This year is the Health Insurance Portability and Accountability Act’s (HIPAA) 25th anniversary. It’s probably not an anniversary you’re excited about celebrating, especially because this law has grown stricter and more punitive since its passing. Many healthcare organizations still scramble to keep up with evolving security, privacy, and regulatory requirements—all to avoid breaches of patient data, large fines, and regulatory investigations.
Yet an IBM Security study puts the average cost of a data breach for healthcare organizations at $7.13 million, the highest of any industry. The same study noted that “healthcare had the highest average time to identify and contain a breach, at 329 days.” In other words, despite HIPAA’s quarter century of existence, healthcare organizations are still struggling to prevent and detect data breaches.
In this article, we want to focus on HIPAA’s technical safeguards (§ 164.312) and the Health Information Technology for Economic and Clinical Health Act’s (HITECH) data breach notification requirements (Sec. 13402) that were added to HIPAA in 2009. Your organization’s compliance officer will know these laws inside and out. However, the “how” can often make even the most compliance-willing organizations stumble. We will go over a few areas of each law and how your IT foundation can help you meet these standards.
HIPAA says that organizations must “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights…” To prevent unauthorized access, you need to focus on:
HIPAA says organizations must “implement a mechanism to encrypt and decrypt electronic protected health information.” This includes encryption for data “at rest” (such as sitting on your servers or in your backups) and “in transit” (such as communicating back and forth with another device like a patient’s computer or smartphone). Healthcare can be challenging because there are so many communications channels (email, instant messaging, videoconferencing) and content types (documents, images, videos). Ensure that the applications you use encrypt any health information that you store or send electronically, and that encryption keys are managed separately from the data they protect. If not, then you need to modernize and upgrade your applications.
The HITECH Act provides guidance that organizations must use “technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” If this requirement is not met, the information is considered unsecured.
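As an added example (not code from the original article or from any product it describes), the following Go program shows what encryption at rest that satisfies the “unusable, unreadable, or indecipherable” standard looks like in practice: each record is sealed with AES-256-GCM, the record identifier is bound to the ciphertext as associated data so one patient’s ciphertext cannot be silently swapped into another patient’s slot, and any bit flip in the stored blob is rejected on decryption. The record contents, identifiers and the in-process key generation are constructed for illustration; in a real deployment the key would come from a KMS or HSM, never from the application’s own memory at startup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize selects AES-256. Assumption for this example: the key is generated
// here; in production it is fetched from a KMS/HSM and rotated there.
const keySize = 32

// NewKey returns a fresh random AES-256 key.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one ePHI record. The returned blob is nonce || ciphertext || tag.
// recordID is authenticated as associated data: a blob decrypts only under the
// same record identifier it was sealed with, so stored blobs cannot be reassigned.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. It fails if the key is wrong, the blob was
// modified in storage, or the recordID does not match the one used at seal time.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000000; dx E11.9; last visit 2021-03-01")
	blob, err := SealRecord(key, "MRN-000000", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; first bytes look like noise: %x...\n", len(blob), blob[:8])

	// A single flipped bit in storage is detected rather than returned as garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenRecord(key, "MRN-000000", tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	// The blob is useless without the right key.
	other, _ := NewKey()
	if _, err := OpenRecord(other, "MRN-000000", blob); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
}
```

Note what this does not cover: GCM’s random 96-bit nonce is fine for per-record volumes, but a key that seals a very large number of records should be rotated, and the plaintext must also be encrypted while it moves between services (TLS), which this block leaves to the transport layer.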
Under these definitions, the security and privacy of electronic health information is at risk whenever you cannot prevent and detect cyberattacks. The better you are at fending off an attack, the less likely it is to become a reportable data breach. While cybersecurity encompasses many different components, a few of the most important tips include:
HIPAA says organizations must “implement policies and procedures to protect electronic protected health information from improper alteration or destruction.” One essential component to meet this requirement is a data backup and disaster recovery solution that includes an onsite component (for quick recovery after a small incident, like a server failure), an offsite component (for a natural disaster or ransomware), and periodic testing that demonstrates the backup can actually be restored intact after an incident. Such solutions also let you revert to a previous version of your data if it is altered or corrupted, provided you have a way to tell that the restored copy matches what was backed up.
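The “periodic testing” part is where many backup programs fall short: a restore that completes is not the same as a restore that returns the data unchanged. The added Go example below (not code from the original article or from any backup product) shows the integrity check a practitioner would run after a test restore: a SHA-256 manifest is recorded at backup time, and the restored file set is compared against it to flag altered, missing and unexpected files. The file names and contents are constructed for illustration; the functions work on in-memory byte maps so the check runs offline, but the same logic applies to a directory walk.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest records the SHA-256 of every file in a backup snapshot (path -> hex digest).
// Keep the manifest with the offsite copy, separate from the backup media it describes.
func Manifest(files map[string][]byte) map[string]string {
	m := make(map[string]string, len(files))
	for path, data := range files {
		sum := sha256.Sum256(data)
		m[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// VerifyRestore compares a restored file set against the manifest taken at backup
// time. It returns a sorted list of findings; an empty list means the restore is
// byte-for-byte what was backed up.
func VerifyRestore(manifest map[string]string, restored map[string][]byte) []string {
	var findings []string
	for path, want := range manifest {
		data, ok := restored[path]
		if !ok {
			findings = append(findings, "missing: "+path)
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			findings = append(findings, "altered: "+path)
		}
	}
	// Files that appear in the restore but were never backed up are also suspicious.
	for path := range restored {
		if _, ok := manifest[path]; !ok {
			findings = append(findings, "unexpected: "+path)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed sample snapshot; not real patient data.
	snapshot := map[string][]byte{
		"ehr/patients.db": []byte("patient table v1"),
		"ehr/audit.log":   []byte("2021-01-01 login user=dr_smith"),
	}
	manifest := Manifest(snapshot)

	// Simulated test restore: one file silently changed, one file missing.
	restored := map[string][]byte{
		"ehr/patients.db": []byte("patient table v1 -- modified"),
	}
	findings := VerifyRestore(manifest, restored)
	if len(findings) == 0 {
		fmt.Println("restore verified: all files intact")
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

A plain hash manifest detects accidental corruption and unsophisticated tampering; an attacker who can rewrite the backup and the manifest together defeats it, so the manifest should be stored on media the backup process cannot modify, or signed with a key the backup host does not hold.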
In a separate section, § 164.310 (physical safeguards), HIPAA says organizations must “implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” This often overlooked aspect of security should include:
You can never train your employees enough about cybersecurity best practices. Teach them about phishing attacks, ransomware, password best practices, and social engineering. All these areas, no matter your technology and tools, are human-centered vulnerabilities that leave you open to attack. When people click on malicious links and attachments, use simple passwords, or are tricked over the phone into giving away a username and password, attackers use those openings to obtain credentials and breach your systems.
---
While HIPAA and HITECH have existed for a long time, and the technical requirements are part of these laws, it’s clear that healthcare organizations still need a lot of help with building the right IT foundation to comply. Use this article to get a sense of where your IT foundation might need some work, and then create a plan to tackle any issues that are preventing you from complying or exposing you to great risk.
The healthcare industry is evolving fast. Practices are growing and consolidating, data security has never been more difficult or important, and IT is playing an ever-increasing role in your patient experience.
You need a single technology partner to simplify and strengthen your IT management. We offer comprehensive healthcare IT support to maintain compliance, create consistency across multiple locations, and positively impact your ability to serve patients.
Whether you’re a new practice or a mature organization aggressively pursuing growth, we can help you craft an IT plan that supports you now and into the future.
Complete the form below and we will schedule a short call to learn more about your organization’s IT compliance needs.