The Health Insurance Portability and Accountability Act (HIPAA) made sensitive patient data protection imperative. The past year witnessed continued upholding of HIPAA, consistent reminders from the Office for Civil Rights (OCR), and updates to the two subparts of the law — the privacy and security rules.
HIPAA is arguably one of the most critical enactments of Congress regarding healthcare, and for the benefit of patients, let’s hope that its implementation will only improve. Now that we’re well into 2019, let us review the biggest HIPAA blunders of 2018 and look into several significant changes to the law this year.
The basics of HIPAA compliance still apply
HIPAA requires healthcare businesses to ensure the confidentiality, integrity, and availability of all electronic patient health information (ePHI). This means they can’t disclose PHI to unauthorized entities, alter, or destroy said information without securing necessary permissions from the owner.
The same enforcement rules also apply in 2019. Covered entities should conduct an accurate and thorough risk assessment before signing business associate agreements (BAAs) with their third-party vendors.
There are also simple measures you can do to physically protect PHI, like locked cabinets and privacy screens. You can also dispose of and destroy electronic devices securely after they are no longer needed.
Don’t repeat the same HIPAA violations in 2018
There are lessons to be learned from several HIPAA violations made last year. Avoid making the same mistakes if you don’t want to pay millions of dollars in fine and damages.
To keep your patients’ and the public’s trust, you must treat your ePHI as your most valuable asset. You need to scan your hardware and software regularly to detect unauthorized access to your systems. If your company can’t safeguard your data 24/7, better hire a managed services provider (MSP) to secure your infrastructure for you. Don’t repeat the mistake that LifeBridge Health, Inc. did, letting an attack go unnoticed for two years.
You must also require third-party vendors to sign a BAA. They must be trained in HIPAA compliance and cybersecurity because they can be entry points for cyberattacks. Tufts Associated Health Maintenance Organization, Inc. failed in this aspect. 70, 320 individuals were impacted when a mailing vendor sent out ID cards to members in envelopes with clear plastic windows that prominently displayed PHI.
Learn the changes made into the law in 2019
The Department of Human Health Services (HHS) issued a request for information to identify HIPAA regulations that require sharing patient information for the purpose of treatment, payment, and operations. This initiative is similar to 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records)which will be revisited in March 2019. It will permit providers to share PHI to promote patient treatment for substance abuse disorder, particularly in light of the opioid epidemic.
HHS will also handle monetary penalties and settlements differently from data breaches. This includes sharing a percentage of the monetary penalties or settlements paid by healthcare organizations with the individuals directly affected by a breach.
Compliance is one of the most difficult things a small- or medium-sized business (SMB) has to deal with because of their lack of a legal department and their employees’ insufficient knowledge of the law. This is why you should partner up with Netcom Solutions, an MSP that’s been in business since 2005. If your Miramar, Coral Gables, or Miami business needs help with compliance, call us today.