In 1996 the US Congress passed a new regulation for the healthcare industry: the Health Insurance Portability and Accountability Act (HIPAA), designed to protect the privacy and security of patients' sensitive health information. The act also established a national standard for electronic healthcare transactions and introduced unique health identifiers. The regulation was further strengthened in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which greatly expanded HIPAA's privacy and security rules and introduced increased penalties for violations.
The Importance of Compliance
The regulation introduced a framework that safeguards who has access to healthcare data and what information may be shared. Any organisation holding PHI (Protected Health Information) needs physical, network and process security measures in order to be compliant.
The rules are not limited to healthcare organisations either: other covered entities, including subcontractors and any other related business associates, must also meet the compliance requirements.
What is a HIPAA violation?
A HIPAA violation occurs when an organisation's compliance program is breached such that the integrity of protected health information or electronic protected health information (PHI/ePHI) is compromised.
Examples of HIPAA violations would include:
In 2017 the Office for Civil Rights (OCR), which enforces this regulation, reached its first HIPAA settlement for a violation of the regulation's breach notification rule: a fine of $475,000 against Presence Health, one of America's largest healthcare organisations, for not reporting a breach within the required timeframe.
HIPAA Compliance Requirements:
The compliance processes that businesses should follow include:
While the processes mentioned above are important, continuous review and improvement of systems, policies and procedures carry equal weight, so these baselines should not be viewed from a 'set it and forget it' perspective. As new technologies emerge, new challenges arise in making sure health information remains more than adequately protected.
The Future for HIPAA:
The growing use of social media by healthcare personnel presents an increased risk to patient privacy. Even though the regulation clearly forbids the sharing of patient information on social media, it offers little detail on what measures healthcare providers can take to get a handle on this risk. As recently as September 2018, a nurse at a Texas children's hospital was fired for posting protected health information on a social media website.
Mobile devices and unencrypted laptops continue to pose a privacy and security concern, especially in the ways health data can flow, and how covered entities can handle that data.
With HIPAA having recently marked its 20th anniversary, and with the HITECH Act further strengthening the regulation, it can be said that HIPAA's future is assured. With an increase in scope, auditing and enforcement, the law's influence is likely to grow considerably.
Healthcare organisations are dealing with increasingly sensitive data that needs protecting more than ever before. There is, however, a huge benefit in the meaningful use of Electronic Medical Records (EMR). Find out more from Protegrity's solutions brief, Healthcare Data Security Solutions, which shows how a data-first approach keeps PHI secure throughout its life cycle, no matter where it is used or stored.