Q: What is the most common mistake people make about HIPAA?
The most common mistake is to think that HIPAA compliance is taken care of through the use of an electronic health records (EHR or EMR) system. HIPAA goes way beyond electronic records and IT matters. A total HIPAA compliance program guides everyone in the organization, from the front desk to the health care professional in how to communicate with patients, family members and friends, including with social media; how to conduct an annual risk assessment – of the whole office, not just the electronic records; how to assess whether a breach of protected health information has happened (and what to do if it has); how to prevent Ransomware attacks; how to prepare for a HIPAA audit; and regular workforce training. Even the best EHR/EMR system does not cover all of these issues, because these issues go beyond IT.
Q: Does HIPAA enforcement affect small-to-medium size health care providers?
Yes. Last fall the Office for Civil Rights, the agency which investigates HIPAA breaches, announced that it was stepping up its review of breaches that affect fewer than 500 individuals. There are far more small-to-medium size providers than there are large ones across the country, and they typically do not have adequate HIPAA policies and procedures in place.
Q: What is your biggest concern about HIPAA today?
My biggest concern is the growing threat of Ransomware. The U.S. Department of Justice reports that Ransomware is the fastest growing and most dangerous threat to the security of health information in the United States. More than 4,000 daily Ransomware attacks were reported in 2016, a 300% increase over 2015, and it continues now, in 2017. Not only does this harm patients whose data is stolen, but it can be extremely disruptive and costly to health care providers.
From the perspective of HIPAA, the U.S. Department of Health and Human Services (HHS) says that a Ransomware attack on a Covered Entity or Business Associate that encrypts Protected Health Information (PHI) is presumed to be a HIPAA Breach. This means if you’re hit by Ransomware you must provide notice to all the affected individuals, the HHS and, if the attack locked up PHI of 500 or more individuals, prominent media outlets. HHS presumes a Ransomware attack is a Breach because the encrypted EPHI “…was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
Q: President Trump recently named Roger Severino as the new director of the Office for Civil Rights at HHS, which enforces HIPAA. Will HIPAA enforcement slow down under the Trump administration?
There is no question that enforcement of HIPAA Privacy and Security Rules will continue to increase dramatically. The public and Congress demand it. More than a hundred and seventy million Americans have already been hurt by medical identity theft in the last seven years and threats from ordinary criminals and cyber criminals are increasing. Privacy is not a partisan issue.
Q: What is one piece of advice you have about HIPAA for someone who wants to improve their compliance?
The secret to HIPAA is that it’s easy to comply once you know the rules. Find a complete solution with step-by-step guidance to walk you through it, make sure you complete a risk assessment, then instill a culture of compliance in your office with your workforce.