The Healthcare Insurance Portability and Accountability Act (HIPAA) was adopted in 1996. It seeks to ensure the secure management of healthcare information and outlines guidelines that all healthcare organizations and employees must follow to manage protected healthcare information (PHI). Under HIPAA, PHI is any information that can be used to identify an individual, including:
Lab test results
As technology continues to evolve, the risks facing PHI also grow. It’s now more important than ever for players in the healthcare industry to comply with HIPAA to avoid costly penalties. To understand the significance ofHIPAA compliance, it’s best to revisit past cases relating to violations. These cases will provide crucial lessons on how to avoid common HIPAA-related mistakes.
Case #1: Allergy Associates of Hartford, Conn.
Hartford-based Allergy Associates was fined $125,000 after a patient complained to the Department of Health and Human Services about the disclosure of her PHI by a physician at the facility to a reporter. An investigation revealed that the physician disregarded advice from the hospital’s privacy officer not to respond to the media regarding claims that the woman had been turned away from the facility for bringing along her service animal. Following the disclosure, Allergy Associates failed to take any corrective or disciplinary action towards the physician.
Allergy Associates should have disciplined the physician besides taking corrective action to prevent similar incidents from occurring. Had it done so, the facility would probably not have been penalized. This highlights why healthcare entities should take immediate remediation action when such incidents occur and hold employees responsible for their behavior. Likewise, employees should be trained on media protocols to ensure that PHI is not intentionally or unintentionally disclosed to the media as it happened with Allergy Associates.
By Devin Partida, technology writer and the Editor-in-Chief of the digital magazine, ReHack.com
The coronavirus pandemic has caused massive changes around the world. As people adjust to the new normal, they may notice some differences associated with COVID-19 and telehealth. Here’s an in-depth look at those changes.
Telehealth adoption rising
United States government officials announced changes in mid-March that dramatically increased access to telehealth in the nation. The changes included allowing providers to use everyday technologies to connect with patients, offering more telehealth treatment coverage to Medicare beneficiaries and making such options available at lower costs than traditional appointments.
The increased access and provider flexibility are temporary, intended to remain only for the duration of the country’s health emergency. However, some people believe the changes could bode well for telehealth in general, such as by giving adoption of the technology a sustained boost.
Analysts at Frost & Sullivan predict a 64.3% year-over-year growth increase for the telehealth sector this year. The researchers mentioned the need for social distancing as a central factor influencing the surge. However, they cautioned that the telemedicine industry contains an ecosystem where numerous parties affect adoption rates and healthcare compliance standards.
Medical practices can increase income through telehealth visits
Many people avoid face-to-face treatments now due to the risk of virus transmission. However, even before COVID-19 became a threat, people faced other obstacles that made in-person care more complicated, such as a lack of transportation or mental health struggles that made them nervous in public.
Jason Popp, a partner at Alston and Bird’s healthcare litigation group, pointed out how making telehealth more accessible introduces more revenue streams for medical facilities: “When the pandemic started, physicians in practices were seeing big changes because they couldn’t see patients anymore.”
Popp continued, “Now they’re quickly adapting to the change. Otherwise, they’ve got limited revenue because patients aren’t coming to clinics or certain facilities. It’s been a bit of a wake-up call to practitioners who were previously kind of opposed to telehealth. Now they’re seeing there are immense benefits. After the pandemic, many will continue to provide telehealth.”
A temporary telehealth waiver connected to the coronavirus pandemic expands access to people beyond rural areas. Popp viewed that regulatory change as the most significant and hopes Congress will eventually make it permanent. Other parties familiar with telehealth say the sector is scaling up so rapidly that reverting to pre-COVID-19 healthcare compliance standards would prove difficult.
By Rob Wiley, head of marketing and product strategy, Formstack.
If you’re in healthcare, it’s likely because you have a passion for helping others and solving problems. Those on the IT side of the industry are no exception. Healthcare IT has seen a significant shift from navigating health records in a paper-based system to the digitization of health data—and for good reason.
