Important items to include in your HIPAA compliance checklist, based on the latest updates. Consider that in over 24 years since its implementation, there have been many updates. When HIPAA was first passed, most healthcare records were kept on paper and email had just begun to gain popularity.
Now, with patient records kept electronically and “everyone’s grandmother using email”, it’s time to reassess your HIPAA policies. Is your organization educated on the latest HIPAA rules? Read on to see if your new technology is keeping current with the latest HIPAA changes and update your HIPAA compliance checklist.
There are several new trends healthcare organizations need to consider when being proactive for the future. With new technology changing so rapidly, and new regulations being passed, are you aware of the changes?
National patient identifier: In 1996, HIPAA intended to include a national patient identifier. Its benefit was to match patients with their health codes, tying their health data to the code. But Congress prohibited the Department of Health and Human Services (HHS) from implementing it due to privacy concerns. The ban lasted until June 2019, when Congress overruled it. As of January 1, 2020, a requirement for an identifier for Medicare beneficiaries has gone into effect.
There is some controversy regarding the lifting of the ban. A National Patient Identifier Repeal Act was introduced to ensure HIPAA drops the patient identifier altogether. Whether this ban will continue or be lifted remains to be seen. Keep an eye out for changes on this front.
Increased enforcement by the Office for Civil Rights (OCR): Breach penalties can be devastating for a healthcare organization. The OCR enforces HIPAA rules, and lately, the violation penalties have been growing. In 2019, the OCR collected over $12 million in penalties. A new trend also began in 2019 when the OCR won its first settlement under the Rights of Access Initiative. This case held the healthcare organization accountable for not providing a patient’s medical records to the patient promptly. The settlement was not a one-time-only case, as the OCR won a second settlement regarding the Rights of Access Initiative at the end of the year. These settlements show that healthcare organizations need to provide timely access to patients’ information, based on HIPAA rules.
Need for data security: Data security is a key aspect of HIPAA compliance. With criminals constantly finding new ways to gain access to records, it’s even more important to ensure that not only is electronic protected health information (ePHI) secure but that there’s a plan and accountability in place when security fails.
Failure to report a data breach: Sentara Hospitals was fined $2.175 million for failing to report a breach of patients’ ePHI. Even after they discovered the breach, they failed to report it. They incorrectly assumed they had not committed a breach since the patient diagnosis and treatment information was not disclosed.
Failure to report within allocated time: Multiple data breaches cost Jackson Health System (JHS) $2.15 million. The OCR found JHS responsible for several breaches, including losing paper files and allowing a reporter to share a photo of an operating room that contained patient information. In addition, an employee was found to have been selling patient PHI since 2011. The OCR determined that JHS did not disclose information about the breach in time and neglected to keep a working HIPAA compliance program in effect.
Patient data was viewable online: The Texas Health and Human Services Commission was penalized $1.6 million for allowing patients’ ePHI to be openly viewed on the internet. It was determined that it had failed to conduct a proper risk analysis when moving data from a secure server to a public server.
Other emerging trends that will affect HIPAA
Medical research: The HIPAA Privacy Rule protects patient ePHI during medical research. There has been debate about whether HIPAA is hindering research progress, with some researchers arguing that their ongoing work is being impeded. Be on the lookout for further clarification of the HIPAA rules for medical research.
The shift to value-based care: In the movement away from paying per treatment and instead charging patients for outcomes, open sharing of patient data and awareness of the security risks it presents will become even more critical. Value-based care requires a holistic view of the patient’s information, and it will be interesting to see how the OCR will respond to this new way of patient care.
Artificial intelligence (AI): AI is already being used in healthcare to conduct medical imaging diagnostics. The field is continuing to grow, and it’s not hard to imagine the big changes it will create in healthcare. However, an AI system is only as HIPAA-compliant as it is programmed to be. As these new technologies are introduced, special care will need to be taken with patient privacy.
