The Healthcare IT sector continues to explode with more cloud migrations, remote work policies, telehealth, SaaS applications and IoT devices coming online every day. These technologies are combining to make patient care more cost-efficient, convenient, and effective. But there is a trade-off. With the expansion of your network and the addition of technology comes the addition of security vulnerabilities. Telehealth is great. Until you get Zoom-Bombed in the middle of a session with a patient. Or your laptop gets infected with malware and patient records are compromised. Occurrences like this, or something as simple as faxing a record to the wrong number or emailing a record to the wrong address, can lead to audit, in which case all ducks need to be in a row. But if you’re like everybody else, you’ve already got more than enough administrative overhead. The added tasks of achieving, monitoring, maintaining, recording, and archiving those compliance records may seem too daunting to even know where to begin. But can you afford not to? The following are a few things you need to consider before you put HIPAA compliance on the back burner.
Penalty tiers (CE = covered entity, BA = business associate):

Tier | Level of culpability | Penalty
1 | The CE or BA had no knowledge of the violation and likely would not have known about it by exercising due diligence. | $119 – $59,522 per violation
2 | The CE or BA knew, or would have known of the violation with due diligence, but short of willful neglect. | $1,191 – $59,522 per violation
3 | The violation was caused by willful neglect, but corrective action is taken within 30 days. | – $59,522 per violation
4 | The violation was caused by willful neglect and no corrective action is taken within 30 days. | $59,522 per violation – $1,785,651 (annual cap for all identical violations)
Now that we’ve got the requisite fear-mongering and alarm-ringing out of the way, let’s move on to the benefits of HIPAA compliance outside of avoidance of fines and penalties.
2. HIPAA Compliance Increases Productivity
Most organizations believe that implementing so many additional constraints will negatively affect employee productivity or network performance, when true HIPAA compliance in practice yields the exact opposite result. Many of the required technical security controls protect you from work stoppages, slowdowns, or data loss due to malicious activity or carelessness. In addition, the administrative controls require staff training and standardization of policies, procedures and file categorizations. Well-developed processes, with well-trained staff to execute them, always spell increased productivity. This is actually the most beneficial side effect of implementing a HIPAA compliance program, as true compliance in practice forces you into a process-oriented methodology. These processes will not only allow you to do more; they will also let your organization pivot easily as the business grows and as ever-changing circumstances and regulations require.
3. Enforcing HIPAA Compliance Implements Data Security by Default
The entire purpose of the Health Insurance Portability and Accountability Act is to hold entities responsible for the privacy and protection of patient health and personal information. The Department of Health and Human Services (HHS) recognizes this, and mandates certain protections and failsafes for compliance. For example, hard drives containing PHI must be encrypted. This is the same for email accounts used to transfer sensitive information. HHS mandates end user training for safe internet usage and handling of PHI. The ability to log security incidents is also a requirement, as this is a critical element to forensic tracing in the event of a breach. The idea here, however, is prevention of the breach through technical controls, administrative policy, end user awareness and concerted due care.
4. True HIPAA Compliance Equals Scalability and Continuity
Though all the controls and requirements mandated by HHS under HIPAA may seem like constraints and added expenses at first glance, they are actually investments in a process-oriented way of operating. While HHS had the benefit of the patient in mind when determining the protective controls that must be put in place, these same controls enforce the use of repeatable, refinable, scalable processes that allow for increased productivity and streamlined growth. True HIPAA compliance also provides business continuity when the backup and Incident Response Plan (IRP) requirements are met. Having components like these in place ensures that you are always able to provide complete and timely service to your patients.
5. HIPAA Compliance Fosters Community Trust
A data breach is one of the worst things that can happen to your business, but it can be an absolute nightmare for the patient whose data is stolen. Imagine the fallout from having patients' mental health treatment records stolen, or having patient illnesses disclosed through a breach, or all the damage that can happen in general when Protected Health Information (PHI) is compromised. This is far more serious than a credit card number disclosure, which is usually detected and rectified within days of compromise. A patient's health records contain their whole lives: everything a criminal would need to assume that person's identity is potentially present in one record. Consider also the case of ransomware, where the practice's files have been encrypted and it is unable to treat patients or send their records to other facilities so they can be treated elsewhere. This type of scenario can be just as bad or worse when conditions like allergies or prescription contra-indications cannot be communicated to a pharmacist because of the outage. Those who entrust us with their care need to be able to rest assured that we are actively doing everything in our power to protect not just their privacy, but their livelihoods and their very lives. And being able to communicate that we are doing just that goes a long way toward developing that reputation with those we serve.
The initial tasks of discovering, remediating, training and creating all the documentation required in the case of an audit or breach are resource intensive and time consuming, and there is a learning curve. But the potential cost of neglecting these mandates, with the amount fined directly related to the level of negligence, is too impactful to ignore. What's worse, after paying the fines and repairing the damage done, you still have to enact a compliance plan. Add to that the lawsuits and the loss of trust in the community after years of building it, and any Business Impact Analysis will list this as a critical finding. An ounce of prevention beats a pound of cure.