There are many benefits to digital transformation in the health industry. For one, administrative costs alone in healthcare account for nearly $266 billion per year. By transferring records like medical forms and insurance verification paperwork to a secure electronic platform, healthcare providers can save on administrative spending and put those funds into more impactful areas. Additionally, the digitization of health data streamlines communication between all levels of the healthcare process: from physicians to patients and insurance companies.
But the digitization of health data also comes with challenges that healthcare IT professionals must solve—most notably around the implications of Health Insurance Portability and Accountability Act (HIPAA) compliance, patient engagement and employee empowerment.
Rules and regulations in healthcare are ever-changing, and health providers and practices are expected to stay up-to-date and comply. Ensuring your company maintains compliance and data stays secure begins with your healthcare IT team. Not only does compliance protect your company from stiff penalties and violations, it also safeguards the protected health information (PHI) of customers and partners.
Consider this: A patient is asked to share interest in an elective surgery and decides to opt out. If this document confirming their disinterest in the surgery is stored insecurely using a paper file, this puts the patient’s trust at risk of being breached, and in turn, the decision to opt out of the procedure at risk of being dishonored. Meanwhile, storing this information in a secure, electronic file would reduce the risk associated with data breaches and the file being lost or misread. With a strong IT team following HIPAA guidelines, your practice can stay safe from violations and accidental exposure of sensitive records in the digital world of healthcare.
The digital transformation of healthcare doesn’t just impact the backend of business; it also affects patient experience and how practices are represented to future customers and partners. Healthcare IT professionals have to consider how digitization impacts the user experience and the ease of electronic communication between patient and practitioner. Here are seven important questions healthcare IT teams should ask themselves when evaluating their current digital network and any future improvements:
What systems are patients interacting with when preparing for or during the visit?
How easy is it for patients to provide information to their health provider?
How long does it take for the patient to fill out the intake documentation?
Are patients required to enter duplicate information anywhere?
Is the process convenient for the patient? Are they able to complete the information when and where they would like?
Is there an option to sign electronically and securely?
Does the patient receive copies of their documents for their own record keeping?
Healthcare IT professionals should consider the answers to these questions to determine the top changes they need to make to their digital system in order to improve patient experience and, ultimately, increase the number of patients they serve.
The rapid digitalization happening in healthcare promises to streamline patient care and the availability of patient information.
Overall, advancements in technology fueling this are a step in the right direction. That said, there are side effects to this trend that put sensitive patient data at risk.
Healthcare organizations are rife with sensitive personal data, ranging from health records to social security numbers, birth dates, and addresses. This makes them an appealing target for cybercriminals looking to steal and profit from that information. One recent survey reports that the majority of hospitals (82 percent) have had a significant security incident in the past year.
Healthcare organizations must protect sensitive patient data as mandated by theHealth Insurance Portability and Accountability Act(HIPAA), the regulatory framework for the healthcare industry. As breaches continue to rise, healthcare providers and others in the industry must understand how to properly secure this sensitive data.
Here are three ways to ensure HIPAA compliance with patient privacy.
Ensure Technical Safeguards are in Place
Healthcare organizations must protect sensitive patient data from external and internal threats. While digital health records may improve efficiency, this electronically protected health information (ePHI) must be kept safe via technical safeguards.
This includes access and audit control requirements that determine access control capabilities for all information systems that have ePHI and ensuring that activity within these systems can be traced back to specific users. Organizations also need formal policies for access control.
Authentication and integrity are also critical, meaning that healthcare organizations must protect ePHI from being altered or destroyed and must also secure that data while stored at rest. Authentication can be accomplished via digital signatures, checksum technology, and error-correcting memory.
Data in motion must also be secured, especially with the proliferation of electronic medical records (EMR) and health information exchanges (HIEs). Healthcare organizations must be able to securely transmit patient medical records between facilities.
