Some healthcare entities are breathing a slight sigh of relief at the DHHS decision to reduce the annual limit on civil penalties for HIPAA violations, but the cost of violating healthcare compliance has always been about more than fees. Hospitals spend 64 percent more on marketing and image repair after a data breach, and in some cases, the damage done to the organization’s reputation is irreparable.
Patients care about the security track records of their hospitals, and as consumers, they’re becoming much savvier, just as healthcare’s reliance on online platforms is exploding. An online world that was once limited to portals and email now includes smartphone apps, wearables, consumer data platforms, and the Internet of Medical Things (IoMT).
This shift may cause disruptions, but it also presents an opportunity for healthcare IT professionals, who are now positioned to be champions of PHI security and innovators who identify services and solutions that enhance patient relationships.
The new scope of PHI
Formally, under HIPAA, PHI is any individually identifiable information about the past, present, or future health status of an individual that a HIPAA-covered entity handles in the course of providing healthcare services, receiving payment for those services, or running its operations.
The formal list of protected identifiers is almost twenty items long. It includes names, geographic identifiers smaller than a state, dates (other than the year) directly related to the individual, biometric identifiers, device identifiers, serial numbers, and email addresses.
This information is covered at the federal level under the HIPAA Privacy Rule, but for many organizations, this is just the beginning of their healthcare compliance concerns. Multiple states have enacted laws and policies that govern patient consent for the exchange of PHI and standards for the disclosure of mental health information. This interactive application from HIT.gov allows you to view a map that displays Health Information Exchange (HIE) consent policies, state-sponsored HIE consent policies, and additional laws by location.
New measures for modern healthcare compliance
We’re transitioning into an age of healthcare compliance where HIT professionals are tasked with managing the complexities of changes like HIEs, increased patient creation of and access to PHI, and growing cybersecurity threats. Rising to these challenges will require a new perspective on security and organizational protection.
Start with holistic frameworks that balance risk
PHI security is now a big-picture problem. This means that piecemeal approaches will leave your organization—and your patients—subject to unnecessary risk.
Organizations like the Health Information Trust Alliance (HITRUST) have created a framework designed to meet your organizational needs, allowing leaders to manage both risk and security. Perhaps most importantly, it consolidates requirements and standards from the payment card industry, HIPAA, and the International Organization for Standardization (ISO) into a single framework, in an effort to improve organizational cybersecurity considerably.
Talk to your employees
A holistic framework is just the start. Your people are going to be major players in your efforts to maintain healthcare compliance and keep PHI safe.
The vast majority of healthcare breaches originate inside healthcare organizations: insiders were responsible for 50 percent of 2018 breaches, a statistic that is unique to healthcare, according to a Verizon analysis of more than 20 industries.
But it’s not just about internal malefactors. Phishing has become a preferred method for hackers. Last year’s Verizon report revealed that phishing and financial pretexting represented 93 percent of all breaches, and email was the main entry point, being involved in 96 percent of investigated incidents. If you haven’t already, consider launching a threat awareness campaign across your organization to account for this.
Customize your security strategy
Healthcare is finally picking up momentum in line with the transition into the digital era, but it still relies heavily on analog processes. For example, a full 90 percent of providers rely on paper and manual processes for collections.
While this might be a comfortable or even preferred method for your patients, it requires a secure, well-managed approach. Your staff need a way to secure the devices they use so they can focus on innovating within your organization's core service: providing care that ensures the satisfaction and wellbeing of all patients. For example, consider partnering with a Managed Print Services (MPS) provider to offload some of the IT burden of printer maintenance, uptime, and security.
As healthcare compliance standards continue evolving to meet emerging risks and opportunities across the industry, smart healthcare IT professionals will stay on top of security management trends as a core element of their professional growth.