In 2009 fewer than 46% of all medical providers in the United States used electronic records, with the majority still using paper patient records, faxes, and handwritten charts. The Patient Protection and Affordable Care Act (PPACA) went into effect in 2014 mandating healthcare organizations to convert paper records into electronic medical records (EMR or EHR) and while now, nearly all health care organizations have made the conversion, most have not controlled which systems and employees have access to the data.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) created an electronic data interchange that health plans, health-care clearinghouses, and certain health-care providers, including pharmacists, are required to use for electronic transactions. The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
However, with the transition to electronic records and a data exchange for healthcare providers, a patient’s data was likely to be entered and maintained on a number and disparate set of systems, scanned and databased on other systems and handled by a variety of medical professionals.
New to the digital market and lagging financial, consumer products, and tech sectors, health care providers are still struggling to obtain the technology or the information technology expertise to handle the massive compliance challenge. As an example, as late as last year in the annual Thales Data Threat Report, the organization revealed that 70% of U.S. healthcare organizations surveyed experienced a data breach, with a third reporting one in the last year alone. This is the greatest rate of any industry studied by Thales.
Security incidents and breaches where PHI falls into the wrong hands is a clear indication that healthcare organizations do not have control of their patient’s data. In this blog post, we’ll discuss the obstacles to complying with HIPAA and other privacy regulations as well as the comprehensive solutions that are empowering healthcare providers to manage and secure patient data simply and cost effectively.
Managing and Security Patient Data is the Most Significant Challenge
HIPAA-protected health information (PHI) is any piece of information in an individual’s medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify them. Just like PII or personally identifiable information, PHI is any data that could potentially be used to identify a person. Examples include a full name, Social Security number, driver's license number, bank account number, passport number, and email address. However, PHI typically includes additional pieces of data.
The meaning of PHI includes a wide variety of identifiers and different information recorded throughout the course of routine treatment and billing. The Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) include 18 types of information that qualify as HIPAA-protected health information (PHI) identifiers.
Electronic protected health information (ePHI) is any PHI that is created, stored, transmitted, or received electronically. The HIPAA “Security Rule” has specific guidelines in place that dictate the means involved in assessing ePHI.
PHI or ePHI needs to be accessed by doctor’s, nurses, administrators and other health care professionals over the course of the health care provider's relationship with a patient. Thus, patient data is likely to be found on a variety of servers, databases, laptops and other technology. Understanding where this data is stored in the organization and how to manage and secure it is difficult.
Complying with HIPAA as Standards Rise
Organizations should start preparing for an Office for Civil Rights (OCR) HIPAA audit long before they are notified that they have been chosen for a random audit. Further, for organizations that are not chosen for a random HIPAA audit, they may still face penalties for noncompliance if they have a patient complaint or experience a breach.
To be clear, the Department of Health and Human Services (HHS) oversees the OCR, which uses the HIPAA audit program to assess the compliance of covered entities. As stated by the HHS, “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”
Since 2003, the OCR has discovered 55 Privacy Rule violations and handed out close to $80 million in fines. And as of 2018, the OCR has received more than 184,000 HIPAA complaints and initiated more than 902 compliance reviews.
In 2018, OCR settled 10 cases totaling $28.7 million from enforcement actions. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Last year, OCR reached an all-time record year in HIPAA enforcement activity suggesting that their standards will continue to rise.
Further, the majority of the complaints and fines were because of the health care provider’s inability to protect patient data. Lastly, once the OCR has made up its mind to audit a health care provider, they have just 10 days to respond.