Apply Administrative Safeguards
Healthcare organizations bear responsibility for both Protected Health Information (PHI) and Personally Identifiable Information (PII), which requires the proper categorization of each type of data. Each type of data requires its own unique treatment, making it paramount that the information is properly classified.
Administrative safeguards break down into the following categories:
Security management process
Assigned security responsibility
Information access management
Security awareness and training
Security incident procedures
These areas help organizations implement policies and procedures to guide employees in the proper care and use of ePHI. This may include security training requirements along with a delegation of security responsibilities within an organization.
Prepare for Compliance Audits
It may sound obvious, but preparing for and submitting to compliance audits on a regular basis can help healthcare organizations stay in check and avoid expensive HIPAA fines. By employing a feedback loop based on the results of reviews, organizations can inform future decisions regarding security. Organizations should be conducting internal reviews ahead of scheduled audits to go over daily logs and to seek out anomalies, errors, and other suspicious activity that could signal a threat.
More than simply scanning for these anomalies, organizations must also have an appropriate and measured response mechanism in place. The ability to quickly respond to security issues is incredibly important and requires documentation and training.
This new digital environment makes for exciting new opportunities in the healthcare space. Unfortunately, it also brings with it new threats and security concerns that must be addressed. HIPAA compliance requires a comprehensive strategy to protect PHI and PII, including the right technology, the right safeguards, and the right training.
Cloud technology application in healthcare is not new. Back in 2015, we created a post on cloud usage in healthcare, where we researched this topic and predicted that we will see the growth of this industry. And now in 2019, we see that we were right. Let us see what as changed in this area with time.
What are the benefits of using cloud technology in healthcare?
Although not yet fully implemented, cloud computing is popular with healthcare because it offers a lot of positive features that are essentials for improving the medical industry.
Improved data management and storage
It goes without saying that the healthcare industry deals with a lot of data that needs to be stored somewhere. And cloud data storage capacity is one of the biggest advantages of adopting cloud technology in this industry. Plus, keeping records on the cloud allows analyzing the data, which in its turn can help prevent major disease outbreaks.
Mobility and speed
For hardware servers, we run a speed test to verify if the connection is speedy enough, but it is a fact that cloud computing offers faster connection and access to required information, which oftentimes is key in healthcare. Additionally, storing data on the cloud allows healthcare professionals to be able to access it from anywhere at any given time. It also enhances more efficient collaboration between them, as information is synchronized in real-time. This way doctors can easily view samples, lab results, and share notes, which significantly improves patient care.
Compared to supercomputers, cloud computing costs far less. Also, upgrades of any of the various features of cloud tools are both faster and cheaper than those done for hardware solutions.
Challenges and risks of cloud application in healthcare
Even though cloud technology has many advantages for healthcare, nevertheless, there is a number of risks and challenges that slow down the transition process to the new system completely. The biggest ones of them are the following:
Whatever cloud solution healthcare organizations decide to use, it must be compliant with the Health Insurance Portability and Accountability Act (HIPAA) for secure data portability. It means that these principles should not only be understood and followed by medical facilities, but by cloud technology vendors as well. However, there are many cloud providers on the market now who offer HIPAA compliance.
The data backup plan was established as a mandatory stage of HIPAA compliance to create, implement and maintain a set of rules and procedures for healthcare organizations to follow when managing the backup and restore requirements of electronic protected health information (ePHI). A data backup plan is part of the HIPAA Security Rule and encompasses wider contingency planning processes that any chosen business associate (BA) or managed service provider (MSP) must be able to demonstrate a compliant backup service capable of backing up and restoring exact copies of healthcare data when required.
The data backup plan should be integrated within a wider contingency plan because it is designed as a failsafe for the protection of patient data. Most MSPs will already be offering disaster recovery technology capable of moving over data and services to a secondary location almost instantaneously. But backups are often considered the last line of defense in the event of a catastrophic system failure. It allows for data restoration capability to be available in the worst possible scenarios.
