
The healthcare IT sector continues to expand, with more cloud migrations, remote work policies, telehealth, SaaS applications and IoT devices coming online every day. These technologies combine to make patient care more cost-efficient, convenient and effective. But there is a trade-off: every expansion of your network and every added technology also adds security vulnerabilities. Telehealth is great, until you get Zoom-bombed in the middle of a session with a patient, or your laptop gets infected with malware and patient records are compromised. Incidents like these, or something as simple as faxing a record to the wrong number or emailing a record to the wrong address, can lead to an audit, at which point all your ducks need to be in a row. If you're like everybody else, you already have more than enough administrative overhead, and the added tasks of achieving, monitoring, maintaining, recording and archiving compliance evidence may seem too daunting to even know where to begin. But can you afford not to? The following are a few things to consider before you put HIPAA compliance on the back burner.

1. HIPAA Compliance Is Mandatory
Let's start with the obvious. The law requires every organization that stores or processes Protected Health Information (PHI), whether a covered entity (CE) or a business associate (BA), to implement and document ongoing measures that comply with the regulations. The HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule must all be adhered to in order to protect patients' right to privacy. And for good reason: data breaches cost the healthcare sector an estimated $4 billion last year. This is why breaches resulting from willful neglect draw the biggest fines, and we don't have to look far for news stories of multi-million-dollar fines for headline-worthy violations. Below are the latest civil monetary penalty adjustments released by the Department of Health and Human Services (HHS). They apply to penalties assessed on or after Jan. 17, 2020 for violations that occurred on or after Nov. 2, 2015.
Tier 1: No knowledge of the violation, and the violation likely would not have been discovered by exercising due diligence. $119 to $59,522 per violation.
Tier 2: The covered entity or business associate knew, or with due diligence would have known, of the violation, but short of willful neglect. $1,191 to $59,522 per violation.
Tier 3: The violation was caused by willful neglect, but corrective action was taken within 30 days. $11,904 to $59,522 per violation.
Tier 4: The violation was caused by willful neglect and no corrective action was taken within 30 days. $59,522 per violation, up to an annual cap of $1,785,651 for all identical violations.
Now that we’ve got the requisite fear-mongering and alarm-ringing out of the way, let’s move on to the benefits of HIPAA compliance outside of avoidance of fines and penalties.

2. HIPAA Compliance Increases Productivity
Most organizations assume that adding so many constraints will hurt employee productivity or network performance, when true HIPAA compliance in practice yields the opposite result. Many of the required technical security controls protect you from work stoppages, slowdowns and data loss caused by malicious activity or carelessness. The administrative controls require staff training and the standardization of policies, procedures and file classifications, and well-developed processes executed by well-trained staff consistently mean higher productivity. This is the most beneficial side effect of implementing a HIPAA compliance program: true compliance forces you into a process-oriented way of working. Those processes not only let you do more, they also let your organization pivot easily as the business grows and as circumstances and regulations change.

3. Enforcing HIPAA Compliance Implements Data Security by Default
The entire purpose of the Health Insurance Portability and Accountability Act is to hold entities responsible for the privacy and protection of patients' health and personal information. The Department of Health and Human Services (HHS) mandates specific safeguards and failsafes to that end. For example, hard drives and other media holding PHI should be encrypted, and the same goes for email used to transmit sensitive information. Strictly speaking, encryption is an "addressable" implementation specification under the Security Rule, which means a covered entity must either implement it or document why an equivalent alternative is reasonable and appropriate. In practice encryption is the obvious choice, because under HHS guidance properly encrypted PHI is not "unsecured" PHI: a lost laptop with an encrypted drive (and no key stored with it) is not a reportable breach, while a lost unencrypted one is. HHS also requires security awareness training for the workforce, covering safe internet usage and the handling of PHI. Audit controls that record and examine activity in systems containing PHI are required as well, since those logs are the starting point for forensic tracing in the event of a breach. The idea, however, is to prevent the breach in the first place through technical controls, administrative policy, end user awareness and concerted due care.

4. True HIPAA Compliance Equals Scalability and Continuity
Though all the controls and requirements mandated by HHS under HIPAA may look like constraints and added expenses at first glance, they are investments in a process-oriented way of operating. HHS had the patient's benefit in mind when choosing the protective controls that must be in place, but those same controls push you toward repeatable, refinable, scalable processes that increase productivity and streamline growth. True HIPAA compliance also supports business continuity once the backup and Incident Response Plan (IRP) requirements are met. Having these components in place means you are able to keep providing complete and timely service to your patients even when something goes wrong.

5. HIPAA Compliance Fosters Community Trust
A data breach is one of the worst things that can happen to your business, but it can be an absolute nightmare for the patient whose data is stolen. Imagine the fallout from having patients' mental health treatment records stolen, or patient illnesses disclosed through a breach, or any of the damage that follows when Protected Health Information (PHI) is compromised. This is far more serious than a credit card number disclosure, which is usually detected and rectified within days; a card can be reissued, but a medical history cannot. A patient's health records contain their whole lives, and everything a criminal needs to assume that person's identity is potentially present in a single record. Ransomware is another case: when the practice's files have been encrypted, it cannot treat patients or send their records to other facilities so they can be treated elsewhere. That scenario can be just as bad or worse when conditions such as allergies or prescription contraindications cannot be communicated to a pharmacist because of the outage. Those who entrust us with their care need to be able to rest assured that we are actively doing everything in our power to protect not just their privacy, but their livelihoods and their very lives. Being able to communicate that we are doing just that goes a long way toward building that reputation with those we serve.
Conclusion
The initial tasks of discovering, remediating, training and creating all the documentation required in the event of an audit or breach are resource intensive and time consuming, and there is a learning curve. But the potential cost of neglecting these mandates, with the fine scaled directly to the level of negligence, is too great to ignore. What's worse, after paying the fines and repairing the damage done, you still have to enact a compliance plan. Add the lawsuits and the loss of trust in a community that took years to build, and any Business Impact Analysis will list this as a critical finding. An ounce of prevention beats a pound of cure.

Mundell Phillips
Mundell Phillips is CEO of Nutech Solutions LLC. His prior experience includes over 15 years in technical and managerial roles in the private and public health information technology and cybersecurity sectors. Mundell has led the design and implementation of several disaster recovery, performance optimization, security and compliance remediation projects for the proverbial alphabet soup of government agencies (DOD, VA, DOJ, DOT, etc.). He has now committed that specialized expertise and experience to tailoring the same solutions to healthcare providers and others under HIPAA compliance mandates, helping them to scale up and out through IT solutions and process development and refinement.