{"id":4826,"date":"2022-08-09T21:24:50","date_gmt":"2022-08-09T21:24:50","guid":{"rendered":"https:\/\/cmitsolutions.com\/clear-lake\/?p=4826"},"modified":"2023-02-01T18:21:40","modified_gmt":"2023-02-02T00:21:40","slug":"hows-your-hipaa-compliance","status":"publish","type":"post","link":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/blog\/hows-your-hipaa-compliance\/","title":{"rendered":"How\u2019s Your HIPAA Compliance?"},"content":{"rendered":"

Federal Agency to Update Guidelines for Healthcare Cybersecurity<\/h2>\n

Nine years ago, sweeping changes were made to HIPAA, the Health Insurance Portability and Accountability Act of 1996. These changes, implemented by the Department of Health & Human Services Office of Civil Rights in the 2013 Omnibus Rule, enhanced privacy and security regulations and beefed up the security around Protected Health Information (PHI).<\/p>\n

For consumers, the 2013 Omnibus Rule ushered in a new era of data protection and personal privacy. For businesses in the health care industry, the changes to HIPAA opened up a Pandora\u2019s box of new requirements, acronyms, and compliance confusion.<\/p>\n

Consider this: the Omnibus Rule overhauled the Breach Notification Rule, which was included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). For small- to medium-sized businesses in North America, that can be incredibly confusing. But it\u2019s not prudent to avoid the issue: failing to comply with the Breach Notification Rule when protected health care data is compromised can trigger civil and criminal penalties\u2014including steep fines for each record lost.<\/p>\n

Nearly 10 years after those changes to HIPAA, many companies still don\u2019t understand the importance of compliance. But in an effort to help healthcare organizations better protect electronic patient PHI, the federal National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry.<\/p>\n

The NIST\u2019s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2<\/a>), is designed to help healthcare companies enhance the confidentiality, integrity, and availability of PHI. After a decade of healthcare industry innovation, PHI now covers more than just medical histories, including prescription orders, lab results, vaccination records, and even the electronic messages sent between providers and patients.<\/p>\n

Due to a recent increase in cyberattacks and ransomware infections, the US Department of Health and Human Services, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) have all issued frequent updates to cybersecurity recommendations for healthcare companies. Now, the NIST\u2019s draft publication will provide HIPAA Security Rule compliance guidance that aligns with existing cybersecurity regulations and risk management protocols.<\/p>\n

At CMIT Solutions, we\u2019ve spent the last 10 years helping health care organizations across North America comply with HIPAA changes, decipher complex rule changes, and assess the state of regulatory risk. In line with the NIST\u2019s new draft publication, we\u2019ve collected the following 10 tips for data protection and compliance recommendations:<\/p>\n

1. HIPAA compliance is not optional.<\/strong>\u00a0If you manage Protected Health Information (PHI) or work with any Covered Entity (CE) as a Business Associate (BA), you must comply with federal regulations or face substantial civil and criminal penalties\u2014no ifs, ands, or buts. If a business accepts Meaningful Use funding, which defines minimum government standards for electronic health records (EHR) and outlines how clinical patient data should be exchanged between health care providers, insurers, and patients, enhanced compliance documentation is also required.<\/p>\n

2. Compliance rules cover more than just the healthcare practices that see patients.<\/strong>\u00a0What are CEs and BAs, anyway? Covered Entities are defined as physician practices, clinics, and hospitals, while Business Associates can be classified as IT vendors or other subcontractors. Both types of businesses must maintain up-to-date HIPAA policies, procedures, forms, and Notices of Privacy Practices. And Covered Entities (CEs) are responsible for ensuring their BAs are compliant\u2014a fine-print detail that many practices don\u2019t follow up on.<\/p>\n

3. Data protection and protocols are equally important.<\/strong>\u00a0Way back in 2013, a small dermatology practice in Massachusetts learned this lesson the hard way. Not only were they slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a thumb drive that an IT vendor lost, but the practice was also fined an additional $150,000 \u201cfor not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).\u201d So that was one fine for the actual breach\u2014and one for not having protocols in place to address it once it happened.<\/p>\n

4. Data breaches and the fines accompanying them continue to increase.<\/strong>\u00a0Since 2013, the Department of Health & Human Services Office for Civil Rights has received nearly\u00a0295,000 HIPAA complaints<\/strong>, investigating and resolving\u00a025,525 cases<\/strong>\u00a0and imposing overall penalties of more than\u00a0$131 million<\/strong>\u00a0for the loss, theft, exposure, or impermissible disclosure of\u00a0314,063,186 health care records<\/strong>.<\/p>\n

