The Health Insurance Portability and Accountability Act, otherwise known as HIPAA, is an all encompassing piece of legislation that was designed to protect protected health information (PHI) of consumers. Unfortunately, there is a lot of misunderstanding about this act and how it affects the healthcare industry. Recently, Paubox had a chance to understand HIPAA compliance better courtesy of a webinar by Brian Tuttle, of Mentorhealth.
HIPAA was actually never meant to be a privacy or security piece of legislation, but was aimed to solve insurance portability. However, with the emerging public concern over PHI, the healthcare industry moving towards a digital age, and the increasing value of healthcare data to cybercriminals, HIPAA took on the challenge of protecting the public’s PHI.
Despite the intentions of HIPAA, healthcare security is sorely lacking when it comes to data breaches. One of the reasons for the poor performance was due to the lack of enforcement and accountability by all parties involved early on. The language of HIPAA does a good job of telling covered entities (CE) and business associates (BA) what not to do when it comes to protecting PHI. However it was not very clear on how CEs and BAs should go about protecting PHI. One thing that CEs and BAs can take solace in, is that the government is not expecting anyone to spend millions of dollars on cybersecurity like the CIA. All the government asks for is reasonable and appropriate actions to minimize the risk of a breach.
Once the HIPAA Omnibus rule was passed back in 2013, everything changed. Prior to the Omnibus rule, HIPAA was a metaphorical Chihuahua, all bark but little bite. With the changes from the Omnibus rule, HIPAA became a vigilant German Shepherd. The change allows the Office of Civil Rights (OCR) with the Health and Human Services Department to audit CEs and BAs, assess fines up to $1.5 million for HIPAA violations, and even allow state attorneys to pursue legal actions that can lead to imprisonment. The point is, anyone that deals with PHI needs to take HIPAA seriously now.
The question then becomes what constitutes a HIPAA breach?
According to HIPAA rules, a breach is any impermissible use or disclosure of PHI with subsequent requirement to provide a breach notification, unless a CE and BA provides evidence that the PHI was not compromised. Just because there was a breach, does not necessarily mean that PHI was compromised. How does one tell if PHI was compromised? According to Brian, it comes down to answering the following questions:
- What the was the nature and extent of the breach?
- Was the data viewed or acquired?
- What was the extent to which the risk was mitigated?
Once you understand what constitutes a breach of PHI, there are steps to minimize your risk and meet HIPAA compliance. Some of the suggestions that was offered by Brian are listed below:
- Conduct a risk assessment, do it annually is considered best practice. Make sure the risk assessment cover aspects of the HIPAA security and privacy rule.
- Do not share passwords and change them often (every 180 days is recommended), also make sure that there are not too many admin passwords.
- Have a backup storage of your data and have that source encrypted.
- Have passwords and automated log off on all computers and mobile devices. Keep track of these devices and have remote wiping available should a theft occur with mobile devices.
- Encrypt your emails. According to HHS and HIPAA if you intend on communicating via email outside of your domain, then it is best to use a secure and encrypted source.
- Make sure that there is some kind of ambient noise (i.e. a tv) in areas where others can overhear you or your staff talking about PHI.
- Make sure that staff is adequately trained.
- Have an alarm system for your office.
- Make sure that your wifi source is secure and protected. Do not log on to public wifi sources with mobile devices that contain PHI.
- Make sure that your website is secure. If you have forms on your website that ask for patient information,it is best to have those links and landing pages secured and encrypted.
- Use whole disk encryption or at least file encryption for all computers. Most new Windows and Mac OS have pre-installed encryption software. If you do not have one available there free ones online available to use.
Overall these are some low hanging fruits that anyone dealing with HIPAA and PHI can use to boost their compliance and secure their PHI. A HIPAA audit can be scary and detrimental to your business, but it does not have to be. The best course of action for anyone who deals with PHI (and therefore HIPAA) is to be proactive, conduct a risk assessment covering both HIPAA security and privacy rules, get policies in place, train your staff well, have a good audit system, hire good people, and have reasonable and appropriate responses.