Did you know that as of January 2017, there have been more than 1,800 sizeable security breaches of healthcare information? Each of these 1,800 breaches disclosed the patient information of more than 500 people at a time.
All of these cases can be viewed on the U.S. Dept. of Health and Human Services (HHS) website. How can you keep your hospital/practice off this list?
Here are some HIPAA tips to keep in mind for 2017:
- Know that the HHS Office for Civil Rights (OCR) has identified two areas of focus in 2017:
  - Audits: OCR is still operating in Phase 2 of its HIPAA audit process.
  - Modernizing HIPAA: this addresses cybersecurity risks, big data, and new technologies.
- Consider monitoring your vendors and implementing business associate agreements. Hospital and practice vendors who can access your patients’ data are also responsible for keeping that data secure. Note that this includes cloud service providers that receive, maintain, or transmit protected health information (PHI); the OCR is watching closely for HIPAA compliance in this area.
- Is your data protected? In any collection of big data, there is concern about effective de-identification. While HIPAA contains strong practices defining de-identified data, there are ongoing risks due to new technologies that can potentially re-identify information.
- The recent passage of the 21st Century Cures Act in Congress creates a working group to address the privacy challenges of how PHI can be gathered, studied, and utilized. This group will likely address data analytics and regulatory obligations in connection with meaningful use. This is something to watch this year.
- New technologies, apps, and fitness wearables may blur the line between what is normally considered healthcare data and data that falls outside the usual HIPAA regulatory structure. The OCR is aware that HIPAA may not apply to this new data “beyond medical records.” However, OCR is determining the boundaries of its regulations regarding the burgeoning Internet of Things.
- If there is a data breach, then you must report it immediately. One of the first acts by the OCR this year was to fine a medical practice for negligent and late reporting.
- Note that HIPAA policy can and will change throughout the year. Changes from the new administration, potential changes in HHS OCR leadership, and the FTC, which is also eyeing data security, can all mean changes to HIPAA compliance regulations. Stay current, secure, and not sorry.
According to the FY-2017 HHS OCR Justification for Estimates for Appropriations Committee document:
“There have been significant advances and innovations in health information technology, including the widespread adoption of electronic medical records and the use of cloud-based and mobile health applications by the clinical care providers, public health professionals, and individuals eager to take control of healthcare decisions for themselves and their families. The demand for accurate, real-time health information to support delivery system reform and power advances in medical research has increased exponentially.
We can realize the full potential of these innovations only if individuals and the public at large support a more robust system for the collection, use, and sharing of the personal health information and other data necessary to fuel these changes. Such support will come only to the extent the public can be assured of adequate protections for the privacy and security of their personal health information as well as of their right to access the information and gain the benefits of the initiatives underway. As a result, it is critical that the laws and policies that provide these rights and protections do so in ways that support the data sharing necessary to power innovation and that reflect both the full spectrum of entities that will have access to personal health data and the full range of data that will be collected.
HIPAA’s Privacy and Security Rules need an update, through expanded guidance and in some cases regulatory change, to reflect the information demands of the new health ecosystem.”
Get ready to check your HIPAA compliance throughout 2017, and protect your organization’s reputation and data. HIPAA compliance is an area being watched by customers, class action lawyers, and news media alike. We can help conduct security risk assessments (SRA), address privacy and compliance changes, and safeguard important patient and organization data.