20 Years of HIPAA: Are We There Yet?
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and became law in 1996. Two decades later, covered entities such as healthcare providers, health plans, and data warehouses are still working toward full compliance. Fines and complaints continue to mount, so why is full HIPAA compliance so elusive even 20 years on? And how can Unified Communications (UC) help?
Mobility can upset the ideal HIPAA environment. Mobile devices, including laptops, smartphones, and tablets, cause breaches through carelessness (loss) and through the more sinister route of theft. Unencrypted devices left unattended with protected health information (PHI) on them make HIPAA violations possible and are the primary cause of breaches.
Use of social media apps in the healthcare environment can set up a HIPAA violation without anyone realizing it. Photographs and videos taken in or outside of a hospital that end up on Snapchat, Facebook, or even Pokémon Go, for instance, can expose and identify a patient's PHI. Take the time to develop a social media policy for compliance.
FAILING TO REVIEW
Covered entities need to vigorously review their HIPAA compliance measures to assess risks. Routine risk analysis is crucial (and a HIPAA compliance mandate) to evaluate new technologies brought into the healthcare setting and to identify vulnerabilities in network systems and workflows. Regular and automatic security upgrades to network devices are necessary to maintain compliance as well. Verify that the safeguards are in place and demonstrate their ability to reduce risks.
Mandatory training in HIPAA compliance is an ongoing measure entities must undertake. Remember to keep your team up to date on how to maintain compliance during onboarding and plan regular reviews.
WHO IS AT RISK & WHY
Since 2003, the official date that HIPAA compliance became enforceable for all covered entities and their business associates, over 137,000 complaints have been made to the Office for Civil Rights (OCR). The OCR has resolved at least 96% of these by finding the complaint invalid, by making sure (and where needed assisting until) the problem was fixed, or by settling with a fine. The OCR states that it has collected over $37 million in fines to date.
Privacy breaches occur mainly because of human errors. The most common reasons include improper use and disclosure of PHI, lack of access to PHI by patients, lack of safeguards of PHI, over-disclosure of PHI, or lack of administrative safeguards of electronic PHI (ePHI). This last one is where Unified Communications (UC) can support your organization.
The covered entities most commonly required to take corrective action are:
- Private Practices
- General Hospitals
- Outpatient Facilities
- Health Plans/Insurance Issuers
If this is your organization, you can never be too careful. There are UC solutions, such as call recording, that protect ePHI and offer a compliance strategy to support your organization. Many entities already use call recording to support patient services, document treatment, and mitigate malpractice suits. Call recording solutions vary, so it is key that the chosen solution is HIPAA compliant: scalable and flexible, with limits on physical access to where the ePHI is stored. The solution must also provide access and audit controls, authentication, and transmission security. The audit mechanism should track key events, such as logins and logouts, password updates, and recordings marked for playback or deletion. These physical and technical safeguards will ensure that the recording solution you choose meets HIPAA's standards.
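As an added illustration of the access- and audit-control requirement just described (example code written for this article, not code from the original post or from any vendor's product): a small tamper-evident audit trail for a call-recording system. It records the events named above (logins, logouts, password updates, recordings marked for playback or deletion), records denied requests as well as allowed ones, and chains each entry to the previous one with a SHA-256 hash so that a later edit or removal of an entry is detected on verification. The role model, actor names, and recording identifier are assumptions made for the example.

```python
"""Tamper-evident audit trail for a call-recording system (added example).

Each entry records who did what, when, and with what outcome, and carries
the hash of the previous entry, so that altering or deleting any entry
breaks the chain and is caught by verify().
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import List, Optional

# The key events the text says an audit mechanism should capture.
TRACKED_EVENTS = {
    "login",
    "logout",
    "password_update",
    "recording_marked_playback",
    "recording_marked_delete",
}

# Hypothetical role model for this example only; a real deployment would
# apply its own access-control policy.
ROLE_PERMISSIONS = {
    "clinician": {"recording_marked_playback"},
    "compliance_officer": {"recording_marked_playback", "recording_marked_delete"},
}


@dataclass
class AuditEntry:
    seq: int
    timestamp: str
    actor: str
    event: str
    outcome: str              # "allowed" or "denied"
    recording_id: Optional[str]
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except entry_hash itself, in a canonical encoding.
        fields = asdict(self)
        fields.pop("entry_hash")
        payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    GENESIS_HASH = "0" * 64

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, actor: str, event: str, recording_id: Optional[str] = None,
               outcome: str = "allowed", when: Optional[datetime] = None) -> AuditEntry:
        """Append one entry, linking it to the hash of the previous entry."""
        if event not in TRACKED_EVENTS:
            raise ValueError(f"untracked event type: {event}")
        when = when or datetime.now(timezone.utc)
        prev_hash = self.entries[-1].entry_hash if self.entries else self.GENESIS_HASH
        entry = AuditEntry(
            seq=len(self.entries),
            timestamp=when.isoformat(),
            actor=actor,
            event=event,
            outcome=outcome,
            recording_id=recording_id,
            prev_hash=prev_hash,
        )
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Return True only if every entry's hash and chain link still hold."""
        expected_prev = self.GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_hash != expected_prev:
                return False
            if entry.compute_hash() != entry.entry_hash:
                return False
            expected_prev = entry.entry_hash
        return True


def request_recording_action(trail: AuditTrail, actor: str, role: str, event: str,
                             recording_id: str, when: Optional[datetime] = None) -> bool:
    """Authorize a playback/delete request by role and log the attempt either way."""
    allowed = event in ROLE_PERMISSIONS.get(role, set())
    trail.record(actor, event, recording_id, "allowed" if allowed else "denied", when)
    return allowed


def demo() -> AuditTrail:
    # Constructed session: a clinician logs in, changes their password, is
    # allowed to mark a recording for playback, is denied deletion, logs out.
    trail = AuditTrail()
    t0 = datetime(2016, 8, 1, 9, 0, tzinfo=timezone.utc)
    trail.record("dr.lee", "login", when=t0)
    trail.record("dr.lee", "password_update", when=t0)
    request_recording_action(trail, "dr.lee", "clinician", "recording_marked_playback", "rec-0001", when=t0)
    request_recording_action(trail, "dr.lee", "clinician", "recording_marked_delete", "rec-0001", when=t0)
    trail.record("dr.lee", "logout", when=t0)
    return trail
```

The trail itself should live on write-once or append-only storage that the recording system's operators cannot silently edit; the hash chain makes tampering detectable, not impossible, so the anchoring hash of the latest entry is worth exporting periodically to a separate system.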