5. Updated Breach Notification rules have widened the scope of what\u2019s defined as a HIPAA violation.<\/strong>\u00a0In the past, this only applied to major breaches of thousands or even millions of records. But only\u00a04,500 of the aforementioned 25,525 healthcare data breaches<\/strong>\u00a0have leaked the information of more than\u00a0500 individuals<\/strong>\u2014the rest were smaller breaches, sometimes only involving a handful of records. The 2013 Omnibus Rule greatly expanded the definition of a breach and the consequences of failing to address it properly. Not providing proper notification of even a single record loss in a defined time window, for instance, can automatically trigger a long, drawn-out federal investigation.<\/p>\n

6. Compliance requires ongoing attention.<\/strong>\u00a0HIPAA compliance isn\u2019t just a one-and-done situation. Back in 2013, all changes required by the new regulations had to be implemented immediately. But many companies didn\u2019t know they were also required to update them regularly. This isn\u2019t always easy for busy practices or growing contractors, who often assume that one signed agreement is enough for years to come. Instead, regular review and renewal of compliance are required to stay in line with HIPAA regulations\u2014hence the NIST\u2019s new draft guidelines for adherence to the Security Rule.<\/p>\n

7. The HHS Office of Civil Rights continues to expand its Division of Health Information Privacy enforcement team.<\/strong>\u00a0This arm of the federal bureau started small, but over the last five years, it has grown significantly. More and more cybersecurity professionals now focus on healthcare data, and HHS has recruited hundreds with experience in privacy and security compliance, enforcement, data policy, outreach, and systems management. If your business doesn\u2019t have a knowledgeable cybersecurity partner by its side, you could be outgunned in the event an audit or investigation occurs.<\/p>\n

8. It\u2019s not just the feds you have to worry about.<\/strong>\u00a0When federal agencies expanded the reach of new HIPAA rules in 2013, they also enlisted the help of state Attorneys General. The HITECH Act empowers state AGs to file actions and obtain damages on behalf of state residents, but initially, states were reluctant to exercise their enforcement powers. Between 2010 and 2015, only 11 enforcement actions were brought in three states. That increased significantly in 2017, when five states, including New York, each filed suit against HIPAA violators. In 2018, that total rose to nine states, followed in 2019 by a 30-state class-action suit. And in 2021, 41 state Attorneys General sued the American Medical Collections Agency (AMCA) after AMCA announced it was the victim of a massive data breach.<\/p>\n

9. HIPAA compliance requires staff privacy and security training.<\/strong>\u00a0Many large organizations and state institutions now mandate this ongoing education for all employees. But smaller practices often overlook the fact that clinicians and medical staff who access PHI must be trained annually on proper HIPAA procedures. Additionally, documentation of provided training must be kept for six years\u2014and must be exhibited upon request.<\/p>\n

10. Yes, there\u2019s actually a HIPAA \u201cWall of Shame.\u201d<\/strong>\u00a0HHS maintains a regularly updated website called \u201cEnforcement Highlights,\u201d where they list every health care organization served with an enforcement action each month. The site also calls attention to particularly egregious violators, reporting major breaches and providing details that often drive mainstream news coverage. All of this info is widely available to the general public, making the consequences of a data breach reputational in addition to financial.<\/p>\n

CMIT Solutions can help with all of this HIPAA confusion. We understand that healthcare businesses have to comply with strict rules and stringent regulations\u2014and we know that failure to meet them can have a serious impact on your company\u2019s bottom line. Given our depth of experience, we also understand that HIPAA compliance means different things for different companies\u2014and we know how to leverage technology solutions and compliance expertise to meet those challenges.<\/p>\n

If you need help with HIPAA compliance, data protection, or regulatory enforcement, CMIT Solutions is here to help.\u00a0Contact us today<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Federal Agency to Update Guidelines for Healthcare Cybersecurity Nine years ago, sweeping…<\/p>\n","protected":false},"author":77,"featured_media":4975,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[],"class_list":["post-4826","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-quick-tips"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/posts\/4826","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/users\/77"}],"replies":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/comments?post=4826"}],"version-history":[{"count":0,"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/posts\/4826\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/media\/4975"}],"wp:attachment":[{"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/media?parent=4826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/categories?post=4826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cmitsolutions.com\/clearlake-tx-1106\/wp-json\/wp\/v2\/tags?post=4826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}