Like anything related to federal regulations, HIPAA compliance is not exactly a lighthearted and relaxing topic. However, the Security Rule and Privacy Rule of Title II do establish strong standards to protect PHI (protected health information). Regardless our perspectives toward the law, understanding it is critical for healthcare organizations so that they can avoid fines.
Mike Miliard, the managing editor of Healthcare IT News, stated in March that the federal government would be cracking down on noncompliant healthcare organizations this year. Specifically, he reported that Susan McAndrew of the US Department of Health and Human Services (HHS), speaking at the annual conference of the Health Information and Management Systems Society (HIMSS), said that 2014 would be a year in which compliance is “where the action is going to be.” In other words, getting properly aligned with the HIPAA omnibus rule (which went into effect September 23, 2013) is a must.
To further understanding of healthcare compliance among IT executives, Miliard interviewed James Wieland, an attorney and principal at Ober|Kaler’s Health Law Group. Wieland works regularly with healthcare firms, so he was able to provide clarity on points of the law that have generated the most confusion for his own clients.
Here are Wieland’s five tips:
1. Electronic access is as much of a right as privacy.
Consumers are using their rights to information more commonly now since most records are available digitally, notes Wieland, with people at all demographics becoming more aware of their health care rights. That means more responsibility and costs for your business. There is a silver lining here, though. You can charge for the hardware. You probably don’t want a random USB drive from a patient plugged into your computers, which is reasonable. Wieland’s clients buy large amounts of thumb drives and then provide them at cost, which is completely legal.
2. You must have approval in writing for transfers of PHI.
Any confirmation that you can send protected health information must be in writing. It’s not enough to get verbal permission. Everything must be directly communicated in the written word to stay compliant. Interestingly, Wieland notes that PHI can be transferred via a method that is not secure, such as standard Web HTTP protocol. However, if you do send anything through unencrypted means, you must have a specific statement from the patient that they understand the security risk of unencrypted transmittal.
3. It’s wise to have a verifiable risk assessment.
You want to have conducted risk analysis and resolved any possible vulnerabilities. Wieland notes that risk assessment is particularly needed by healthcare providers that use third-party security solutions, adding that risk documentation will be the top item wanted by the HHS’s Office of Civil Rights (OCR) if they investigate your organization following a breach. Small organizations can perform the assessment without outside help, using guidance from the government published in 2012. The annual guidance covers the OCR’s risk analysis expectations. At a fundamental level, you need to analyze how PHI moves within your infrastructure, record a comprehensive explication of risks, and develop a mediation strategy.
4. It’s not just about compliance but meaningful use.
It helps to understand the compliance activities in a broader context, incorporating meaningful use. As Wieland mentions, “meaningful use” of the EHR goes beyond the EHR itself to include any risk analysis of your medical record system. Wieland also stresses that meaningful use audits are annual, while HIPAA risk analysis only needs to occur when major data migration takes place.
5. Be on top of user settings.
One mistake made by many healthcare providers that is completely avoidable is making sure the user settings are appropriate. You need to be aware of the settings that users can change and prevent any users from accessing or adjusting elements that could put you at risk.
Why the law changed & breach notification advice
It also helps to consider what motivated the HIPAA modifications. Data loss has become more common recently as data has migrated to new technologies, according to Wieland, who says it’s reasonable that the regulatory changes were made. He also thinks that the OCR didn’t think people were being careful enough under the old language. He notes that the new focus on individual harm is much more hard and subjective, trumping the previous, objective focus on data compromise.
Wieland also recommends sending out notices in the event of a breach. His argument is that breaches are subject to accounting. If someone wants to look at the accounting, and they see that you had a breach and did not send out notifications, you will be in a terrible legal position – which he describes as “‘deep doodoo.’”
Finding a strong business associate for healthcare hosting
The above tips are great advice for healthcare providers to consider the way in which PHI is handled at their office. While we make our healthcare clients’ data completely private and secure, all information on our HIPAA compliant systems is provided transparently, so that you can understand the exact protections in place and oversee your data from every angle. Check out our HIPAA Compliant Hosting plans today and also consider one of our VPS Hosting options.