Health IT Briefing Feb. 11-15

The Modern Healthcare Storage Environment: How To Balance Storage Capacity, Performance, And Cost

The need for efficient, reliable, and cost-effective storage is at an all-time high. According to IDC Research, healthcare’s digital assets are growing at 48 percent annually, faster than the average annual growth of data in other industries. Since data has become a critical tool in healthcare delivery, this demand has healthcare providers looking for high-security storage solutions that fit this ever-growing need.


HIMSS19: CMMI launching challenge competition to drive AI innovation

The federal government has announced a new challenge competition. Its intention is to explore the use of artificial intelligence to predict health outcomes and improve healthcare delivery.


Cybersecurity products rolling out at HIMSS19

At HIMSS19, a variety of vendors are coming out with new technologies designed to better protect healthcare information. Atos has launched a new cybersecurity offering that now includes managed security services, cloud security and identity management.


11 Top Questions HIPAA Compliance Officers Need To Know


HIPAA, an acronym for the Health Insurance Portability and Accountability Act, was signed into law by President Bill Clinton back in 1996. Initially, HIPAA was meant to reform the healthcare industry for two reasons. One was to ensure that employees who were between jobs would still have healthcare coverage (the P meaning portability). The second was to ensure the security and confidentiality of health information (the first A meaning accountability). As with any policy, HIPAA has changed throughout the years and has added many new rules that healthcare organizations must follow to protect and inform patients.

Here are 11 of the most frequently asked questions regarding HIPAA security and compliance.

1. What does our organization need to do to become HIPAA compliant?

Although there is no concrete answer for this, our research indicates that the Office for Civil Rights will look favorably on organizations that make a “good faith” effort to do the following:

  • Implement an active, ongoing risk management process
  • Perform a recent security risk analysis
  • Develop policies and procedures that define how patient information and data is secured
  • Have signed business associate agreements in place
  • Keep proof that employees are trained annually
  • File HIPAA compliance program documentation as evidence of all of the above

It is important to note that according to the HIPAA Journal, “ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR).”

2. What Are Explicit HIPAA Requirements?

HIPAA calls these requirements “safeguards”. There are three safeguard categories: physical, technical and administrative. Physical safeguards focus on physical access to information at any location, whether it is on site, in a remote data center or in the cloud. Technical safeguards focus on the technology that is used to protect private information and provide access to the data. Administrative safeguards focus on the policies and procedures that tie the Privacy Rule and the Security Rule together. Risk Assessments are suggested so organizations can improve and align these safeguards.

3. Do We Need a Business Associate Agreement?

A Business Associate is a vendor that needs access to electronic protected health information (ePHI), such as technology providers, billing companies, etc. The Privacy Rule lists other activities and services that have access to protected health information where an official agreement is required.

4. Is Annual Employee Training Required?

Training employees guarantees that everyone on your team is updated on HIPAA requirements. Training policies should be included and documented in your organization’s Risk Assessment and considered an important, ongoing process. Remember, “ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR).”

5. Can Our Organization Send Emails?

The majority of ePHI breaches result from unencrypted data and the transmission of unsecured ePHI over open networks. Communicating by email is acceptable only if the email is encrypted or the person signs a release giving their permission to send them emails. The best policy and practice is to communicate with a patient through encrypted email, which securely records the communication trail.

6. Should We Report Ransomware?

Ransomware is a form of malware used in a cyber attack in which the hacker prevents your organization from accessing its data and demands a ransom (money) to restore it. First and foremost, your organization should take all precautions so this doesn’t happen. Make sure all systems are protected and train your employees to recognize phishing emails. But if a cyber attack does happen, it is possible that an investigation would be necessary.

7. What is the Difference Between a Security Incident and a Security Breach?

Any time the security officer suspects that ePHI was disclosed by or to anyone who is not authorized to see the information, that is a security incident. The security incident must turn into an investigation before a security breach is determined.

8. How Often Should We Perform Risk Assessments?

There is no “one size fits all” policy regarding performing HIPAA Risk Assessments. Risk Assessments should be done on a regular basis to ensure ongoing compliance. HIPAA regulations allow organizations to perform them as they feel necessary, but to meet HHS standards, all organizations should perform them on an annual basis.

