HIPAA Rules Could Be Changing – What Does This Mean for Your Compliance Standards?
Of all the data cybercriminals could get their hands on, medical records are one of the most dangerous. These records contain a surplus of personal data, from addresses to Social Security information and other personal data.
That’s why, in 1996, The Health Insurance Portability and Accountability Act (HIPAA) created a mandatory standard of privacy by which all healthcare providers (and their devices!) must abide.
Since the introduction of HIPAA, there have been several important updates to the act:
- The HIPAA Enforcement Rule in 2006 added additional provisions for investigation compliance, penalties for violations and standards for hearing procedures.
- The Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2010, updated HIPAA rules to include electronic medical records.
- The Omnibus Final Rule, introduced in early 2013, increased the scope and liability for involved parties. This rule widened the definition of “business associates,” which must be HIPAA-compliant to include any entity that “creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.”
Now, because of changing digital practices and the effects of COVID-19, there have been a few proposed changes to HIPAA. These could require additional security requirements, software or capabilities on your current healthcare devices.
Let’s review these potential updates and how best to prepare for these new standards.
2020 Proposed Changes
After 24 years, it’s evident that HIPAA would need to be updated to match the times, and even updates made in 2013 could not predict what protections would be necessary for 2020.
The Department of Health and Human Services is currently considering two additional addendums to HIPAA compliance laws:
Civil Monetary Penalties
The first proposed update will allow patients that have been subjected to a HIPAA violation to request money for potential damages. HIPAA violations can potentially result in identity theft or fraud, especially if a data breach exposes vulnerable personal data like banking information or Social Security numbers.
These breaches can be devastatingly expensive. In 2019, a reported $1.9 billion was lost by American consumers due to identity theft. And with an increase of remote working, cybercriminals have become more active and a growing threat to healthcare organizations.
Right now, there isn’t a procedure in place for victims of HIPAA violations to ask for monetary compensation – they only receive free credit monitoring and future identity theft protection.
If this addition is approved, it will be a win for violation victims in financial need. But, if your company was responsible, this could mean hefty charges depending on your level of neglect.
Accounting of Disclosures
This proposed addition requires that there needs to be a clear record of any time a patient’s Procured Health Information (PHI) is disclosed. Essentially, this provision wants to ensure that a patient always has thorough documentation of any time their PHI is shared (and any charges that may have accompanied it).
Currently, patients can request their full PHI under the first accounting of disclosures agreement, but this did not include any digital sharing of records – only paper ones.
As the world continues to rely on digital means more and more, this would be a welcome change for many patients and organizations alike. But, if this provision is approved, this means that healthcare organizations will have to ensure that their digital records are as thorough and accessible as their current paper records, allowing them to be easily requested and delivered.
What You Can Do to Keep Up
As a healthcare organization, you have a responsibility to keep up with changing HIPAA standards. If you’re assessing whether your devices will be able to cater to these new provisions, a good place to start is with the Department of Health and Human Services’ HIPAA Security Rule:
Here, you can find:
- General rules for HIPAA compliance
- The definition of a “covered entity,” and if your organization qualifies
- What type of information needs to be protected
- Additional information on the history of HIPAA compliance and notifications of future changes
You’ll also need to review your current devices, their capabilities and how vulnerable they are to attacks.
Discuss the following with your IT team:
- Are your devices reliably storing and protecting electronic records?
- Can these records be produced and sent quickly with the proper verifications and account access?
- What software is currently in place as a defense against data breaches? Is it doing enough to protect your patients’ information?
- If you’re using a cloud storage program, is it secure enough for HIPAA’s standards?
- Does your organization have a strong disaster recovery plan in place?
- What physical security does your organization have to avoid theft of onsite devices or external backups?
- What potential threats can your organization reasonably expect and prepare for?
- Have you provided your employees with adequate cybersecurity training to spot potential threats?
By asking these questions and addressing these changes now, you can save your company time and money by avoiding future preventable breaches. And even if these two additions aren’t added to HIPAA this year, extra protection and a review of your current cybersecurity never hurts.
As you prepare for the upcoming changes presented by these HIPAA amendments, it’s essential to make sure your IT team or managed services provider (MSP) is fluent in the complex rules of cybersecurity and HIPAA compliance.
If you’re wondering how to determine if an MSP is the right choice for you, Switchfast is here to help. Download our Managed Services Provider Checklist to learn the questions you need to ask when deciding on a potential provider.