If you are looking for good business ideas, the healthcare industry should be your first option. The industry is a fantastic place for individuals with healthcare-related business ideas as well as aspiring entrepreneurs to invest in. Exploring these ideas is excellent for many reasons. There is an opportunity to serve the aging population in the country and helping individuals who are struggling with the drug crisis.
Currently, there are many technological and medical advances as well as widespread interests in health and wellness. All these are great incentives for healthcare entrepreneurs. Also, combining all these factors means that there is a thriving market for the health-related businesses and medical staffing network.
Aspiring entrepreneurs can convert one of the many health-related business ideas into viable ways to make a living. But before getting started, they need to understand how staffing, liability, and HIPAA guidelines play into their decision making since non-compliance can result in closures and fines depending on the severity of the violation. Here are the main healthcare businesses ideas that can help you invest in the industry:
Medical mobile screening
When thinking about a new healthcare-related business idea, then medical mobile screening is a good option for you since it requires less investment. Medical mobile screening is nothing but a simpler version of booking a physician’s appointment, ordering medicines, and scheduling vaccinations through the use of digitized technology.
This means that an individual can do all these activities without visiting a doctor or queuing for long hours while waiting for their turn to come up. From the business person’s point-of-view, this simplicity means far less overhead. Better yet, a medical staffing agency can be used to find worthy candidates from around the globe, further reducing business expenses by removing the need to headquarter everyone in the same location. The staff, just like the patients, can be situated virtually anywhere with an internet connection.
Retail pharmacy business
This business is the simplest and easiest way to venture in the healthcare industry. It is among the most flourishing and productive healthcare businesses in the sector today. If you are looking forward to establishing your own drug store business, you must a abide by the current regulations of the retail pharmacy business that manage and guide the stockpiling, sourcing supply, sale and recording keeping in regard to the HIPAA compliance.
Retail pharmacy business is the best for individuals planning to open a store in the vicinity of medical facilities since demand is more in such locations. The retail pharmacy business is among the growing and profitable healthcare business opportunities that never go out of consumers since they have daily use products.
Guest post Gene Fry, vice president of technology and compliance officer, Scrypt, Inc.
According to the 2016 Survey of America’s Physicians, around 70 percent of the nearly 800,000 physicians in active patient care in the U.S. work independently or in practices consisting of 30 physicians or fewer. For these small and medium sized practices, maintaining a robust HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance strategy is extremely difficult. In fact, one report suggests a third of small practices do not have a HIPAA compliance plan in place at all, which is a worrying statistic, given the potential repercussions of a HIPAA breach.
Only last year, HHS’ Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA Privacy and Security rules, announced an initiative to more widely investigate smaller HIPAA breaches. While this may not have been directly aimed at small practices – small breaches can just as easily occur at large organizations – it provided a stark reminder to all covered entities that no organization is exempt from the rules, and noncompliance is noncompliance, regardless of magnitude or intent.
To highlight this, back in 2012, Phoenix Cardiac Surgery — a four-physician practice based in Arizona — was fined $100,000 and required to take corrective actions, after it was revealed the company had been using a publically accessible calendar service to transmit ePHI to employees’ private email accounts. This violation would have been avoidable, had the offender known the use of such technologies by a medical practice is prohibited under HIPAA.
Small and medium practices, big responsibilities
Keeping on top of HIPAA compliance, alongside the many other regulatory constraints that come with managing a busy medical practice, is a challenge for any organization, but small and medium practices typically have fewer resources and less budget to manage and mitigate risks effectively in-house, so the challenge is larger than most.
Managing a full-time HIPAA compliance program, for example, is simply not feasible for most small organizations, as they are unlikely to have staff members who possess the necessary skills to lead a team in promoting HIPAA best practices, as well as undertaking risk assessments and so on. As such, all responsibility lands with the medical staff, who must assume dual roles; as both clinicians, and compliance experts. While it could be argued that every medical professional should be well versed in HIPAA compliance anyway, the reality is not all are, and this presents major security and privacy risks.
