December 9, 2022
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is designed to put patients in control of their private health information. The implicit principle is that the information belongs to them, so they have the right to say what happens to it, and above all to have confidence that those they entrust it to will not treat it as a tradable or sharable commodity.
Compliance obligations enforce the principle for healthcare organizations, and compliance is heavily dependent on holistic data governance. Get the latter right, and the former falls into place.
It may seem to be a relatively one-dimensional requirement. If a healthcare organization wishes to share personal patient data, the theory is that all it has to do is seek the consent of the patients involved, thereby ensuring that nothing untoward has happened, or will happen, to their information without their knowledge.
The reality is that securing and safeguarding this openness and transparency has several dimensions, every one of which is subject to scrutiny under HIPAA. There are also large communities of criminals with a keen interest in getting hold of this information. Being "untoward" is their mission. Treating sensitive information as a commodity is their modus operandi (MO). The rights of individual patients present no constraint to them at all; their only real concern is the quickest route to a fast buck.
In today's digital world, taking care of patients' health is the unequivocal role of healthcare organizations, and so is taking care of the data that increasingly contextualizes and facilitates that role. Big Data offers organizations the potential to improve patient outcomes, but it also adds the obligation to get every aspect of data governance right for the data that informs and drives those outcomes.
The Essential Data Health Check
The U.S. Department of Health & Human Services (HHS) provides comprehensive guidance for healthcare professionals in the light of the recognition by Congress that “advances in electronic technology could erode the privacy of health information”.
These advances evolve ceaselessly, such is the nature of technology, and so do the capabilities of cybercriminals. Healthcare organizations are expected to keep pace with all three: compliance obligations, increasingly sophisticated attack techniques, and the technology that improves the effectiveness of healthcare practice.
There's no escaping the fact that managing Big Data is a very Big Task for the healthcare industry. HIPAA is high on the agenda, but other regulations must also be taken into account. These include GDPR, the California Consumer Privacy Act (CCPA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Payment Card Industry Data Security Standard (PCI DSS). Protected Health Information (PHI) is not itself a regulation but the category of data that HIPAA and HITECH protect, and knowing where PHI lives is the common thread running through all of these obligations.
Regulations abound. That’s because data abounds. It’s everywhere in your organization. All the regulators expect of you is that you know where it is, what it is, and that it’s being stored, used, and processed in the right way. Phew. Sizeable tasks, all of them. With robust and automated solutions in place, however, they don’t necessarily have to be.
Six Key HIPAA Audits
Looking more closely at HIPAA, an internal HIPAA Audit Checklist can be downloaded from HIPAA Journal. It outlines the six annual audits and assessments that covered entities and, where indicated, business associates (BAs) need to undertake:
- Security Risk Assessment
- Privacy Standards Audit (Not required for BAs)
- HITECH Subtitle D Privacy Audit
- Security Standards Audit
- Asset And Device Audit
- Physical Site Audit
The checklist also points to the need to create remediation plans to deal with any deficiencies in the foregoing six areas and provides an invaluable audit tip: “If audited, you must provide all documentation for the past six years to auditors”.
As technology and cybercrime evolve almost non-stop, so do the scope, depth, and impact of HIPAA. On December 1, 2022, HHS issued a bulletin on the use of online tracking technologies, such as cookies, pixels, and mobile SDKs, that "collect and analyze information about how internet users are interacting with a regulated entity's website or mobile application". The bulletin's point is that the data such trackers gather can itself be PHI, so disclosing it to a tracking vendor without a business associate agreement or a valid patient authorization can be an impermissible disclosure.
Just days before that, on November 28, HHS proposed "New Protections to Increase Care Coordination and Confidentiality for Patients With Substance Use Challenges". Such additions affect healthcare organizations quickly, and the need to keep pace never wanes. It is not a one-time, one-fix deal; HHS publishes the ongoing changes on its website.
HIPAA and its compliance requirements are redefined with a regularity that would be unsettling were it not for the relief that diligent data governance provides. This much is self-evident, but it raises the question of how you establish exactly what data you hold, and where it is, before you can govern it.
Robust Compliance and How To Minimize the Task
The essential first step is to reveal and understand risk anywhere across your entire data estate. Once you have discovered and addressed the areas where you are exposed, your compliance posture is as strong as it can be.
A call from the regulators saying they would like to audit your organization should be something you welcome rather than receive with any degree of uncertainty. The regulators set the agenda. They may want to look at your data practices, your security measures, the best-practice policies in place across the digital aspects of your data, the physical assets that enable and use that data, and your organization's strict adherence to its own codes of practice; any, or all, of the foregoing.
NowPrivacy's single data discovery platform is more than a software solution; it is a holistic approach to gaining visibility across your structured and unstructured data. It is about peace of mind for your organization, for the people you serve, and for the official bodies that may examine what you are doing at just about any time they choose.
You should take a good look before they do.