Last time we talked about HIPAA, we said it was time to start getting serious. A number of new rules have been implemented that have increased the level of enforcement faced by healthcare organizations. In 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act passed, which addressed the privacy and security concerns associated with the electronic transmission of health information. In 2012, the threat of fines for noncompliance with HIPAA regulations became real, and the 2013 passing of the Omnibus Rule created a stricter enforcement rule, increasing the minimum and maximum penalties for healthcare entities guilty of HIPAA violations. The Omnibus Rule also included a breach notification regulation that added provisions regarding when and how breaches must be reported in addition to which healthcare entities are required to report. Tolerance for noncompliance with HIPAA regulations was lower than ever before and the odds of getting audited or, in the case of a breach, paying a significant monetary penalty, were increasingly high.
Well today, HIPAA is more serious than ever, with even more changes. In September 2015, the Office of the Inspector General (OIG) told the Office of Civil Rights (OCR), which enforces HIPAA, to get tough about enforcement. The OIG recommended that the OCR implement a permanent audit program as well as intensify its follow-up on breaches of personal health information (PHI) by any covered organizations or corporations that directly handle PHI, such as hospitals, doctor’s offices and health insurance providers. This has led to an escalation in the number of HIPAA audits. In fact, half of 2015’s HIPAA settlements, totaling over $5 million, came in November and December, after the increased requirements were put in place. As the number of audits continue to grow, HIPAA’s budget to investigate and enforce is growing as well, creating a circuitous audit firestorm for which the healthcare industry needs to be prepared.
With the growing pressure over the increased number of audits, simply being compliant is no longer enough. Healthcare organizations need to be compliant and audit-ready. While these new rules have provided more time to become compliant, the level of scrutiny has also increased. Maintaining compliance is still important, but now you need to demonstrate you are compliant as well. Auditors are going to want to see the processes and policies you have in place and they will need assurance that no data is exposed.
Healthcare entities can do this with a two-pronged approach: from a policy and procedural perspective (having the right policies in place), and from a forensic perspective (making sure that those policies are actually being followed). To be audit-ready, healthcare organizations need to be able to provide the necessary data—this is why reporting is so important. Healthcare organizations must be able to report on the policies they have in place (such as which departments and individuals, vendors, partners, patients, etc., have been granted access to PHI), as well as what kind of gates are in place to ensure those with access should in fact have that level of access. Healthcare organizations should also be able to provide granular reporting of security analysis and incidents in addition to what remediation steps are in place.
To ensure compliance, it’s essential that security procedures are followed by every user in the organization. If your organization has a workstation that is used by multiple nurses or doctors, you should have policies in place that require everyone to use their own credentials for login. Then you need to be able to prove that multiple users are logging in with their individual credentials, instead of sharing one. It’s important to keep in mind users’ expectations and implement protocols that are both secure and user-friendly. Doctors are notoriously resistant to technology, so it’s critical to keep these banner employees of the healthcare system happy and compliant.
Remember, when your users don’t follow proper protocol, they are putting the organization at risk. That’s why it’s imperative to have the right technology in place to ensure the security of health data. Historically, healthcare organizations have been slow to act, especially from a technology perspective. With the onslaught of these enforcement changes, however, organizations that are not thinking about protecting against breaches (and will likely be audited regardless of whether or not a breach occurs) can potentially face expensive fines, unwanted attention, and tough penalties.
When putting a system in place to ensure compliance and audit-readiness, make sure the solution balances risk with users’ expectations. Look for systems that offer a single authentication framework, which makes it easy to securely manage multiple devices and methods. A system with a centralized policy engine allows users to manage large environments with diverse authentication needs. Whatever solution, make sure it employs context aware verification to accurately assess risk-based access. Additional useful features to look for are event logging, which allows users to define which types of authentication are logged for later retrieval, and reporting capabilities for analysis and compliance demonstration. All these will help ensure your organization is audit-ready.
To learn more from OCR for ways to stay compliant as well as training and resources visit this site: http://www.hhs.gov/hipaa/for-professionals/training/index.html. To become involved in the OCR-sponsored community or connect with others professionals in the healthcare industry, visit here: http://www.hhs.gov/hipaa/for-professionals/list-serve/.