9. Should We Perform Vulnerability Scans?

Absolutely. A vulnerability assessment or scan is an examination of an organization’s technology, equipment, and software to check for weaknesses that could be used by unauthorized people (hackers) to damage the network. Identifying vulnerabilities is a requirement of the HIPAA Security Rule, which states: “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.” The time frame is not specified; it is a conversation and policy to plan with your IT provider as part of your organization’s overall technology security.

10. Should We Encrypt Our Laptop Computers?

As mentioned above, encrypting emails and other private information offers protection from hackers, and it is recommended as a best practice for all organizations, not just HIPAA covered entities. If an encrypted laptop computer is lost or stolen and you have documentation stating the information was encrypted, then it is not considered a breach.

11. How Should We Train Our Team?

Training is an ongoing process to keep everyone in your organization informed and aware. Short, consistent pieces of training, which we refer to as micro trainings, are helpful. They are short informational videos overviewing relevant topics that can be incorporated into the regular workday, reinforcing the policy that everyone is responsible for safeguarding information. Micro trainings, combined with intentional, randomly timed simulated phishing emails sent by the IT department, will reinforce the importance of awareness and policy compliance. Ongoing training prepares everyone in the event of a data breach.

2018 Was a Record Year for HIPAA Penalties


2018 turned out to be a year of record fines for HIPAA violations: over $25 million in fines, with the mean fine being just over $2.5 million. Could your medical entity bear that financial burden? Would it suffer irreparable harm from the adverse publicity? And just what violations did these healthcare entities commit to get scrutinized, investigated and penalized?

Since 2016, settlements and fines from the Department of Health and Human Services’ Office for Civil Rights (OCR) have risen substantially. Healthcare entities should expect that this trend may continue and remain committed to avoiding HIPAA security breaches, negligence and failure to follow long-standing policies.

2018 Review of OCR Settlements

Whether your business is a smaller, private entity or a large, public entity, OCR investigations are expensive and potentially damaging to your business’s reputation. Prevention is our best defense – don’t let these errors happen.

  • Fresenius Medical Care North America. $3,500,000 – Settlement. Risk analysis failure. Impermissible disclosure of ePHI. No policies covering electronic devices. Insufficient encryption; inadequate security policies; inadequate physical safeguards.
  • Filefax, Inc. $100,000 – Settlement. Unauthorized disclosure of PHI.
  • University of Texas MD Anderson Cancer Center. $4,348,000 – Civil monetary penalty. Impermissible disclosure of ePHI. No encryption.
  • Massachusetts General Hospital. $515,000 – Settlement. Filming patients without consent.
  • Brigham and Women’s Hospital. $384,000 – Settlement. Filming patients without consent.
  • Boston Medical Center. $100,000 – Settlement. Filming patients without consent.
  • Anthem Inc. $16,000,000 – Settlement. Risk analysis failures. Inadequate review of system activity. Failure to respond to an identified breach. Lacking technical controls to thwart unlawful ePHI access.
  • Allergy Associates of Hartford. $125,000 – Settlement. PHI disclosure to a journalist. No sanctions against an employee.
  • Advanced Care Hospitalists. $500,000 – Settlement. Unauthorized PHI disclosure. No business associate agreement (BAA). Deficient security measures. No HIPAA compliance efforts before April 1, 2014.
  • Pagosa Springs Medical Center. $111,400 – Settlement. Failure to end employee access. No business associate agreement (BAA).

Don’t forget about your State’s Attorney General’s Office

Medical entities also saw a rise in fines and monetary penalties from state attorneys general. While the penalties are not always for HIPAA violations, they are still a distraction from your healthcare entity’s mission, requiring employees’ time and financial resources to be devoted to defending you against alleged violations of state laws and HIPAA. Some states have become more aggressive in enforcement of HIPAA violations. The Northeastern states – New Jersey, New York, Massachusetts, Connecticut and the District of Columbia – have stepped up their enforcement efforts, along with Washington State (which has yet to announce a settlement amount with Aetna). Defendants in these actions include insurance companies, hospitals, medical groups and even a transcription company.

