HIPAA violations are clearly not to be taken lightly. Consider the over $1 M penalty that Lifespan was hit with last year for a stolen laptop containing unencrypted data. It had electronic protected health information including patient names, medical record numbers, demographic information, and medication information. After investigating the matter, the HHS Office for Civil Rights (OCR) determined that Lifespan was not encrypting ePHI on any of its laptops, lacked device and media controls, and had failed to sign a business associate agreement (BAA) with its parent organization Lifespan Corporation. In short, the OCRs investigation pointed to systemic noncompliance with the HIPAA Privacy and Security Rules.
The HIPAA Compliance Checklist
Based on Lifespans experience and that of many others who have been similarly penalized for HIPAA violations, one can conclude that staying in line with HIPAA is a good idea. Compliance steps have been widely discussed in a number of forums, here is a quick summary to keep on the list.
- Instituting policies and processes for HIPAA compliance and documenting them.
- Establishing BAAs with vendors who handle protected health information PHI.
- Inventorying all devices and computers and configuring them to protect PHI.
- Encrypting all PHI data including data at rest and data in transit.
- Ensuring that all employees are continuing to protect devices and data.
- Educating employees on HIPAA compliance processes and procedures.
- Ensuring that your EMR and Billing Software are HIPAA compliant.
- Managing digital and physical access to data, on premises and in the cloud.
- Storing data in HIPAA compliant servers with proper data recovery plans.
Something to always worry about is the possibility of a breach of protected health information. Smaller practices could be even more vulnerable as they may lack the resources to put everything in place. Consider that all it takes is just a single breached record to potentially expose the practice to steep fines.
HIPAA Compliance — Privacy vs. Security
There are many facets to HIPAA Compliance. Physical safeguards. Administrative safeguards. Logs and controls. Putting all data in a locked room in the form of paper documents may not necessarily ensure HIPAA compliance as the HIPAA Privacy Rule protects all protected health information, be it electronic, paper, or oral (though, making the room accessible only to authorized personnel through the use of biometric scanners may help ..).
This provides a segue into the topic of Privacy vs. Security. Privacy refers to an individuals right to keep their PHI confidential. On the other hand, Security is about protecting PHI through technical and operational controls that protect an individuals PHI.
The HIPAA Privacy Rule is focused on protecting the rights of an individual and their ability to control and access their own PHI. It assures that all PHI will be protected from unauthorized disclosure and covers PHI in all formats including electronic, paper, and even oral.
The HIPAA Security Rule is concerned with the protection of ePHI that is created, received, or used electronically. Covered Entities and Business Associates are required to deploy strong physical, technical, and administrative safeguards that protect patient ePHI. The Security Rule prescribes physical, administrative and technical protections that should be used to prevent unauthorized access.
HIPAA Compliance — A Steep Hill to Climb
But if we step back for a moment, we could conclude that it is not easy to stay compliant with HIPAA, especially for smaller practices. Some of the requirements could be considered onerous and the liability a heavy load to carry. One of the problems is the number of people who have access to healthcare information especially when you have a revolving door with new employees coming in and out. It may make sense to entrust the responsibility of HIPAA compliance and data protection to a third party with a BAA in place.
HIPAA Compliance — Keep Trying
End of the day, the HHS is working to get organizations to comply with HIPAA including their obligation to protect the sensitive information that people have entrusted to them. There have been instances where HHS could have imposed penalties but did not because it became clear that the concerned entities were being diligent and were trying to get it right.
These organizations may not have gotten it all right. There may have been breaches that exposed patient information. But they were trying. When it comes to HIPAA compliance, demonstrable efforts to stay in line with the law would be a big first step. After all, trying is half the battle.