Health expenses add up to nearly one-fifth of the gross domestic product in the United States: at $3.2 trillion, this segment represents 18% of the GDP. The transition to digital environments could lead to total cost savings of $300 billion, particularly related to chronic conditions. By lowering cost, digitizing healthcare effectively makes it easier to deliver treatment, improve quality-of-life, and save lives. However, healthcare technology is also tricky because of the parameters of healthcare law, especially the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology and Clinical Health Act (HITECH).
Most doctors, hospitals, and other healthcare players understand the ongoing importance of protecting electronic protected health information (ePHI). However, covered entities and business associates (Health and Human Services’ terms for the organizations it regulates) want to understand how the field of HIPAA compliance is changing.
The simplest evaluation of the evolving landscape of HIPAA compliance is achieved by looking at HIPAA fine totals for the last few years and reviewing the Congressional Justification from the federal Office for Civil Rights. While the former reveals actual dollar amounts of the agency’s fines, the latter shows us how the budget and activities of this agency are changing under the new presidential administration. Reviewing HIPAA compliance mistake trends suggests specific actions firms can take to avoid violations and related issues. Health IT innovations reveal areas that will be of growing concern for those seeking HIPAA compliant solutions.
2017 HIPAA fines: 176% rise over 2015
Here are the fine totals collected by the HHS over the last three years:
- 2015: $6.19 million
- 2016: $23.5 million
- 2017: $17.09 million
Although there was a drop from 2016 to 2017, there was an overall 176% rise in settlements from 2015 through 2017.
While fines have been heavy this year as last, the enforcement of HIPAA is adapting to the administration of President Trump. The expectation is that the amount of money designated for the Office for Civil Rights (OCR), the Health and Human Services division that enforces HIPAA regulations, will drop. With less funding, the OCR will not be able to conduct as many enforcement actions; however, settlements could be even more severe since the revenue from them will represent a more substantial part of the agency’s budget. Plus, to whatever extent the OCR is not as active as it has been in the past, state attorneys general may view a decline in federal activity as an opportunity to advance the need for healthcare privacy protections themselves.
In the Congressional Justification for 2018 that was issued by the OCR, the budget is down $6.19 million, $5.33 million of which will be removed from its regional enforcement allotment. Although funding is decreasing, the enforcement tasks carried out by the OCR are still expected to be aggressive since it is planning to “increase use of funds from monetary settlements… to cover other items related to health information privacy (HIP) enforcement activities.” Nonetheless, the agency did note that it is changing to a model focused more on big, high-profile violations.
The Congressional Justification is a sign that the OCR will be centered on revisions to healthcare operations and big fines (since that funding is now more critical to the agency’s budget). As administrative law attorney Jeremy W. Meisinger stated in October, the document addresses the landscape of healthcare IT less broadly than last year’s version did.
2018 trends in HIPAA compliance mistakes
Beyond examining and forecasting the activity of the OCR, trends for 2018 are also revealed by assessing the typical ways that a company struggles with compliance and compliance-related activities. Healthcare attorneys often run into these specific snags as they defend clients.
At the HIMSS Security Forum in Boston on September 11, 2017, Mirick O’Connell partner Matt Fisher listed five top HIPAA compliance obstacles:
- Healthcare companies will often wrongly think that general insurance will cover any data breaches. It is important to know exactly what is covered within your organization’s policy if your security stance is to be strong. Risk assessments are part of getting coverage (and they are part of HIPAA audits as well). Conducting a regular risk assessment can help you uncover possible areas of vulnerability.
- Firms often do not pay enough attention to social media when it comes to compliance. “As much as social media is just another form of communication, you can always make a misstatement,” Fisher explained. A specific issue with social media is that you may not be able to fully remove it from the web once it is posted; you may delete it only to realize that it exists in a third-party archive.
- Business associate agreements often are not read, according to Fisher. In 2018 and the years ahead, sharp HIPAA-regulated companies will carefully review those documents before signing them, since there are legal ramifications for the company.
- State laws must be considered as well because there may be aspects that go beyond what is required in HIPAA.
- Healthcare companies sometimes give excessive trust to provider statements rather than performing careful vetting.
It is worth noting that Fisher did make a problematic point related to his fifth challenge regarding vetting. He said that it is deceptive for a business to claim it has products or services that are compliant with or certified to meet HIPAA. “There’s no such thing as being designated HIPAA compliant or certified,” he said. “A product, by itself, cannot be compliant.” While getting an official federal designation as HIPAA-compliant may not be possible, a company may call its solution “HIPAA-compliant” because the company is stating that it is intentionally meeting all guidelines established by HIPAA. It may call itself HIPAA-certified or HIPAA-audited because a third-party specialist has confirmed the organization’s adherence to the OCR’s standards.
Health IT innovation trends for 2018 & beyond
One final way to address HIPAA compliance trends is in terms of the ways that healthcare technologies are evolving. Tools in these areas will be incorporated into HIPAA-compliant environments by companies that choose to work with them as they become increasingly important in 2018 and the years ahead:
Since payers, hospital decision-makers, and other healthcare professionals are testing or implementing blockchain systems, it is becoming more obvious that the approach could be powerful within healthcare.
Blockchain has become much more prominent in discussion because of cryptocurrencies such as bitcoin. However, blockchain and bitcoin should not be conflated.
Blockchain is just a way to store various data formats within a “write once, ready only” design to prioritize data security and integrity.
There is significant skepticism about how much value artificial intelligence solutions will have for healthcare. In terms of general application, Gartner has specifically argued that businesses should focus on narrow AI solutions.
For healthcare specifically, Paddy Padmanabhan has noted that “it’s hard to find compelling case studies demonstrating how AI technologies have made a tangible difference.” Padmanabhan sees the most sophisticated solutions at present within revenue cycle or claims operations that have high transactions volumes, as a means for robotic process automation (RPA).
Mobility and cloud
Healthcare has increasingly adopted mobile-friendly and cloud-based HIPAA solutions so that patients and practitioners can both have easy access. One forecast suggests that mobile devices will be involved in 65% of communications with healthcare organizations by 2018. It is also common to store medical records on a cloud server so that patients can retrieve their test results anytime and from any location.
Big data and analytics
This field could yield amazing results. Companies now have enough data that they are able to model risk factors of a certain treatment or patient. By analyzing this data, it becomes possible to better predict recovery time and likelihood of readmittance for a certain patient.
HIPAA compliance in 2018
As a recap, HIPAA compliance settlements should be less common but more severe in 2018. Avoid errors with insurance and risk assessments; social media; business associate agreements; inclusion of state laws; and vetting. Be aware of key evolving areas such as blockchain; AI; mobility and cloud; and big data and analytics.