case of Anthem Inc., a data breach resulting from a failure of compliance exposed the medical records of 80 million people. As a consequence, the company suffered billions of dollars in compensation.
The place of compliance in IT
Just as in business or education, IT has fostered enormous growth in the sector, making delivery of services much faster and more efficient than in the past. From networking to database management systems and cloud computing, healthcare providers have a wealth of tools at their disposal. The problem comes when cybercriminals gain access to electronic protected health information and either expose it against the patients’ wishes or sell it on the black market. According to an IBM survey, 70% of healthcare providers have experienced ransomware attacks. Phishing attacks and other data breaches caused by stolen mobile devices or laptops are also on the rise.
In most data breaches, it has been found that the entity, usually an organization, did not have a fully compliant data system in place. Sometimes the mistakes are minor but have a ripple effect: unencrypted emails, weak passwords or simply allowing intruders to access the system. The HIPAA Security Rule clearly states the safeguards that should be followed to the letter to assure patients, covered entities and business associates of full compliance.
- Administrative Safeguards - These are the overall action steps in the development, implementation and maintenance of strong security systems for an entity.
- Physical Safeguards - These include measures to limit facility access and unauthorized access in general. Policies and procedures should be laid down on how workstations and electronic media are to be protected from natural and environmental hazards as well as intrusion.
- Technical Safeguards - These are the safeguarding policies that should govern the collection, processing, retention and any form of disclosure of electronic protected health information. Access control is a key issue here, and some of the major action steps to be implemented include creating unique user IDs for employees, data encryption and automatic logoffs. It is also important that audit reports and logs are retained. Other technical safeguards lie in the network/transmission area, where emails require encryption and strong firewalls are needed to protect against malware.
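The technical safeguards listed above can be illustrated in code. The following is an added example written for this article, not code from any HIPAA guidance or regulatory body: a small access gate that enforces unique user IDs with role-based permissions, automatically logs off idle sessions, and keeps a tamper-evident (HMAC hash-chained) audit log of every access decision. The roles, permissions, idle timeout, user IDs and patient IDs are all constructed for the demonstration.

```python
"""Toy demonstration of three HIPAA technical safeguards: unique user IDs with
role-based access control, automatic logoff after idle time, and a tamper-
evident audit log. Example code written for illustration; every name, role,
timeout and sample ID here is constructed, not taken from any real system."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Assumed role-to-permission mapping (constructed for the example).
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
}


@dataclass
class Session:
    user_id: str
    last_activity: float  # clock reading of the last permitted action


class EphiAccessGate:
    """Mediates every access to ePHI and records it in a hash-chained audit log."""

    def __init__(self, idle_timeout_s, audit_key, clock=time.time):
        self.idle_timeout_s = idle_timeout_s
        self._audit_key = audit_key      # secret used to MAC each audit entry
        self._clock = clock              # injectable so tests can advance time
        self._users = {}                 # user_id -> role
        self._sessions = {}              # user_id -> Session
        self.audit_log = []              # append-only list of audit entries
        self._prev_mac = "0" * 64        # chain anchor for the first entry

    def register_user(self, user_id, role):
        # One person, one ID: shared or duplicate logins defeat accountability.
        if user_id in self._users:
            raise ValueError("user IDs must be unique")
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role")
        self._users[user_id] = role

    def login(self, user_id):
        if user_id not in self._users:
            self._record("login_denied", user_id, None, None)
            return False
        self._sessions[user_id] = Session(user_id, self._clock())
        self._record("login", user_id, None, None)
        return True

    def active_sessions(self):
        self._expire_idle()
        return set(self._sessions)

    def access_record(self, user_id, patient_id, action):
        """Return True if the action is permitted; every outcome is audited."""
        self._expire_idle()
        session = self._sessions.get(user_id)
        if session is None:
            self._record("denied_no_session", user_id, patient_id, action)
            return False
        if action not in ROLE_PERMISSIONS[self._users[user_id]]:
            self._record("denied_role", user_id, patient_id, action)
            return False
        session.last_activity = self._clock()
        self._record("allowed", user_id, patient_id, action)
        return True

    def _expire_idle(self):
        # Automatic logoff: drop any session idle longer than the timeout.
        now = self._clock()
        for uid, s in list(self._sessions.items()):
            if now - s.last_activity > self.idle_timeout_s:
                del self._sessions[uid]
                self._record("auto_logoff", uid, None, None)

    def _record(self, event, user_id, patient_id, action):
        entry = {"ts": self._clock(), "event": event, "user_id": user_id,
                 "patient_id": patient_id, "action": action,
                 "prev": self._prev_mac}
        entry["mac"] = self._mac(entry)
        self.audit_log.append(entry)
        self._prev_mac = entry["mac"]

    def _mac(self, entry):
        # MAC covers every field except the MAC itself, plus the previous MAC,
        # so editing or deleting any earlier entry breaks the chain.
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                          sort_keys=True)
        return hmac.new(self._audit_key, body.encode(), hashlib.sha256).hexdigest()

    def verify_audit(self):
        """Recompute the chain; False means an entry was altered or removed."""
        prev = "0" * 64
        for entry in self.audit_log:
            if entry["prev"] != prev or not hmac.compare_digest(
                    entry["mac"], self._mac(entry)):
                return False
            prev = entry["mac"]
        return True


if __name__ == "__main__":
    gate = EphiAccessGate(idle_timeout_s=300, audit_key=b"constructed-demo-key")
    gate.register_user("u-1001", "clinician")
    gate.login("u-1001")
    print(gate.access_record("u-1001", "p-42", "write"))   # True
    print(gate.access_record("u-1001", "p-42", "delete"))  # False (not a permission)
    print(gate.verify_audit())                             # True
```

In a real deployment the audit key would live in a secrets store or HSM rather than in code, and the log would be shipped to write-once storage; the chain here only makes local tampering detectable, it does not prevent it.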
Whether it is through offsite data backup, encryption or threat management, both covered entities and business associates carry the continuous responsibility of remaining HIPAA compliant.
Does HIPAA Compliance necessarily mean IT integration? No, it does not. However, any IT integration must apply all standards of HIPAA Compliance. Every avenue that could pose a security risk to protected health information must be sealed at all costs. Malicious acts that affect data privacy cannot be stopped. Cyber-attacks continue to be rampant, especially in the health sector, where PHI is deemed more valuable than even credit card or Social Security numbers. Prevention, therefore, is better than cure.