Like anything related to federal regulations, HIPAA compliance is not exactly a lighthearted and relaxing topic. However, the Security Rule and Privacy Rule of Title II establish strong standards to protect PHI (protected health information). Regardless of our perspectives toward the law, understanding it is critical for healthcare organizations so that they can avoid fines.
Mike Miliard, the managing editor of Healthcare IT News, stated in March that the federal government would be cracking down on non-compliant healthcare organizations this year. Specifically, he reported that Susan McAndrew of the US Department of Health and Human Services (HHS), speaking at the annual conference of the Health Information and Management Systems Society (HIMSS), said that 2014 would be a year in which compliance is “where the action is going to be.” In other words, getting properly aligned with the HIPAA omnibus rule (which went into effect September 23, 2013) is a must.
Miliard interviewed James Wieland, an attorney, and principal at Ober|Kaler’s Health Law Group, to further understand healthcare compliance among IT executives. Wieland regularly works with healthcare firms, so he provided clarity on points of the law that have generated the most confusion for his clients.
Here are Wieland’s five tips:
1. Electronic access is as much of a right as privacy.
Consumers use their rights to information more commonly now since most records are available digitally, notes Wieland, with people of all demographics becoming more aware of their health care rights. That means more responsibility and costs for your business. There is a silver lining here, though. You can charge for the hardware. You probably don’t want a random USB drive from a patient plugged into your computers, which is reasonable. Wieland’s clients buy large amounts of thumb drives and then provide them at cost, which is entirely legal.
2. You must have approval in writing for transfers of PHI.
Any confirmation that you can send protected health information must be in writing. It’s not enough to get verbal permission, and everything must be directly communicated in the written word to stay compliant. Interestingly, Wieland notes that PHI can be transferred via a method that is not secure, such as standard Web HTTP protocol. However, if you do send anything through unencrypted means, you must have a specific statement from the patient that they understand the security risk of unencrypted transmittal.
3. It’s wise to have a verifiable risk assessment.
You want to have conducted a risk analysis and resolved any possible vulnerabilities. Wieland notes that risk assessment is particularly needed by healthcare providers that use third-party security solutions, adding that risk documentation will be the top item wanted by the HHS’s Office of Civil Rights (OCR) if they investigate your organization following a breach. Small organizations can perform the assessment without outside help, using guidance from the government published in 2012. The annual guidance covers the OCR’s risk analysis expectations. You need to analyze how PHI moves within your infrastructure, record a comprehensive explication of risks, and develop a mediation strategy at a fundamental level.
4. It’s not just about compliance but meaningful use.
It helps to understand the compliance activities in a broader context, incorporating meaningful use. As Wieland mentions, “meaningful use” of the EHR goes beyond the EHR itself to include any risk analysis of your medical record system. Wieland also stresses that meaningful use audits are annual, while HIPAA risk analysis only needs to occur when significant data migration occurs.
5. Be on top of user settings.
One mistake made by many healthcare providers that is entirely avoidable is making sure the user settings are appropriate. You need to be aware of the settings that users can change and prevent any users from accessing or adjusting elements that could put you at risk.
Why the law changed & breach notification advice
It also helps to consider what motivated the HIPAA modifications. Data loss has become more common recently as data has migrated to new technologies, according to Wieland, who says it’s reasonable to make the regulatory changes. He also thinks that the OCR didn’t think people were being careful enough under the old language. He notes that the new focus on individual harm is more complex and subjective, trumping the previous, objective focus on data compromise.
Wieland also recommends sending out notices in the event of a breach. He argues that breaches are subject to accounting. If someone wants to look at the accounting, and they see that you had a breach and did not send out notifications, you will be in a terrible legal position – which he describes as “‘deep doodoo.’”
Finding a strong business associate for healthcare hosting
The above tips are great advice for healthcare providers to consider how PHI is handled at their office. While we make our healthcare clients’ data completely private and secure, all information on our HIPAA compliant systems is provided transparently so that you can understand the exact protections in place and oversee your data from every angle. Check out our HIPAA Compliant Hosting plans today and also consider one of our VPS Hosting options.