By Adnan Olia, Chief Operating Officer, Intradyn
HIPAA compliance is a challenge — ask anyone in the health care industry and they’ll likely tell you the same. Health-related organizations at every level, from small private practices to hospitals, struggle to remain HIPAA compliant, in large part because HIPAA is so broad.
For a bit of context, let’s take a look at how HIPAA is defined. Passed in 1996, the Health Insurance Portability and Accountability Act (more commonly known as HIPAA) “establishes, for the first time, a set of national standards for the protection of certain health information […] The Privacy Rule standards address the use and disclosure of individuals’ health information — called ‘protected health information’ by organizations subject to the Privacy Rule — called ‘covered entities,’ as well as standards for individuals’ privacy rights to understand and control how their health information is used.” The U.S. Department of Health & Human Services (HHS) defines Protected Health Information (PHI) as “any individually identifiable health information held or transmitted by a covered entity or its business associates.”
In summary, HIPAA exists to protect patients’ private data against fraud and theft and dictates how that data can be distributed. If it seems relatively straightforward, that’s because it is — until you factor in how HIPAA is enforced. HIPAA applies to PHI that’s transmitted electronically and “covers a large range of data transfer protocols, from handling face-to-face interactions to transferring and backing up data.” Because the channels through which we communicate have expanded to include digital platforms, such as social media, text messaging and email, it’s easy to see why it’s so challenging for organizations to maintain HIPAA compliance. In fact, many health care organizations that think they’re HIPAA compliant (or at least claim to be) actually are not.
That’s troubling for a few reasons. First and foremost, it leaves health care records (and patients’ private information) vulnerable to data breaches. Between 2009 and 2019 there were 2,546 significant health care data breaches (those involving more than 500 records), resulting in the theft or exposure of 189,945,874 health care records. Also, health care orgs deemed non-compliant face harsh penalties. Fines for HIPAA violations can range anywhere from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year — and that’s on top of potential civil and criminal penalties.
Given the severe consequences of failure to comply with HIPAA standards, it’s imperative that health care orgs do everything within their power to get their affairs in order, starting with the following:
- Be better prepared for eDiscovery requests and HIPAA audits. When it comes to HIPAA audits, it isn’t a matter of whether you’ll be audited, but when. There are measures you can take to prepare for when that day inevitably comes, such as thoroughly documenting HIPAA policies and procedures within your organization, conducting routine risk assessments and creating in-depth training materials. It’s also in your best interest to implement a software solution that makes it easier for your legal team to respond to eDiscovery and litigation requests, which in turn streamlines the audit process.
- Properly maintain — and dispose of — patient data. The key to properly maintaining patient data is to enforce strict data security standards. The HHS defines these standards under its Security Rule, which sets out detailed administrative and technical requirements, along with implementation specifications and organizational and documentation requirements.
As far as the disposal of patient data is concerned, PHI cannot be disposed of unless the individually identifying information is removed or destroyed. This is easier said than done in the world of electronic communications, and the HITECH Act complicates things further, so be sure to do your due diligence before disposing of anything.
- Maintain an email archive. Email archiving isn’t required under HIPAA’s Security Rule, but storing all electronic communications in a single location can go a long way toward ensuring HIPAA compliance. That’s because maintaining an email archive makes it easier to screen incoming and outgoing emails, create custom retention policies, index and search emails, monitor who has access to your organization’s emails and quickly recover any emails that were accidentally deleted.
- Develop a comprehensive HIPAA disaster recovery plan. One of the administrative safeguards outlined in the HIPAA Security Rule is that health care orgs must have a contingency plan in place, one that includes a detailed disaster recovery plan.
That plan should consider the following:
- Does the plan address issues specific to my operating environment?
- Is a copy of the plan ready and accessible at more than one location?
- How will operations be conducted in the event of an emergency?
- Which members of my organization will be responsible for carrying out operations in the event of an emergency?
- How will confidential data and safeguards for that data be restored after a disaster?
Even health-related organizations that are diligent about HIPAA compliance make mistakes from time to time. Don’t let that discourage you — so long as you make a good faith effort to cover all of your bases, you can provide your patients with peace of mind and rest assured that your business is well-protected.
About the Author
Adnan A. Olia is a senior member of the Intradyn team and is responsible for keeping an eye on the regulatory and technological marketplaces. Adnan provides thought leadership in the archiving and compliance sector to help Intradyn understand the latest trends in business innovation.
Adnan can be reached online via LinkedIn at linkedin.com/in/adnanolia and at our company website, www.intradyn.com.