Hungry hungry HIPAA

August 17, 2018//Ellen Neveux

Last Updated: November 19, 2020

Healthcare organizations need to take note: not following industry standards is a costly game to play. It isn’t just costly in terms of reputation and downtime; it can easily lead to a nasty Health Insurance Portability and Accountability Act (HIPAA) violation, and the fines attached to those violations are quite steep. The number of breached records in the medical field continues to increase, and there is no end in sight. Just recently, HIPAA “celebrated” the twentieth anniversary of the Security Rule, and there has been chatter about making changes to the different rules. This brings a question to the front of everyone’s mind: will it soon be even harder to comply with HIPAA standards?

About HIPAA
HIPAA was drafted to guard Protected Health Information (PHI) and electronic Protected Health Information (ePHI), keeping patients’ private information private. Its requirements apply to individuals, organizations, and entities working with patient information, and compliance requires best practices online and off for anyone who interacts with PHI or ePHI. The Office for Civil Rights (OCR) is the governing body that enforces all HIPAA requirements, including the Security Rule, Privacy Rule, Breach Notification Rule, and Omnibus Rule, which are briefly defined below:

  • Security Rule: this rule contains the standards that must be applied to protect PHI and provide access to data. It includes technical, physical, and administrative safeguards.
  • Privacy Rule: this rule governs how ePHI can be used and disclosed while demanding that appropriate safeguards are implemented to protect the privacy of PHI.
  • Breach Notification Rule: this rule requires different notifications depending on who was breached and how large the breach was.
  • Omnibus Rule: this rule clarified procedures and policies and expanded the compliance checklist while introducing the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Examples of HIPAA violations
One of the biggest rules is the Breach Notification Rule: it mandates that a breach must be reported to the OCR no matter its size. Currently, the OCR’s website lists 414 active cases under investigation. This list only includes breaches reported within the last 24 months; the listed breaches date from May 2016 to August 2018. Remember, the true number of breached PHI and ePHI records is likely higher, since the list doesn’t include breaches that have yet to be discovered and reported.

According to Protenus and databreaches.net, during the second quarter of 2018, 3.14 million patient records were leaked across 142 disclosed breaches. To put this in perspective, the first quarter of 2018 saw only 1.13 million patient records breached. Not surprisingly, the growing number of breached records is making patients increasingly anxious. Of those second-quarter figures, nearly 800,000 records, or roughly 19% of all incidents, involved a business associate or third-party vendor.

HIPAA changes?
The HIPAA Security Rule made its debut a whopping 20 years ago. Industry experts say it’s time to refresh the rule to reflect how much the cyber threat landscape has changed over those 20 years. Think about it: 20 years ago technology was completely different. Texting, taking screenshots on a cell phone, and using the “cloud” to store information weren’t part of our vocabulary. Security expert Tom Walsh notes that PCI DSS has been updated with new technical requirements as payment card security has changed (e.g. credit and debit card chips), and argues that this shows it should be feasible for HIPAA to be altered and enhanced as well. He adds that, to be compliant, things like unique logins and multi-factor authentication are a must in the healthcare world.

With over 400 healthcare organizations on the OCR’s list of active cases over the past 2 years, some may argue HIPAA is already harsh enough. Whether HIPAA changes or stays the same, the OCR will continue to enforce its requirements, whatever they are. With the possibility that HIPAA could become even stricter in the near future, don’t you think it’s time to make sure you’re compliant? Check with SecureLink’s HIPAA and HITECH Compliance Checklist.

About SecureLink
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers. SecureLink also serves many of the nation’s top hospitals and technology providers by delivering standardized, secure remote support that mitigates risk and helps you maintain compliance.
