Risk vs Reward: Weighing the Pros and Cons of HIPAA Compliance

HIPAA is an important part of healthcare today because it ensures the implementation of safeguards to protect sensitive personal and health information. Clients, customers, and patients are trusting you with their most precious information: their identity and health information. How are you earning that trust? How are you protecting it? In this article, we try to break down why HIPAA is important, what has changed, why you should care, and how you can be prepared to protect not only your business but the trust of your patients and customers.

What’s Changed with HIPAA?

Is there a reason it matters more today than when HIPAA was introduced in 1996? Well, for starters, we live in a much more digital world. On April 14, 2003, the US Department of Health and Human Services released the first HIPAA Privacy Rule, which defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.

Privacy and Security Standards

On April 21, 2005, the HIPAA Security Rule was introduced. This rule directly addresses electronically stored PHI (ePHI) through three security safeguards: physical, administrative, and technical.

HIPAA Regulation Enforcement

In March of 2006, the Enforcement Rule was introduced. The Enforcement Rule allowed the Department of Health and Human Services to investigate covered entities reported for failing to comply with HIPAA regulations. In addition to investigation, the Enforcement Rule allows the Office for Civil Rights to impose civil penalties on entities that did not comply.

The Addition of ARRA and HITECH

In 2009, the American Recovery and Reinvestment Act (ARRA) was implemented, and within it was a vital addition to HIPAA enforcement: the Health Information Technology for Economic and Clinical Health Act (HITECH). The HITECH Act introduced provisions for health information management, including a requirement that all breaches of ePHI affecting more than 500 individuals be reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). In addition to the Breach Notification Rule, the HITECH Act introduced the Meaningful Use incentive program to encourage healthcare organizations to move their records to electronic form by implementing an Electronic Health Record (EHR). Today, that incentive program is called Promoting Interoperability.

The Omnibus Rule

In March of 2013, the Final Omnibus Rule was introduced, and with it many final amendments. The Final Omnibus Rule clarified regulations such as HIPAA and HITECH regarding the handling of ePHI, as well as the wording within the acts themselves. The Privacy and Security Rules were also amended to modify the appropriate duration for retaining a patient’s health information. Previously, entities were permitted to retain the information for 50 years, but the amendment extended this period indefinitely. The amendments also addressed work practices and technologies that did not exist in 1996, such as mobile devices and telehealth.

HIPAA regulation identifies two types of organizations that must be HIPAA compliant: Covered Entities and Business Associates.

Most Recent Changes!

With the CARES Act passing in March of 2020, the 42 CFR Part 2 regulations now align more closely with HIPAA. Additionally, HR 7898 amends the HITECH Act to provide a liability “safe harbor” that reduces the enforcement actions OCR takes in relation to the Security Rule. It adds three specific impacts on enforcement if you can prove you have followed what it designates as “recognized security practices”:

  1. Mitigation of fines issued in civil money penalty cases.
  2. Early, favorable termination of an audit conducted under the random audit requirements.
  3. Mitigation of the remedies negotiated between OCR and organizations that reach settlements and Corrective Action Plan (CAP) arrangements.

You have to show you have been following these “recognized security practices” for the prior 12 months. It isn’t something you can suddenly start doing to solve a problem that has already occurred. If you want this safe harbor option, you have to have it built into your organization well in advance of problems occurring.

“The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.”

Now why does this matter?

IT companies have been preaching security best practices for a long time, and now there are laws in place that allow companies to take advantage of their due diligence. With more companies working and providing services remotely, especially in healthcare, it is a no-brainer why the government is jumping on board to reward companies that proactively mitigate risk.

Common Triggers for an Audit

  • Patient complaints – Patients could file complaints for any number of reasons. Maybe a patient was denied access to their records, or perhaps they saw a picture on social media with their medical chart in the background.
  • Employee complaints – Oftentimes, disgruntled employees file a complaint following termination of employment, but that’s not always the case. If an employee feels there has been wrongdoing, they could certainly file a complaint.
  • Employee mistakes – Employee mistakes, or human error, account for many audits. An employee falling for a phishing email, using weak passwords, or sending a patient the incorrect records are all examples of human error.
  • Insider wrongdoing – Sometimes employees violate company policies maliciously, and other times they may just be curious. Employees could steal patient records for personal gain or could peek at a patient’s records because they’re curious about their visit.
  • Third-party mistakes – Mistakes caused by a Business Associate (BA) could also lead to an investigation of your organization. If your BA suffers a data breach, you may be audited as well.
  • Security incidents – Common security incidents include lost or stolen devices, especially devices that are unencrypted, as well as unpatched software that led to malware or ransomware infections.

Oftentimes, whatever triggered the audit in the first place is not the biggest problem or finding by the OCR. This is why having your HIPAA compliance program in order and continuously working towards compliance is critical. Note: HHS is REQUIRED by law to investigate ALL HIPAA violation complaints.

What will OCR look for in an audit?

What OCR looks for in an audit will vary depending on what triggered the audit initially. Below are some common items that your business or organization could expect to show an auditor in the event of an audit, all of which are key components of a HIPAA compliance program.

  • Security Risk Assessment – The Security Risk Assessment (a.k.a. SRA, or Security Risk Analysis) looks for gaps in your organization’s administrative, physical, and technical safeguards that could pose a risk to protected health information (PHI). You must have documented proof of your SRA.
  • Remediation/Risk Management Plan – Once you’ve conducted your SRA, you’ll need to have a process in place to begin addressing your deficiencies, often referred to as a Risk Management Plan. This plan should cover how you plan to remediate all the security gaps discovered in your SRA.
  • Policies & Procedures – Not only does your organization need to have policies and procedures in place, but you also must ensure that employees understand those policies and have signed off on them. Employees can’t be expected to follow the rules if they are unaware of them, and documented proof that they acknowledged the policies is vital in the event of a security incident.
  • Security Officer – Every organization needs to have an appointed Security Officer. This individual is responsible for ensuring policies and procedures are created, understood by all employees of the organization, and acknowledged by them with documented proof. The Security Officer should also ensure employees are trained on HIPAA routinely.
  • Routine HIPAA Training – Not only is HIPAA training a requirement, but it is also necessary to reduce the chances of employee error. HIPAA and cybersecurity awareness training should be conducted routinely so employees are kept updated on the latest threats and security best practices stay top of mind.
  • Business Associate Agreements – You must have a Business Associate Agreement (BAA) with any and all vendors that handle your patient data. A data breach caused by a Business Associate will also affect your organization, so make sure you are working with vendors who take HIPAA compliance seriously.

Proof of network vulnerability scans, penetration tests, and breach notifications (in the event of a breach) are also common requests from the OCR.

I am still on the fence!

Is not complying with HIPAA against the law? Simply, yes. When you or your organization is not compliant with HIPAA, OCR can impose civil penalties of up to 1.5 million dollars, and jail time is possible. Although jail time is very rare, it can happen.

One thing I always ask people on the fence is this: if the law doesn’t scare you, does losing people’s trust scare you? Because that is what is at risk. You are held to a higher standard when you are dealing with someone’s identity, and more specifically their PHI, and people are trusting you to do what is right and lawful to protect their information. An everyday person may not know much about what is required by HIPAA, NIST, or any other law or standard, but they are trusting that you are doing what is right.

“It’s always easier to carry yourself over someone else”

The truth is that we live in a very digital world, and cyber threats are real. Regardless of whether you are required to be HIPAA compliant or not, many of these best practices extend to all industries. Next time you think about passing on a service because of cost, even a legally required one, think about what it costs others, not just yourself.