HIPAA IT Requirements

How HIPAA IT Regulations Are Changing and Five Ways to Protect your Medical Practice

HIPAA, the Health Insurance Portability and Accountability Act, passed in 1996, was designed to establish national standards for protecting confidential patient medical data. The HIPAA law also provides the medical community with a framework to compile and share medical data in the interest of public health and improved medical care in the U.S., all while protecting the privacy of patients. The Department of Health and Human Services’ Office for Civil Rights (OCR) is the federal oversight entity responsible for enforcing HIPAA standards, conducting regular audits, and executing penalties for violations. In other words, it is the big dog that you want to keep on your good side, always.

It’s amazing how complicated those five small letters can be for your practice, and I hate to be the bearer of bad news, but it’s just going to get worse. HIPAA is broken down into two main components: the HIPAA Privacy Rule, which deals with the saving, accessing, and sharing of confidential medical or personal information for any individual, and the HIPAA Security Rule, which enforces specific national security standards to keep electronic protected health information (ePHI) safe and available only to those authorized for access. The Security Rule is a wide blanket covering any health data created, received, maintained, or transmitted electronically.

As if that weren’t enough, to tighten up HIPAA IT regulations even more, in 2009 a supplemental act was passed called the Health Information for Economic and Clinical Health (HITECH) Act, which raised the penalties for any health organization in violation of HIPAA standards. The HITECH Act was developed in response to the growing practice of storing and sharing health data through multiple electronic methods, which exposes that data to a greater risk of privacy invasion.

So what’s changed, and how will it impact your practice? The Office for Civil Rights (OCR), the oversight entity for HIPAA, has conducted phase one audits since inception to ensure adherence to compliance guidelines. Those audits, however, were more general in nature and did not focus in any depth on the HIPAA Security Rule. That all changed in 2016, when OCR put phase two of the audit program into action, introducing a revamped audit protocol that puts a laser-like focus on HIPAA’s privacy, security, and breach notification rules.

The general rules for HIPAA IT regulation compliance are technology-neutral, meaning no specific technological systems are required as long as the requirements for data protection are met. This sounds easy, but in actuality it creates more confusion, as more choices generally complicate any decision. One thing that’s painfully clear is that the burden of proof, and the ability to produce your compliance plan and show how it was executed, fall squarely on the shoulders of each individual medical provider.

“No excuses accepted” is an understatement when it comes to HIPAA. There is a zero tolerance policy, and ignorance will be no excuse.

Ignoring HIPAA requirements is defined as “willful negligence” and is subject to extreme penalties, including fines as high as $50,000 per instance and criminal charges punishable by prison time. The Office for Civil Rights’ (OCR) website has a public “list of shame” listing all compliance violators; this is certainly not the kind of publicity your practice is going for.

Could you be selected for an audit? Most definitely. Over the next few months, OCR will notify selected entities by email that they have been selected for an audit and explain the process required. If selected, the entity typically has 10 days to submit the initial documentation request via OCR’s secure portal. If you don’t have all your ducks in a row at that point, you sure won’t be able to pull it together within the 10-day audit turnaround. An OCR audit may be as simple as a HIPAA desk audit, which asks the entity to prove it has been in compliance with all required postings, validate that patients are alerted to their privacy rights, show that access to confidential patient data has been protected in various scenarios, confirm that staff received continuing education on HIPAA compliance practices, and document any compliance breaches, how you handled them, and what has been changed since to regain compliance. Totally simple, right? As long as you pass the audit, life is good; if not, it can get pretty messy, very quickly. Start now to ensure your practice is protected in the event of a HIPAA audit; consulting an IT vendor that offers CaaS, or compliance as a service, is a simple way to engage experienced HIPAA experts and reduce the risk for your practice.

Five Ways to Protect your Practice and Comply with HIPAA IT Regulations

Confirm you’re adhering to the basics of HIPAA IT regulation compliance

  • Update your software on a regular basis, checking for system updates and patches, to ensure your devices are current and to minimize hacking risk.
  • Protect against viruses by installing malware-scanning software across all devices.
  • Monitor user logins and data access records; investigate all discrepancy reports.
  • Encrypt all electronic protected data on all devices. Encryption is the simplest way to make lost data unreadable and undecipherable.
  • Create procedures for identifying, documenting, and responding to security breach incidents. Follow the procedures to the letter.

Conduct an internal audit of all stored health data and authorized user access procedures.

The most important steps to verify include:

  • Establish an internal unique user ID protocol to better validate those logging in are who they say they are.
  • Implement a second authentication step for login. Adding a second user verification step to the login process further reduces the chance that employees will share or guess each other’s passwords.
  • Audit current user password strength; force the reset of any weak passwords identified.
  • Add an automatic logoff process that logs users out after a specified time frame, preventing other employees from working with health data under the wrong login.

Perform a technical review of your entity’s network vulnerability to hacking.

  • The OCR list of shame shows that up to 23% of breaches are from hacking incidents.
  • Review network security for any protected health data transmitted; look for points of failure and correct them.
  • Evaluate weak points in network security that could allow unwanted visitors access to protected health information; fix the holes.

Evaluate internal procedures for managing lost, stolen, or returned leased devices.

  • Any device your entity uses to access confidential patient data is subject to scrutiny if lost or stolen. This includes desktops, laptops, mobile devices, and home computers with access to ePHI.
  • If your office leases copiers or anything else with a hard drive, make sure it’s wiped completely clean before release; this responsibility falls on your practice, not the leasing agent. This responsibility includes every storage source even if you don’t own it.
  • Verify that all devices used to access data are password protected and include a robust user login authentication protocol.
  • Encrypt all electronic protected data on all devices. Encryption is the simplest way to make lost data unreadable and undecipherable, protecting your practice no matter who gets their hands on your equipment.
  • Create total device destruction procedures for ePHI data sources so no one can gain access to the data. Completely destroy access to data on any device with a hard drive before releasing it from your business.

Restrict employee access to social media outlets

  • Restrict employee access to social media outlets on any office device. If employees can’t access the site there’s less chance for bad judgment negatively impacting the company.
  • Continuously educate staff on HIPAA policies regarding sharing protected patient information outside the office or within their private social media network.
  • Document your internal HIPAA social media policies, and log all violations and actions taken.

Unless you’re a new practice, by now you probably have a framework of HIPAA compliance practices in place, but the new HIPAA IT regulations passed in 2016 will require greater oversight by an experienced IT provider. Even if you have in-house technical staff, looking for an IT vendor that offers CaaS, or compliance as a service, is the easiest way to help guide your practice through the process of complying with the increased HIPAA IT regulations in 2017.
