Protecting Personal Health Information

Healthcare HIPAA Challenges 2021

Healthcare professionals are well aware of the unique circumstances faced by hospitals and healthcare providers over the past 11 months. In addition to the COVID-19 pandemic itself, testing procedures, tracking transmission of the virus, patient care, concern for frontline workers, and the need for shared information dominated thoughts and actions. Telemedicine became the norm whenever possible. The media became heavily invested in this pandemic. Patients themselves became more aware of their rights with regard to personal health information (PHI), in addition to gaps in their healthcare coverage. HIPAA became a mainstream addition to healthcare vocabulary. HIPAA compliance and cybersecurity moved front and center in executives' minds as well. Several of the challenges for 2021 include the following:


The coronavirus, the pandemic, vaccination research, its supply and distribution amid a national election became big news covered by every media outlet in what seemed like a 24/7 news loop. With all that came the question ‘is the media bound by HIPAA?’ The short answer is ‘no.’

The health and diagnosis of every individual is fundamentally personal, and HIPAA defines it as deeply private and protected. Journalists are not restricted by HIPAA guidelines. They can and do ask people for personal and private information; that is the nature of their job. Journalists are free to interview anyone they choose. If they obtain privileged information from a healthcare worker, the worker is bound by HIPAA and subject to possible violation sanctions, but the journalist is not. The media’s business is putting forth information. The Society of Professional Journalists’ code of ethics states that ethical journalism “strives to ensure the free exchange of information that is accurate, fair and thorough.” Whether every media outlet or individual abided by this statement is open to debate. The fact remains that this pandemic has been big business for the worldwide media, HIPAA notwithstanding. This raises the question of whether the media should be bound by HIPAA, but the fact is, however much healthcare would prefer it, at this point they are not. Leaks are inevitable, and individuals are hard pressed to resist the lure of an interview. At the very least, healthcare executives and managers need to provide assistance, training and guidelines for dealing with the media.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been in effect in its current form since 2003. Much has changed since then. Is it time for an update? In an effort to eliminate confusion, clarify misunderstandings and streamline procedures, changes to the rule were put forth by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) at the end of the outgoing administration. Then-HHS Secretary Alex Azar said the new changes “would break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long.” It remains to be seen whether this proposal will be implemented under the new administration.

The proposed changes are designed to expand individuals’ right to access their digital health information and to increase information sharing across the care continuum in order to benefit overall case management. They would also free up the discussions allowed during health crises, from the recent pandemic to individual opioid overdoses. The new rule would add definitions for ‘electronic health records’ and ‘personal health application.’ It recommends changing the standard for disclosure of personal health information from ‘professional judgement’ to ‘good faith belief.’ The OCR acknowledges this is more permissive than was formerly the case. It also suggests eliminating the requirement for the patient’s written acknowledgement of receipt of the Notice of Privacy Practices. At the time of this writing, the changes are still pending.


Covid-19 did not change the compliance requirements for HIPAA, although the OCR relaxed them a bit with respect to health information sharing. Just as the rest of the world is starting to approach some form of normalcy, strict enforcement of the Act is returning. Fines resulting from violations will return too. The backlog of HIPAA violations is resolving. The city of New Haven, CT was recently assessed a penalty in excess of $200K following a security breach involving private health information for approximately 500 people. This incident illustrates the vulnerability of many health security systems. A terminated employee returned to the city’s Health Department and was able to log on to her old computer. She downloaded this information onto a USB drive and shared her credentials with an intern. This was an internal breach by a formerly trusted employee. OCR Director Roger Severino stated, “medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.” As recently as January 15, 2021, the Lifetime Healthcare Companies agreed to pay $5.1 million to the OCR and HHS following a security breach involving private health information for approximately 9.3 million people. These compliance issues lead right into the next challenge for 2021.


In the past, many healthcare facilities unfortunately followed the ‘pay a fine, make a compliance plan, regret not doing it in the first place’ route. This will no longer work in today’s technological world. It is not a matter of if a data breach will occur, but when. Types of attacks can include ransomware, phishing (sending fake e-mails to lure people into revealing private information), equipment theft or loss, unauthorized access (see above), insider threats, or security failures.

In a survey of 2500 security professionals, 73% feel unprepared and 96% of these believe data hackers are 3 steps ahead of their security measures at any given time. The business of the hospital as well as patients themselves are at risk for things like identity theft and PHI exposure. Covid-19 brought these risks, and the risk of scams, closer with demands for products like masks, other PPE, toilet paper and even vitamins. Hackers used online orders for these as entry points into a given system. Other important issues developed with the increase in remote workers. With 90% of healthcare and hospital employees reporting little to no guidance in setting up secure home offices, cyber thieves just had to lie in wait.

Identifying risk factors, closing any gaps, and having a HIPAA Incident Response Plan and an Information Technology Response Team in place are essential. Expect a breach to happen, and count on it occurring at the worst possible time. Unfortunately, cybersecurity measures are often taken reactively, after the fact, rather than proactively when informed decisions can be made. Detailed blueprints are available online that spell out the roles and responsibilities, the who, what, how and when, necessary for Incident Response Teams. They also discuss methods to review, adapt, learn and recover from a data breach.

For many people, this year has been filled with hardship, worry, uncertainty, sadness, loss and illness. We’ve grappled with racial injustice in our nation, unrest in our communities, canceled plans, social distancing, anxiousness and isolation. Preparing as much as we can for situations we know will occur makes even more sense in light of this.

At NHS Solutions, our team remains ready and able to meet these needs with our pool of qualified interim healthcare leaders. Contact us to discuss your organization’s needs or to speak with our recruiting team about your next career move as an interim nurse leader.
