Make it a habit to learn what the hot topic HIPAA enforcement issues are. If you already have a HIPAA compliance program, review and tweak it to stay ahead. If not, when you start you can prioritize what to do first to catch up.
You don’t have to guess what the priorities are because the people who enforce HIPAA speak publicly about them. Most recently, at a conference in October, several senior enforcement officials from the Office for Civil Rights (OCR) detailed what they are looking for. They were very clear.
Patient Right of Access
Patients need to be able to obtain their own medical information easily. Today there are software apps that help patients assemble and organize their information, and OCR wants these to succeed because they promote patient access. In April 2019 OCR issued new FAQs addressing how HIPAA applies to these apps. Read the FAQs for the whole story, but here is our key takeaway:
Key takeaway: a covered entity that sends ePHI to an app will not be liable for unauthorized access to the PHI, either in transit or after it is received by the app, unless the app was “developed for, or provided by or on behalf of the covered entity.”
There is much more to the patient right of access, and we have written about the topic several times in recent months. Start here to learn the basics, apart from software apps. Many, many covered entities and business associates are NOT complying with HIPAA when patients ask for their medical records. The OCR is watching, so learn the rules.
Most breaches of patient information today occur through email – hackers use phishing to trick employees into giving them access to the system. In the ten years between 2009 and 2019, email accounted for 17% of breaches, and during 2019 the number skyrocketed to 40%.
Ransomware remains a dangerous risk to health information security. Remember that ransomware is “presumed to be a breach” according to OCR, so in addition to recovering from the attack, healthcare organizations must do a breach investigation.
Ransomware is more difficult to prevent than a typical phishing attack, but you can defeat ransomware through your risk management actions. Do a Risk Analysis, and follow through.
Key Takeaway #1 – all employees with access to PHI need regular security training. Most hacks can be prevented when employees are taught what to look for, and given practice. Train, repeat, train, repeat.
Key Takeaway #2 – maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack.
Business Associates and HIPAA
One of the largest patient data breaches this year occurred at a billing company, American Medical Collection Agency (AMCA), under contract to two of the largest medical labs in the world, Quest and LabCorp. Over 12 million patients were affected and multiple federal lawsuits have been filed. The costs are staggering and the final outcome is years away.
OCR investigates all breaches affecting more than 500 individuals, so we can assume they are looking at it. The mistakes at AMCA illustrate risks faced by both covered entities and the business associates who support them.
OCR continues to warn that business associates themselves are directly liable for HIPAA compliance, and that covered entities need to evaluate their business associates and have strong business associate agreements in place. As a covered entity, take care that your BAA does not place you in jeopardy for the negligence of your business associates.
Key Takeaway #1 – for covered entities – make a list of your vendors who are business associates and make sure you have business associate agreements. Take care not to make them your agent or you risk taking on their mistakes as your own.
Key Takeaway #2 – for business associates – have HIPAA policies in place, follow your BAA, and if you have subcontractors, make sure you have subcontractor business associate agreements.
Risk Analysis – Risk Management is the Basis of Everything
No one has a perfect airtight system to prevent all mistakes, but everyone can reduce risks by paying attention.
We beat this drum regularly, as does the OCR. It is not enough to check boxes when it comes to HIPAA compliance. After you adopt HIPAA policies, the culture of HIPAA compliance requires ongoing risk management. Best practices call for a risk analysis once a year. Then throughout the year, follow a plan to reduce and manage those risks.
Key Takeaway – do a thorough risk analysis, document it and follow the risk management plan it creates. Do it every year.
Help from The HIPAA E-Tool® Now
We stay current so you don’t have to follow every twist and turn in the news. With The HIPAA E-Tool® you can be confident you’ll know the hot topics and have the tools to manage them. It includes an interactive Risk Analysis you can complete yourself, archive, and save to refresh next year.
And our HIPAA experts are a phone call away if you have a pressing question.