State settlement amounts have ranged from a low of $75,000 to a high of over $1,000,000.

Common sense and training along with competent managed IT services will help ensure that your business is at decreased risk of HIPAA fines and penalties.

The deeper your understanding of the scope of potential HIPAA violations, the less likely you’ll be guilty of violating patient privacy. The Department of Health and Human Services publishes OCR news and bulletins on its website. Details of every action are published on a timely basis, including a PDF of the resolution agreement.

Make it a point to review the OCR website on a monthly basis. This site will provide insight into the actionable behaviors that employees or departments may commit.

Many of these offenses seem obvious in retrospect. Ensure that every employee understands these simple violations.

  • Business associate agreement. Ensure that BAA agreements with outside vendors are properly executed and that the vendor owner (or their authorized agent) knows of this agreement.
  • Terminated employees. Have a written policy regarding terminated employees so that their access to confidential patient information is terminated immediately. Your HR department and IT services vendor should work in unison to change passwords/deny access as soon as the employee leaves or is terminated.
  • Filming patients without consent. Don’t be lured into a major HIPAA violation by television and documentary filmmakers. While upper management and the CEO may feel that being featured in a TV series will bring prestige and goodwill to the facility, patients don’t feel that way and are protected by HIPAA.
  • Healthcare entities must be proactive in protecting data. Seemingly simple violations like insufficient encryption, no response to a breach or not providing HIPAA training to employees are not a viable excuse to OCR or state attorneys general.

Cybersecurity may be seen as a burdensome expense – protection of data is expensive, but it protects your business’s ability to recover in the event of a natural disaster or ransomware attack. Many of these settlements and penalties resulted from simple mistakes which would not have been costly to avoid. Be proactive and develop a plan to avoid expensive, avoidable HIPAA violations.

Happy Martin Luther King Jr. Day


Remembered mostly for his “I Have a Dream” speech, Martin Luther King Jr. was a man who fought to end segregation in this country. On this day, we remember someone who devoted their life to achieving racial equality.

Martin Luther King Jr. was born in Georgia in 1929. He graduated from high school at the young age of 15. From there, he earned his B.A. degree from Morehouse College and after studying theology for 3 years, he earned his B.D. and was president of his senior class at the Crozer Theological Seminary in Pennsylvania. Soon after, King won a fellowship at Crozer. He completed his residency in 1953 and earned his doctorate degree in 1955. Martin Luther King Jr. was a pastor, following the path of his father and grandfather.

Martin Luther King Jr. began to preach at a church in Montgomery, Alabama. He followed Gandhi’s philosophy, believing in nonviolence and equality. In 1955, King led the first large, nonviolent protest against racial segregation on buses. Though he conducted this without violence, people who opposed his beliefs responded with violence. Fortunately, this led to the Supreme Court declaring bus segregation as unconstitutional in December of 1956.

It wasn’t until 1963 that King directed the march in which he gave his famous “I Have a Dream” speech. There were hundreds of thousands of people there to witness the historic event. A year after this march, racial discrimination was completely prohibited, meaning that nothing could be legally segregated for years to come.

Over the course of his life, Martin Luther King Jr. made a great difference in the lives of thousands of Americans. His actions and accomplishments made over 50 years ago impact the daily lives of many and will continue to do so as time progresses.

How To Explain The Costs Of Cloud Computing To Healthcare Execs


How Much is Spent Worldwide on IT Costs?

Worldwide IT costs in 2018 hit an estimated $3.7 trillion, up 4.3 percent over the prior year, according to Gartner, Inc. With so much at stake, it’s essential for all companies that utilize IT to consider the pros and cons of a traditional IT approach versus moving more and more functionality to the cloud. Finance is one of the top considerations, but control over assets and data security are also vitally important. Therefore, it’s essential that the CIO is prepared to talk about the differences in language other executives can understand.

Why It’s Difficult to Explain Cloud Costs to the C-Suite?

