Imagine if everybody had access to your personal and health information. Would you be comfortable knowing that anyone can access your records?
Believe it or not, only a few years ago, there were no laws or regulations preventing your caregivers from disseminating your personal information. Your information could have gone out to anybody, and there was very little that you could do about it.
All of that changed with the HIPAA, which brought about the much-needed security. How does it benefit the average individual?
Well, the first important thing to determine is what HIPAA is.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 is U.S. legislation that establishes data privacy and security provisions for safeguarding medical information. The law gained prominence as health data breaches rose due to cyberattacks on health insurers and care providers.
Before the HIPAA, generally accepted security standards or requirements for protecting health information did not exist in the health industry. When technology evolved in the mid-90s, the healthcare industry moved away from paper processes to rely on electronic information systems for claims, health information, and other administrative functions.
The Act required the Secretary of the U.S. Department of Health and Human Services (HHS) to enact regulations that would protect the security and privacy of health information. HHS had to publish the HIPAA Privacy Rule and HIPAA Security Rule to fulfill those requirements.
The goal of the Security Rule is to protect the privacy of an individual’s health information while also enabling covered entities to adopt technology that improves the quality of patient care.
HIPAA establishes the responsibilities of covered entities and their business associates for patients’ health data. Its rules and regulations protect patients’ health data from unauthorized access.
Businesses that handle protected health information (PHI) must have physical, network, and process security measures in place and abide by them to be HIPAA compliant.
Any entity that provides treatment, payment, or operations in healthcare, as well as its business associates, must be HIPAA compliant.
Under the Act, health care providers must have computerized operations, which include a computerized physician order entry (CPOE) system, electronic health records (EHR), as well as pharmacy, radiology, and laboratory systems.
What does a covered entity or a business associate have to do to ensure compliance physically?
Physical And Technical Safeguards
Let’s get more in-depth about the three different aspects.
Due to the rise in the use and sharing of electronic patient data, healthcare organizations have to meet the demand for data security while complying with HIPAA regulations. A data protection strategy allows healthcare organizations to:
Statistics from the last nine years show a steady increase in data breaches. Since records were first published, 2018 has had more breaches than any other year.
The implementation of sound policies and the use of encryption have helped to reduce breaches. The statistics revealed that the main causes of healthcare data breaches were hacking/IT incidents, while the most common occurrences were unauthorized access/disclosures.
Statistics gathered from 2009 until 2018 showed 2,546 healthcare data breaches, each involving more than 500 records. Those breaches resulted in the theft or exposure of 189,945,874 healthcare records, a number equal to 59% of the U.S. population.
More than one data breach is being reported per day.
Recycled Hard Drives
Health organizations have to abide by certain rules when disposing of computer hard drives that contain ePHI.
The general rule is that healthcare providers need to implement reasonable safeguards to limit the exposure of ePHI up until the point of destruction. Organizations need to follow three basic requirements.
The procedure has three steps: the client arrives on-site to witness the destruction, the serial number of each hard drive is recorded, and the drives are shredded to the appropriate size. Once the organization has followed this procedure, it can obtain a Certificate of Destruction.
The National Association of Information Destruction (NAID) is a certification body for information and data destruction and acts as an independent auditor.
Since the government takes HIPAA seriously and wants involved parties to do the same, it passed a supplementary act, the Health Information Technology for Economic and Clinical Health (HITECH) Act. This act raises penalties for organizations that violate the HIPAA Privacy and Security Rules.
It’s in the interest of a business to comply with HIPAA unless they want to face some heavy fines. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has obtained millions of dollars from violators.
The impact of violations is a heavy burden on small businesses. OCR stated that everyone in the healthcare provider value chain is responsible for complying and that small businesses are not exempt from penalties.
The OCR had a record year for HIPAA enforcement in 2018.
Most of the penalties for non-compliance range from $100 to $50,000. For a small business, $50,000 is significant. Violations can also lead to criminal charges, resulting in prison time.
So far in 2019, Cottage Health received a $3 million fine, Touchstone Medical Imaging also received a fine for the same amount, and Indiana Medical Records received a $100,000 fine.
OCR isn’t the only one who can come after you if you’ve been negligent. An Arizona attorney announced a settlement with Medical Informatics Engineering, whose system hackers infiltrated to steal the records of 3.9 million individuals.
The settlement stated that Medical Informatics Engineering had to pay $900,000 to the 16 plaintiff states.
Here are five secure communication types to keep your business compliant:
Now that you’ve discovered how much small businesses and large ones alike are paying in penalties for violating HIPAA, it’s best to take the necessary precautions.
Not only can hackers access the personal records of patients and staff, but you may also face criminal prosecution. Besides protecting patients, healthcare providers who ensure proper HIPAA compliance also insure themselves.
The last thing that any organization wants is to have its private records disseminated. Complying with the HIPAA ensures that you are abiding by federal law and protecting the interests of individuals and your business.
Take the necessary steps to ensure that your business isn’t exposed.