Blockchain: Blockchain is a chain of data stored in a public database. It’s used for cryptocurrency, but its possibilities are limitless. Blockchain could protect patient ePHI by keeping data decentralized. When a hacker accesses a database where all employee records are shared, the damage is immense. Blockchain can solve this problem by keeping the data out of one central database. But it’s such a new technology that HIPAA regulations have not caught up to it yet. Watch for HIPAA to address blockchain.
What’s on your HIPAA compliance checklist
For additional guidance, HHS has provided The Seven Fundamental Elements of an Effective Compiance Program. While this checklist is useful, it’s the bare minimum of what healthcare organizations and business entities need to do to comply with HIPAA. Here are a few more tips.
1. Use social media wisely
Social media has grown in leaps and bounds over the past decade. Everything seems to be on social media these days, but you don’t want your patients’ health data showing up there. Social media, like any other method of communication, needs to be regulated under HIPAA.
Here are some possible social media violations to watch out for: (1) sharing patient photos without written permission, (2) posting pictures of your medical office that have patients’ files visible in the background, (3) publishing ePHI, and (4) posting gossip, even if a patient’s name is not disclosed.
Be familiar with Crisis Communication and how to use Social Media effectively.
2. Encrypt mobile devices
Consider how your employees use mobile devices when you’re creating your HIPAA compliance checklist for 2020. The use of mobile devices is now widespread, and you need to be proactive in regard to HIPAA.
Although smartphones, tablets, and other devices can greatly increase efficiency, patient data must remain secure. In 2019, OCR won a $3 million settlement from the University of Rochester Medical Center because it failed to encrypt its mobile devices.
Take these steps when allowing employees to use mobile devices: (1) provide staff training regularly to educate employees about safe data practices, (2) use secure text messaging, (3) Allow devices to be remotely wiped of data in the event of loss or theft, (4) require secure passwords to access devices, (5) conduct risk assessments on your mobile devices regularly to ensure data is being kept secure, and (6) encrypt all data stored on mobile devices.
3. Be attentive to state regulations
It’s not just the OCR you need to be aware of; state attorney generals, under the authority of HHS, have been actively going after non-compliant entities for HIPAA violations. And for the first time ever, at the end of 2018, 12 state attorney generals banded together to create a multi-state suit against a medical records company for a data breach of patient ePHI.
It remains to be seen if the trend of states banding together to enforce HIPAA violations will become more prevalent. Further, will state attorneys interpret HIPAA compliance in the same way as the OCR, or will organizations need to ensure compliance with the state attorney generals as well as the OCR?
4. How about your Cybersecurity
Safety measures need to be put in place to protect patient data, including encryption and firewalls.
5. Administrative training
Employees must be regularly trained on written procedures regarding HIPAA compliance.
6. Physical security
A healthcare organization or business entity’s physical worksite needs to be secured with keypad locks, security cameras, or other measures.
7. Do regular audits and complete HIPAA Risk Analysis/Assessments
Healthcare organizations and business entities should conduct regular audits to prepare for a possible review from the OCR. You can self-audit internally or get outside help from a consultant for a third-party audit.
8. Incident response plan
Be sure a proper incident response plan is on your HIPAA compliance checklist for 2020. Many of the HIPAA penalties levied by the OCR occur due to the organization’s failure to respond to the breach timely or effectively. When over 500 individuals are affected, a breach must be reported to the HHS, the affected individuals, and the media within 60 days. Breaches affecting fewer than 500 individuals must be reported by the end of the calendar year to HHS and the affected individuals.
By having an incident response plan ready to go, you will reduce the delay it takes to report the breach and possibly limit the breach itself by detecting and acting on it quickly. Acting quickly once a breach is known greatly reduces the chances you will possibly mitigate fines.
Consider Outsourcing your corporate compliance activities
Outsourcing Your Corporate Compliance Program may take the stress out of trying to figure out the complex, evolving HIPAA regulations, as well as keeping up with new technologies that require you to constantly assess your organization for security risks.
Corporate compliance programs, as well as HIPAA-related regulations, may be effectively managed with the assistance of a qualified consulting firm. Whatever you plan to do, make sure your organization’s HIPAA compliance checklist is ready.