As we have noted before, medical records are some of the most valuable assets cybercriminals can get their paws on. Whereas a Social Security number may sell for $0.50 and the details of a credit card for $6.00, a health care record for an individual can go for a staggering $250.00 because of the lengthy shelf life of such information. A credit card can be cancelled, but medical records exist for life.
In order to combat the theft of private health data, the Health Insurance Portability and Accountability Act was created to establish mandatory privacy standards by which all healthcare providers must abide. Since the original passage of HIPAA in 1996, HIPAA has received several important updates:
- The Privacy Rule expanded the scope of HIPAA in 2003 to set restrictions and details for how protected health information (PHI) can be shared. This includes what PHI can be used or disclosed, when, and under what circumstances.
- The Security Rule, passed in 2003, is a set of regulations intended to protect and maintain the confidentiality, integrity, and security of ePHI by implementing proper administrative, physical, and technical safeguards.
- The HIPAA Enforcement Rule was passed in 2006, and added additional regulations to investigate noncompliance, penalties for violations, as well as standards for court cases and hearings.
- The HITECH Act was signed into law in 2009 with the primary purpose of encouraging healthcare providers to adopt Electronic Healthcare Records and supporting technology.
- The Omnibus Rule followed just after the HITECH Act and made business associates and their subcontractors directly liable for their own compliance with HIPAA. Although this change was first mentioned in HITECH, the Omnibus Rule took it to another level by enforcing these requirements upon business associates directly, beyond simply signing a business associate agreement.
In light of COVID-19 as well as emerging digital technologies that couldn’t even have been foreseen 10 years ago, there have been several proposed updates to HIPAA that would require additional security requirements, software, and administrative procedures.
Monetary Civil Penalties
In 2019, a reported 1.9 billion was lost due to identity theft. Seeing as breaches of Protected Health Information can potentially result in identity theft or fraud, the first proposed update would allow individuals who have had their data stolen to request financial compensation from the covered entity found at fault for the breach.
There is currently no procedure in place for the victims whose personal information is left unsecured during a breach to seek financial compensation. Currently, the best they can receive is free credit monitoring and future identity theft protection. If this addition to HIPAA is approved, it would be a big win for the victims of breaches. But if your company was responsible for the breach, it could be a crippling or even devastating blow to the organization. Plan accordingly.
Accounting of Disclosures
Currently, individuals are able to request all of their PHI under the existing accounting of disclosures requirement. These records cover disclosures of paper PHI, but not digital transactions. This proposed change would require a clear record of each and every time an individual's PHI was shared, allowing an individual to see every disclosure of their information.
Because the world is increasingly relying on digital means to accept, share, and store data, this change would be welcomed by people concerned about their personal health data. But if this provision is approved, it means that Covered Entities will need to keep detailed digital records of disclosures and make them easily accessible to their patients.
If you are a healthcare organization or a business that supports one, you have a responsibility to keep up with HIPAA regulations. Ignorance of changes in standards is no excuse. First, though, the best thing you can do is make sure that you have a secure foundation by complying with the existing HIPAA standards. At Accountable, we have broken the basics of HIPAA compliance into several manageable steps. These HIPAA compliance requirements are:
1) Understanding what patient privacy entails
2) Knowing the core rules of HIPAA required mandates
3) Understanding the roles security and privacy play in the use of Electronic Health Records (EHR)
4) Completing Security Risk Analysis and Management and correcting discovered vulnerabilities
5) Disaster preparedness
6) Ongoing HIPAA training
7) Understanding business associate agreements and other collaborations
As you can see, HIPAA can seem large and bewildering, which is why we created a process and framework to help guide organizations to achieve and maintain HIPAA compliance. Take it out for a free trial, today.