Healthcare Technology Featured Article

June 11, 2013

New HIPAA Rules Mean Tightened Security, Privacy & Stricter Compliance

In March, the new HIPAA (Health Insurance Portability and Accountability Act) privacy and security rules took effect. U.S. business associates have until Sept. 23 to reach compliance, HealthTechZone reported. New regulations impact in particular business associates and subcontractors.

The latest changes are part of a three-year tightening of the rules to upgrade HIPAA enforcement and the protection of confidential health information. That tightening has led to increased fines and prosecutions for privacy and security violations.

Healthcare providers now need to "conduct or review a security risk analysis," implement "security updates as necessary," and correct "deficiencies," Michael E. Kanarellis, a senior IT assurance manager, and Ryan Rodrigue, manager, IT Assurance Services, both at Wolf & Co., wrote recently in a report in Becker's Hospital Review.

In a recent OCR (Office of Civil Rights) audit of 20 healthcare providers, many deficiencies were found. Some 65 percent were security-related and 26 percent were privacy-related.

"What we're learning from the audits…is there's plenty of noncompliance out there and plenty of room for improvement," Leon Rodriguez, director of the OCR, said.

There needs to be better inventorying of data, improved assessment of security risks and tightened controls, the report said.

One series of issues relates to what data a hospital has on its patients, where it is stored, and how it is transmitted, the report said. "The assessment should guide your organization in prioritizing security risks, reallocating resources, and developing work plans to mitigate the most important threats," the report said. "Finally, a risk assessment should not be a one-off exercise; in the digital landscape, new threats are always emerging."

In addition, the report highlights that vendors risk violating the security of patient health information. At South Shore Hospital in Massachusetts, for example, the data destruction vendor lost backup computer tapes containing patient information.

Human frailty represents another risk. "A lot of these cases [of data breaches] turn on some kind of human frailty,” Rodriguez said. To remedy this potential issue, “inform and train your employees on proper information security procedures,” Becker’s Hospital Review said. “Your employees should be instructed to never use a link embedded in an email message or to use USB, CDs or DVDs not provided by the organization. Your IT department should send out regular notices about how to avoid dangerous schemes or information about IT best practices, which will help keep security top of mind.”

And security issues can arise from mobile devices. “The growing use of mobile devices for delivering patient care and transmitting patient health information promises to improve quality of care, but it also creates entirely new vulnerabilities, as there are now many more points for accessing information,” the report said.

Also, StillSecure and Coalfire recently listed some tips to help companies and organizations become compliant, HealthTechZone said. First, find out whether the organization needs to be compliant. Find out where data lives. Undertake both a risk analysis and data classification. Remember that mobile devices, tablets and smartphones frequently hold ePHI data. Many workplaces now have bring-your-own-device (BYOD) policies in place, too.

And understand encryption. “If there is a security breach, HHS (U.S. Department of Health and Human Services) officials will first ask if the data was encrypted,” HealthTechZone reported. “If the answer is no, the investigation can easily lead to fines, penalties and negative publicity.” 

Edited by Ashley Caputo