CIOs sometimes have a hard time explaining the difference between cloud services (typically SaaS with monthly operating expenses) and traditional healthcare IT models that may involve paying cash for software and equipment to own them outright (a capital expenditure). This comparison needs to factor in the monthly cost to run on-premises data centers, as well as the allocation of capital expenditures, such as hardware, licensing, etc. Non-financial factors include company policies that favor ownership versus rental models for IT hardware and software. Unless the cloud expense is much higher, the C-suite should lean toward cloud economics as the more strategic approach. IT governance policies may also need to be revisited to support cloud computing trends.

Moving from a Cost Center to Strategic Partnership Model?

Healthcare organizations deliver healthcare services but are also digital companies. Cloud computing is now a critical component that brings the latest technology to the table, perhaps improving outcomes. It’s essential to help the C-suite understand this. One analogy that works is comparing it to another service based on consumption. Just as the utility or electric bill varies based on actual consumption, cloud computing cost varies based on changing usage. Building an accurate forecast prepares the leadership team for the hit to OpEx and the P&L. It may still be a tough sell, and the IT team might need some finance talent to track and adjust usage trends to keep the cloud cost forecast up-to-date.

How Can a Flexible OpEx Model Help Healthcare IT?

If a healthcare company needs to change directions fast to incorporate new diagnostic tools, therapies or IT innovations, an OpEx model is the fastest way to respond. Many times, the CIO is seen as someone holding fast to a traditional CapEx model or as someone rushing change before the organization is ready. Instead of letting the decision point be a source of contention, a mix of CapEx and OpEx could be the best answer. In this hybrid model, the decision to use a cloud-based approach versus a traditional on-premise solution would hinge on individual decisions about risk management and financial requirements, resulting in a variety of local and managed private cloud services as well as public cloud services.

What are Some Convincing Tactics for other Executives?

The difference boils down to buying software and hardware at once or paying a subscription. To show healthcare executives the advantages of the cloud, CIOs must demonstrate the benefits of the OpEx (or hybrid) model in a quantifiable way. For example, consider the CapEx model for buying a piece of hardware. The hardware has to be secured and configured, and the terms and conditions must be approved by the legal team before software can be installed. You put out a lot of hard-earned cash and wait months to actually use the product. The process takes months and ties up precious resources. In the cloud model, new solutions are available quickly without the headache of in-house configuration and maintenance. It also gives organizations the ability to scale down as well as up. This agility is something that’s easy to forget because most people associate cloud migration with scaling usage up.

How Can a Cloud Solution Be Included in ROI?

Include the following in the calculation of ROI: increased productivity (concentration on core functions), cost reductions, security, network, data storage, and transfer improvements. In a healthcare organization, access is key to improving patient outcomes. It’s important to show how each of these items translates to the ROI. If you can do this effectively, the rest of the C-suite is likely to fall in line with a cloud model.

What Preparation is Needed Before Talking to the C-Suite?

Before speaking to a C-suite individual, the CIO should prepare a model showing the ROI. The presentation should include technical data on cloud-based models, presented in terms that are clearly understood. Documenting a cloud strategy defines the outcomes sought by the CIO, and it’s the beginning of a road map to get there. The CIO’s road map should describe how the cloud model will save cost and add efficiencies while improving security and networking reliability. It also has to conform to HIPAA regulations.

Health IT Briefing Nov. 26-30

How IT Support Streamlines EHR Optimization, Boosts EHR Usability

Enabling enhanced clinical efficiency and EHR usability typically means more work on the IT side. Investing in additional IT services can help shorten the adjustment period that follows EHR optimization and system upgrades for improved EHR usability.


Socioeconomic Data Will Play Key Role in Population Health for Minorities

As healthcare continues to evolve, organizations are beginning to realize that additional socioeconomic data, such as living conditions, working conditions, and other environmental and social considerations, needs to be factored into analytics and population health management initiatives.


Dental Breach Notification Sparked by EMR Vendor Refusal

Are safeguards in place at your organization to prevent your vendor from holding your data? HIPAA guidelines describe how protected health information should be handled between business entities, but can extenuating circumstances play a role in the transfer and holding of data?
