In 1996, Congress called for better protection and confidential handling of protected health information (PHI). Later that year, they passed the Health Insurance Portability and Accountability Act; we know it as HIPAA. 23 years later, HIPAA continues to protect patients and their information, but the way we’ve had to handle patient data has significantly changed since then.
A Look at How HIPAA Has Evolved Over the Last 20+ Years
In the past 20 years alone, we’ve seen numerous technological advancements that have reshaped our lives – search engines, smartphones, Wi-Fi and social media, to name a few. We’re now living in a digital world. Not only has it affected our everyday personal lives, it’s also changed how we conduct business. Technology has presented new opportunities, and just as many obstacles, for companies, including medical practices and financial institutions.
Back when HIPAA went into effect, you couldn’t find a patient’s PHI anywhere but on a piece of paper. Before we started storing everything we do on a computer or up in the cloud, businesses had to worry about physical theft more than anything. Phishing and ransomware didn’t exist at the time. Nowadays, we rely more on electronic protected health information (ePHI) than we do on paper records. While it’s certainly more convenient and organized than a drawer of files, security cameras and a guard team are no match for a group of hackers.
To counter digital threats, the Office for Civil Rights (OCR) passed the Omnibus Rule in 2013, requiring healthcare providers to report even data breaches that caused no apparent harm. Beyond this, however, there haven’t been many changes to HIPAA since its inception. There’s no denying that there are many holes in the HIPAA rule, and it needs to be massively overhauled if it is to stay relevant in an ever-changing digital world.
Compliance is Mandatory – No Exceptions
One thing about HIPAA that hasn’t changed since 1996 is that it’s non-negotiable. Any business that handles PHI has no option but to comply with HIPAA. It’s more important than ever that you do too. With cybercriminals constantly targeting the healthcare industry, human error accounting for most data breaches, and the simplicity of filing a complaint online, an audit of your organization can happen at any given time – and you must be ready when it does.
A giant misconception about HIPAA audits is that they happen whenever the OCR – which is responsible for enforcing HIPAA – decides to ‘check in’ on an organization. No, the OCR doesn’t have the staff to audit organizations without a valid reason. Something has to trigger an audit before it occurs. Some of the most common audit triggers are:
- Patient Complaints – Patients file complaints for numerous reasons. The majority of these complaints happen when an organization denies a patient access to their personal medical records, or when a confidential medical chart pops up in a social media post.
- Employee Complaints – There are many cases where disgruntled, terminated employees file a complaint against their past employer. Whistleblowers reporting wrongdoing within the organization will certainly trigger an audit.
- Employee Mistakes – Everyone makes mistakes; in the healthcare industry, though, those mistakes end up triggering an audit. Untrained employees are susceptible to phishing emails and prone to using simple passwords and sending medical records to the wrong person.
- Insider Wrongdoing – Some employees may break company policy with malicious intent, others may do so out of curiosity. Whether it’s to steal patient records or to peek at someone’s medical history, any instance is grounds for an audit.
- 3rd Party Mistakes – A mistake caused by a Business Associate or partner company can trigger an audit, especially if they are victims of a data breach.
- Breach of Security – Lost or stolen devices holding unencrypted business data and information are a major audit trigger, alongside any malware or ransomware incident that affects access to patient information.
Whatever the trigger may be, it often isn’t the biggest problem the OCR will penalize your organization for. This is why it’s critically important to stay on top of your HIPAA compliance at all times.
What the OCR Asks and Looks for During an Audit
You’re required by law to report a security incident affecting your business. Once you do, there’ll be many questions. Why didn’t you have a password protecting your internet access? Why aren’t your employees trained to identify and discard phishing emails? What policies are in place to limit the usage of a company workstation? These are only a few of the questions the OCR will ask you; there are plenty more once they begin the audit sequence.
Here are some things that the OCR will look for during an audit.
- Security Risk Assessment – A Security Risk Assessment (SRA) is a crucial piece of the compliance program. It’s used to search for any gaps or exploitable weaknesses in your organization’s administrative and physical/digital safeguards that may be putting PHI at risk. You must be able to show the OCR documented proof of your SRA.
- Risk Management Plan – A Risk Management Plan (RMP) is a documented outline of what your organization needs to do to cover security gaps laid out in your SRA. OCR will look at this to see if you’ve taken steps to remediate any problems.
- Policies & Procedures – Every company has policies and procedures, but not every employee understands the meaning behind them all. Make sure your employees read every policy and are able to sign off on them. This is vital in the case of a security incident, as it’s documented proof that your employees acknowledged the policies.
- Security Officer – An organization should have a Security Officer – an individual responsible for making sure employees are following company policies and procedures. They are also the ones to make sure every employee undergoes routine HIPAA training.
- Routine HIPAA Training – HIPAA training is a requirement for all employees. Not only does it help reduce the chance of errors, it also keeps employees in the loop about the latest threats and the best security measures to practice.
- Business Associate Agreements – Every organization should have a Business Associate Agreement (BAA) with any third-party vendor that handles patient data. If a Business Associate experiences a data breach, it may very well affect your organization, so it’s important they treat HIPAA compliance as seriously as your company does.
The Key Takeaway from This
HIPAA needs an update to keep up with the evolving digital world, but despite the apparent flaws you still have to adhere to it. If someone files a complaint today that triggers an audit, you must be confident that you are HIPAA compliant. If you don’t think you are, it’s time to start working on it – before it’s too late.
Make sure you’re HIPAA compliant today! Protect your organization by contacting Biztek Solutions and scheduling your first HIPAA compliance assessment.