There were probably few, if any, birthday cakes and candles when the Health Insurance Portability and Accountability Act (HIPAA) turned 20 last year, but the milestone underscores the importance of technology and data assets in the healthcare industry.
More importantly, healthcare leaders need to expect continuing changes in HIPAA compliance requirements as healthcare becomes more digitized and personalized. These industry disruptions make it essential for the U.S. Department of Health & Human Services (HHS) to revise HIPAA Rules on a regular basis to ensure up-to-date compliance.
Twenty years ago, technology and the use of data were very different than they are today, so HHS is now addressing issues and risks that were not present at the time and implementing changes to “modernize” HIPAA compliance rules. The need to update HIPAA compliance rules and to ensure the highest level of protection for healthcare data has grown in importance as the risk to that data has increased. For example, in 2016 more covered entities reported data breaches affecting more than 500 individuals than in any other year since the Office of Civil Rights, a division of HHS, started publishing breach reports in 2009: 329 organizations in 2016 versus 270 in 2015. The 2016 breaches affected 16,471,765 records.
A healthcare organization must still make sure that the following steps are taken to ensure that HIPAA rules are followed within the organization:
- Conduct risk assessments regularly. Before you can take steps to protect technology and data, including protected health information (PHI), make sure you identify and classify the locations, people, processes and systems that are collecting, storing and accessing data. Look beyond computers and servers physically located in the facilities and include mobile devices such as any smartphones, tablets or IoT [Internet of Things] devices used by staff; storage devices such as flash drives or hard drives in digital clinical equipment; and partners, service providers or other third parties used in key business processes. Assess risks using broader business criteria, such as the impact of using third parties for critical service delivery and their impact on maintaining regulatory compliance.
- Document all operational processes and procedures. Using the risk assessment, develop processes and procedures that ensure the proper handling and distribution of sensitive information. Regularly train employees and refresh that training to keep data privacy top of mind. Behaviors such as discussing patient conditions in public locations, moving data to a personal device without authorization, and accessing data not required as part of the day-to-day job duties should be addressed in protocols and training.
- Go beyond physical and technical safeguards. With the increasing adoption of mobile technologies and IoT devices in the healthcare industry, sensitive information including patient data is now collected, transmitted, stored and accessed in more than a single local building. Restricting access to this sensitive information requires more than just physical and logical controls, since the data can be transmitted and/or stored in third-party locations. In addition, to remain HIPAA compliant, organizations are required to maintain proper audit logs that document when sensitive information is accessed and by whom. Organizations should shift their strategy to a data-centric approach that focuses on protecting the data rather than the location of the data, to ensure continuous compliance when deploying these emerging technologies.
- Implement procedures for breach notification provisions. The HIPAA Breach Notification Rule requires covered entities that experience a data breach to report the incident to the HHS Secretary. Since the timing and method of required notifications are based on the size of the breach, healthcare organizations will need to ensure their incident response procedures take into account these factors.
In addition to these steps, healthcare providers should also be aware of the three areas HHS is evaluating to update compliance requirements:
- Cybersecurity risks. HHS plans to expand investigations for cyber-attacks and data breaches along with issuing guidance for cybersecurity management by covered entities and business associates. This guidance will be based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Big data. Although healthcare organizations are encouraged to collect, use and share health data to improve care, the widespread adoption of electronic health records (EHRs) and cloud computing has greatly expanded the breadth and depth of information health organizations collect and store. HHS intends to explore options to provide protection for data without limiting the benefits of shared data; however, no specific plans have been developed to date.
- Emerging technologies. In addition to increased adoption of EHRs (as of 2015, 96 percent of hospitals and 87 percent of office-based physician practices report using EHRs), the proliferation of mobile technology means that health data can be collected and stored on smartphones, wearable devices and other non-standard computing devices and shared with other applications. HHS is currently evaluating these new technologies to determine if and how HIPAA privacy and security rules apply to them when they are, or can be, integrated with traditional health data technologies.
Technology vendors’ role in HIPAA compliance
As healthcare organizations have expanded their physical and logical footprints, they have turned to external vendors to enable interoperability and scalability. Outdated information technology infrastructure and limited skilled resources to regularly maintain and update systems are driving the mass migration to cloud computing.
A cloud-based platform not only eliminates the need to invest in new infrastructure; a predictable, subscription-based pricing model that includes managed services also provides access to highly skilled technical employees who are knowledgeable about the technology and up to date on compliance with HIPAA and other applicable regulations. This enables in-house IT staff to focus on their core business activities with the assurance that the cloud service provider is protecting sensitive information as required by HIPAA.
It is important to note that cloud service providers are considered business associates for the purposes of HIPAA once there is a contract for them to receive, maintain and transmit electronic PHI, even if the vendor does not directly access the data. HHS has provided guidance on cloud computing and HIPAA compliance, with recommendations for items to address in a business associate agreement.
It is also important to note that HIPAA Rules address the minimum standards for protection of electronic PHI. Industry best practices call for more rigorous standards such as the Health Information Trust Alliance Common Security Framework (HITRUST-CSF) to ensure service providers are adequately safeguarding PHI.
The first question a healthcare organization should ask any vendor who will receive, store and/or transmit sensitive information is “Are you HIPAA compliant?” However, be aware that a simple “yes” when asked that question is not enough – ask for proper documentation that shows the vendor’s ability to meet HIPAA compliance requirements. Documentation should include:
- HIPAA Policies, Manuals & Training. The vendor should have formal policies and procedures for meeting HIPAA requirements and should regularly train its users on these practices, just as a healthcare organization’s employees are trained. It is also critical that the vendor’s employees be up to date on changes in compliance requirements so they can also serve as an SME [subject matter expert] resource as new technologies are introduced.
- Independent HIPAA audits. Although not required by HIPAA, the vendor should engage an external audit firm on a regular basis to perform an independent audit of the vendor’s control environment based on HIPAA requirements to provide additional assurance of compliance. Vendors who assert they are HIPAA compliant should provide objective evidence of their compliance to customers rather than just their “word.”
- Services that enhance the organization’s ability to comply with HIPAA. Vendors should be able to offer services that not only support HIPAA compliance for the healthcare organization but also improve its compliance while reducing its overall costs over time. For example, platforms that include native security and compliance features such as single sign-on (SSO), data encryption and tokenization capabilities give organizations enhanced security options that exceed HIPAA requirements.
- Business Associate Agreements. HIPAA requires organizations to execute Business Associate Agreements with all vendors who receive, store or transmit electronic PHI, even if the vendor does not access or manipulate individual data records. Vendors who regularly engage with healthcare organizations should be able to demonstrate their knowledge of and experience with HIPAA during contract negotiations.
As HIPAA enters its third decade, healthcare organizations need to look carefully at technology decisions and ensure that HIPAA compliance stays top of mind. Choosing cloud-based technologies with a data-centric approach is one strategy to ensure compliance for all data collected and accessed. Relying on a trusted partner to supplement the healthcare organization’s effort to protect their sensitive information can also help improve compliance throughout the data life cycle.
Does your vendor offer all the services needed to be HIPAA compliant?