Issue link: https://beckershealthcare.uberflip.com/i/572638
ASC Management

11 Tips for Keeping HIPAA Compliance in the Digital Age

By Brandon Howard

Here are 11 tips for healthcare professionals to keep HIPAA compliance in the digital age.

1. The Privacy Rule, issued by HHS under the Health Insurance Portability and Accountability Act of 1996, "addresses the use and disclosure of individuals' health information — called 'protected health information' by organizations subject to the Privacy Rule — called 'covered entities,' as well as standards for individuals' privacy rights to understand and control how their health information is used."

2. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals' "electronic protected health information," according to HHS.

3. In a digital age, maintaining HIPAA compliance can be trickier than ever before. Virtru recently provided six best practices to maintain HIPAA compliance and stay ahead of data security threats. These include:
• Use strong data encryption
• Encrypt emails
• Use multi-factor authentication
• Make all your employees experts in HIPAA compliance
• Review the compliance and security practices of business associates
• Be aware of social engineering and insider threats

4. In 2004, HHS received 6,534 complaints, compared to 12,915 complaints in 2013. Of 34,389 total complaints investigated by HHS, 31 percent were found to be a "no-violation," and 69 percent resulted in corrective action. In 2013, HHS resolved a total of 14,300 privacy complaints, compared to 9,408 in 2012.

5. Technology itself is not the leading cause of HIPAA violations. The top three causes of a data breach, according to data from the Ponemon Institute as cited by the Central and Southern Ohio chapter of HIMSS, are:
• Lost laptops or devices
• Employee mistakes or unintentional actions
• Third-party errors

6. Last year, the largest data breach occurred at Community Health Systems Professional Services Corporation, affecting about 4.5 million people. A cyberattack on UCLA Health this year also affected 4.5 million people. One of the largest data breaches of all time occurred in January 2015 at Anthem, affecting roughly 80 million people.

7. The Health Information Technology for Economic and Clinical Health Act was passed in 2009 and supports the enforcement of HIPAA requirements by raising the penalties for those who violate HIPAA. The HITECH Act was formed as a response to health technology development and the increased use, storage and transmittal of electronic health information, according to OnlineTech.com. The HITECH Act established four tiers of violations with increasing penalties, with a $100 minimum per violation and a maximum penalty of $1.5 million per calendar year for all violations of an identical provision. Violating HIPAA for personal gain or malicious reasons can result in a potential jail sentence of up to 10 years. Recently, St. Elizabeth's Medical Center in Brighton, Mass., agreed to pay $218,400 to settle an alleged HIPAA violation and to adopt a corrective action plan for its HIPAA compliance program.

8. In the event of a data breach involving fewer than 500 people, HITECH calls for a written notification by first class mail to the individual at their last known address, as well as annual submission of a log to HHS documenting such breaches during the year involved. Breaches involving 500 or more people require a written notification by first class mail to the individual's address, notification to prominent media outlets serving a state or jurisdiction when the breach involves more than 500 residents of that state or jurisdiction, and notification to the Secretary of HHS without unreasonable delay (and in no case later than 60 days after discovery of the breach).

9. In the conversation about HIPAA compliance in the digital age, mHealth applications appeal to patients and physicians for their convenience, but they also must be HIPAA compliant. Running an app from a HIPAA-compliant hosting environment does not make the app itself compliant, according to a Healthcare Insights blog post. If a HIPAA-covered person or organization uses the app, or if the app stores or transmits personally identifiable health information, both the hosting and the app must be HIPAA compliant.

10. An ASC currently using Windows Server 2003 to store PHI could effectively become non-compliant with HIPAA and the HITECH Act, and the servers running Windows Server 2003 become a major security risk, according to Nelson Gomes, President & CEO, PriorityOne Group. Windows Server 2003 reached the end of Microsoft's extended support on July 14, 2015, so it no longer receives security patches and any newly discovered vulnerability remains exploitable on those servers.

11. According to a NueMD 2014 HIPAA survey, 31 percent of respondents were "very confident" that their electronic devices are HIPAA-compliant and 18 percent were "very confident" that their mobile devices are HIPAA-compliant. Additionally, 45 percent of respondents have a formal breach notification policy and 33 percent have performed a risk analysis.