The good news is, there are some relatively easy steps small- and medium-sized practices can take to significantly minimize the risk of a HIPAA breach occurring, that don’t require any major financial investment. While the following points are not a definitive list of HIPAA requirements, they should provide a good starting point.
Start with the basics and build up
HIPAA is complex and often overwhelming, but there’s no point worrying about the small details if the fundamentals are not in place. Organizations must ensure that all staff are familiar with the following key areas of HIPAA:
Why HIPAA exists and who it covers
Key requirements under the HIPAA Privacy Rule, the Security Rule and the Breach Notification Rule
Protected Health Information (PHI/ePHI) and the key personal identifiers
HIPAA enforcement and the consequences of noncompliance
Their responsibilities as an individual within the organization
Many hospitals, clinics and healthcare organizations today talk about going paperless. In fact, according to a November 2016 research report from IDC, more than 40 percent of healthcare organizations report that they have a paper-reduction initiative in place.
Yet even hospitals that have achieved late-stage meaningful use status still receive and process high volumes of paper. This is especially true for important printing workflows, such as medical records, administrative files, admissions documents, prescriptions and pharmacy information. According to a recent survey by HIMSS Analytics, commissioned by Nuance, 90 percent of survey respondents reported some clinicians still use paper-based documents.
There is no escaping that healthcare organizations are committed to paper, at least for the short-term future. For instance, the IDC study found print volumes are expected to remain flat for the next two years, before beginning to decline after that time period.
When you consider that this amount of paper is expensive (both in terms of actual printing costs as well as overall document management processes), hard to track, and poses serious security and compliance risks, you may wonder why so many healthcare organizations continue to rely on paper.
To help answer the question, we’ll take a closer look at the reasons cited in the IDC report. We’ll also offer a few best practices any healthcare organization can follow now to reduce its reliance on paper to address the challenges posed by manual or paper-based workflows.
Why Paper Use Continues
According to the IDC report, the top reasons hospitals, clinics and healthcare organizations continue to use paper include incompatible document management systems or technology. This issue is most notable between the organization and outside facilities, leaving default paper processes as the best workaround.
Another reason is that many workflows still require paper documentation, most notably patient check-in/belongings forms, records requiring signatures, consent forms and more. Additionally, the majority of prescriptions and pharmacy records are still paper-based. For example, only 10 percent of responding hospitals indicated that prescriptions were electronic.
Lastly, healthcare organizations are large-scale consumers of fax technology. Hospitals report that many still receive and send up to 1,000 pages per month by fax. Interestingly, these hospitals report that while faxing may be an antiquated technology, many are behind in implementing new technology and must continue to focus on what works for them.
The handling and sharing of medical records is a critical and sensitive issue, and one that affects millions of providers, patients and payers every day. According to the Center for Disease Control and Prevention, Americans alone make more than a billion visits to doctors’ offices, clinics and hospitals annually, so one can only imagine how often medical records exchange hands between patients, physicians, specialists, healthcare organizations and their staff.
Test results, images, medical and billing history and other related information continue to be mailed, faxed and—more commonly—emailed between interested parties. Email is the most popular of these options because it combines the wide accessibility of snail mail with the immediacy of fax transmission. But email as a means of sharing sensitive healthcare data lacks in three critical areas: security, regulatory compliance and working with large files.
Security, privacy and protection
Gaps in email security should have doctors and patients sweating bullets any time they attach medical information to an email and hover their cursor over the “send” button.
The overarching problem lies in the encryption, or lack thereof. Like CDs and popular online sharing services, medical records transmitted via email are generally unencrypted. This is the case not only in transit, but also when they sit on the servers of the email providers. Thus, sensitive medical information lies vulnerable at all times.
Exchanging records by email means exposing patients’ personal information and their entire medical histories to a nefarious underworld of hackers seeking to exploit such information. It may include the most personal and private information, from social security numbers to diagnoses for chronic illnesses. Should information get in the wrong hands, there’s no predicting the extent and impact of the consequences.