The Health Insurance Portability and Accountability Act, or HIPAA for short, was initially enacted by the American Congress in 1996 to improve the nation’s health care in terms of efficiency as well as effectiveness through the establishment and implementation of Federal standards. From a high-level perspective, the law focuses on two key areas:
However, within each focal point, several distinct aspects are addressed and continue to evolve each year. After all, since HIPAA’s inception, the internet and technology have matured, posing new questions and concerns to entities that are subject to HIPAA regulation. For context, HIPAA applies to organizations that deal with health plans, clearinghouses, and health care providers that conduct electronic transactions. Ideally, the rules improve access to and protection of health information while elevating medical care overall, though certain entities still struggle to rise to the occasion.
Specifically, data breaches across the healthcare industry are of grave concern, as is organization-wide risk analysis. Both HIPAA regulations address emerging challenges and demand action to prevent fraud and theft and reduce risk. Compliance may not always be easy, but it is necessary.
In this article, Joel Arun Sursas, Medical Doctor and Health Informatician motivated to solve administrative problems in healthcare, provides insight into seven crucial areas relevant to those governed by the HIPAA compliance regulations in 2020.
Data input and integrity are subject to human error and could result in patient misidentification. As such, the American Health Information Management Association (AHIMA), as well as IT industry leaders, are in favor of creating a National Patient Identifier. Those in favor argue that an identifier could drastically reduce medical errors and interoperability issues and improve patient matching. Those against raise concerns regarding patient privacy, but this viewpoint is somewhat antiquated and doesn’t reflect the current state of, and demands for, healthcare data.
Nevertheless, the debate over a National Patient Identifier remains a hot topic, especially since Medicare integrated a healthcare identifier that went into effect in January.
The penetration of technology into the everyday lives of Americans has undoubtedly influenced the perception of privacy in the digital age, and future generations will debate its role in society for years to come. That being said, the Privacy Rule (PR) of HIPAA strives to protect health information by defining what data to protect and partially regulating how medical information is used and shared.
The PR sets clear guidelines for access to as well as disclosure of health records, and any action outside these standards may result in a violation coupled with a financial penalty. Common violations include reviewing protected health information (PHI) without cause or for recreational purposes, disclosing PHI to unwarranted entities such as an employer, and failure to adhere to the minimum necessary standard.
A lack of safeguards that results in data breaches containing PHI continues to be an ailment for the healthcare industry. To combat this, the Security Rule (SR) works in conjunction with the Privacy Rule to secure the public’s PHI. Primarily, the SR addresses how organizations create, receive, maintain, or transmit data electronically. Think of the protocols as a baseline that should be improved upon.
While encryption is currently not mandatory under HIPAA, it remains one of the most effective and underused methods to protect PHI. However, HIPAA compliance regulations may actually encourage low adoption rates for encryption since, surprisingly, not all data breaches result in a violation. In fact, an organization does not have to report a security incident involving encrypted data unless the encryption key is stolen.
Should an organization elect to forgo encryption altogether, an alternative method must be implemented to ensure the security of PHI. Data breaches will continue to occur, but the key is to reduce the risk to a manageable level.
One of the most important aspects of HIPAA is guaranteeing patients access to their medical records and copies of them. As more medical offices transition away from paper-only systems, it’s vital for organizations to implement digital workflows that let patients easily review their health records and share them with other medical professionals or organizations seeing to their medical care. Although relatively uncommon, failure to provide patients with copies of their health records within 30 days of the request is a direct violation of HIPAA. Expect strict enforcement of this regulation going forward.
Social media, though useful and entertaining at times, is also disruptive, even within healthcare. Under HIPAA, social media is perceived as merely another form of communication and must abide by specific protocols. Common infractions include gossip, posting unauthorized PHI, and sharing photos of patients or files.
To avoid noncompliance when it comes to digital communication like social media, organizations should invest in adequate employee training.
Risk assessments are typically required for insurance policies that are valuable in the event of a data breach. More importantly, they can highlight potential risks, vulnerabilities, and threats that may diminish the protection of health information.
Failing to perform a risk assessment is one of the most common HIPAA violations and exposes an organization to financial penalties. It’s possible to conduct a risk assessment internally, but it’s probably worthwhile to hire a third party or work with a HIPAA security expert. Lastly, the U.S. Department of Health and Human Services (HHS) encourages organizations to abide by NIST SP 800-30, an industry-standard risk analysis protocol.
Too often, major companies infuriatingly delay reporting data breaches to the public. Thankfully, the Breach Notification Rule (BNR) is very clear on this matter. Organizations subject to HIPAA regulations that experience a data breach affecting more than 500 individuals are required to issue notifications without delay, and no later than 60 days after the attack.
Last year, the health industry accounted for 29% of reported breaches, proving HIPAA is more relevant than ever. Financial penalties are not ideal for any company and can easily be avoided by investing in workflows, systems, and personnel that meet the HIPAA security and privacy policies and best practices. Protected health information is too important not to.
About Joel Arun Sursas: Joel Arun Sursas holds a Bachelor’s Degree in Medicine and a Bachelor’s Degree in Surgery from the National University of Singapore, and is continuing his education to obtain a Certificate in Safety, Quality, Informatics and Leadership from the Harvard Medical School, and a Master’s in Applied Health Science Informatics from the Johns Hopkins University (both expected in 2020). His technical skills include SPSS, RevMan, and Python.