A Survey of The Current HIPAA Landscape
Maybe it’s due to the next round of audits now underway, or maybe it’s because we’re learning more about what MACRA may mean for all of us, or maybe because it’s an election year. Regardless of the reason, there are a number of recent articles and blog posts that specifically focus on HIPAA compliance and responsibility. Here are some of the biggest takeaways we have from all of the recent discussions.
Providers are ultimately responsible for HIPAA compliance.
It’s a bit of a scary article, to be honest, but a recent post on HealthITSecurity.com takes on the question of who ultimately carries responsibility for HIPAA compliance.
The article (http://healthitsecurity.com/news/does-hipaa-compliance-give-a-false-sense-of-security), written by Adam Stern, the CEO of a cloud hosting provider, looks at cyber attacks through the lens of HIPAA compliance.
The key takeaways? HIPAA compliance is extremely important, yet the rules say very little about how to achieve it with technology. This isn’t new information; it has been true since HIPAA was first implemented. The Security Rule is deliberately technology-neutral: it lists the safeguards a covered entity must have (and the ones it must at least evaluate) but names no products, protocols or configurations, so the provider has to work out for itself what “secure” looks like in practice.
The point Stern is ultimately making is that, because of this ambiguity, the healthcare provider remains responsible for securing protected health information (PHI), not any third-party platform or vendor with a business associate agreement (BAA). A BAA makes the vendor liable for its own obligations, but it does not shift the covered entity’s responsibility onto the vendor.
“No one forces any provider to submit to a HIPAA audit,” Stern writes. “For many (I’d say too many), the ‘business associate agreement’ loophole is big enough to drive an ambulance through.”
So, Stern’s recommendation is to thoroughly vet all vendors, especially ones that handle sensitive information. A signed BAA is a contract, not evidence of controls; the vetting has to establish what the vendor actually does to protect the data it holds for you.
Email encryption is really, really important.
If you haven’t yet given thought to investing in an encrypted email system, now is the time to do so. That’s one of the big takeaways from Jean Wendland Porter’s recent article in McKnight’s (http://www.mcknights.com/guest-columns/hipaa-and-ehealth-avoiding-problems/article/494657/).
Porter, a physical therapist in Ohio, details some of the common pitfalls when it comes to HIPAA compliance within a provider’s office, and one of the biggest is email.
“Sending a non-encrypted email that says ‘We sent your insulin prescription to your drug store’ has violated HIPAA, because the medication information plus an email address is considered PHI,” she writes. Porter’s answer is a fully encrypted email solution. And even then, she writes, you have to be careful with how you compose the email: information in the subject line or in the file name of an attachment isn’t encrypted and could itself be a HIPAA violation. The subject line is a message header, and every common scheme (S/MIME, PGP/MIME and most gateway products) leaves it in the clear so that mail servers can route and display the message. Whether attachment file names are protected depends on the product, so the safe assumption is that they are not: keep subjects generic (“Message from your clinic”) and keep anything identifying out of file names.
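The following Python script is an added example, not code from the original article or from Porter. It models two ways a clinic’s outgoing message might be encrypted, the PGP/MIME structure from RFC 3156 and a hypothetical gateway that encrypts only the body text, and then lists what a mail relay can still read without the recipient’s key. The sample message, the PHI keyword list and the ciphertext placeholder are all constructed for the example; `fake_encrypt` stands in for a real OpenPGP or S/MIME call and performs no encryption.

```python
"""Which parts of an 'encrypted' email are still readable in transit?

Added example. Builds a sample clinic message, wraps it two ways, and reports
the fields that remain cleartext. Nothing here performs real encryption.
"""
import re
from email import encoders
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Stand-in for real OpenPGP output. NOT encryption: it only marks where the
# ciphertext would sit so the surrounding MIME structure can be inspected.
PLACEHOLDER_CIPHERTEXT = (
    b"-----BEGIN PGP MESSAGE-----\n[ciphertext placeholder]\n-----END PGP MESSAGE-----\n"
)

# Constructed list of words that should never appear in a cleartext subject.
PHI_HINTS = re.compile(r"\b(prescription|insulin|diagnosis|rx|lab results?)\b", re.I)


def fake_encrypt(plaintext: bytes) -> bytes:
    """Placeholder for a real OpenPGP/S/MIME call; discards the plaintext."""
    del plaintext
    return PLACEHOLDER_CIPHERTEXT


def build_inner_message() -> EmailMessage:
    """The message as the sender composes it (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = "patient@example.com"
    msg["Subject"] = "Your insulin prescription was sent to the pharmacy"
    msg.set_content("Hi, we sent your insulin prescription to your drug store.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="insulin-rx-2016.pdf")
    return msg


def _copy_envelope_headers(src, dst):
    # From/To/Subject are transport headers: every common scheme leaves them
    # in the clear so relays can route the message and clients can list it.
    for name in ("From", "To", "Subject"):
        dst[name] = str(src[name])


def wrap_pgp_mime(inner: EmailMessage) -> MIMEMultipart:
    """PGP/MIME (RFC 3156): the whole inner message, attachments included,
    becomes one opaque application/octet-stream part."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    _copy_envelope_headers(inner, outer)
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    payload = MIMEApplication(fake_encrypt(inner.as_bytes()), "octet-stream")
    outer.attach(control)
    outer.attach(payload)
    return outer


def encrypt_body_only(inner: EmailMessage) -> MIMEMultipart:
    """Hypothetical gateway that encrypts only the body text and re-attaches
    files beside it, leaving their names in Content-Disposition."""
    outer = MIMEMultipart("mixed")
    _copy_envelope_headers(inner, outer)
    body_text = inner.get_body().get_content().encode()
    outer.attach(MIMEApplication(fake_encrypt(body_text), "octet-stream"))
    for att in inner.iter_attachments():
        name = att.get_filename()
        copy = MIMEApplication(att.get_payload(decode=True),
                               att.get_content_subtype(), name=name)
        copy.add_header("Content-Disposition", "attachment", filename=name)
        outer.attach(copy)
    return outer


def exposed_fields(outer) -> dict:
    """Everything readable without the recipient's key: the subject header
    plus any file name carried outside the encrypted payload."""
    filenames = [p.get_filename() for p in outer.walk()
                 if not p.is_multipart() and p.get_filename()]
    return {"Subject": str(outer["Subject"]), "filenames": filenames}


def subject_is_safe(outer) -> bool:
    """Pre-send check: refuse subjects that look like they carry PHI."""
    return PHI_HINTS.search(str(outer["Subject"] or "")) is None


if __name__ == "__main__":
    inner = build_inner_message()
    for label, msg in (("PGP/MIME", wrap_pgp_mime(inner)),
                       ("body-only gateway", encrypt_body_only(inner))):
        print(label, exposed_fields(msg), "subject safe:", subject_is_safe(msg))
```

Run it and both variants report the same cleartext subject, which is exactly the string Porter’s example would put there; only the body-only gateway also exposes the attachment name. The `subject_is_safe` check is the kind of guard to put in front of whatever sends mail on the practice’s behalf, so that a subject written by a busy front desk never ships with a medication name in it.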
The location of your fax machine matters.
This is one that probably hasn’t crossed many minds, but it’s something Porter also addresses. Faxing is still an extremely prevalent way of exchanging information in many areas of the country, and it is not a violation in itself; what matters is where the receiving machine sits and who can pick up what comes out of it. A fax that lands in a shared hallway is PHI left where anyone passing by can read it.
“If the fax is in a public area that’s frequented by others who are not privy to PHI, you can’t (fax information securely),” she writes. “If it’s a private fax in an office, accessible only to those who provide care, yes you can.”
So, remember to be vigilant. Vet your cloud vendors carefully. Give serious thought to encrypted email, if you’re not already using it, and keep PHI out of subject lines and file names even then. And know the location of any fax machine you’re sending information to or receiving it from.