The world has changed a lot over the past two years. The Covid-19 pandemic forced a rapid transition to a remote way of life. The healthcare industry is one particular industry that faced an overnight transformation due to the pandemic. People were no longer able to see their doctors in person, forcing both patients and health care providers to rapidly adapt to the new normal. Although evolving technology has helped make the transition to digital healthcare more efficient, it also introduces a new set of HIPAA compliance challenges.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by the Department of Health and Human Services in 1999 to protect personal health information (PHI) and to give people control over their healthcare records. HIPAA was updated to account for changes in technology with the HITECH Act in 2009 and the HIPAA omnibus rule in 2013. However, the world in 2022 looks a lot different than it did nearly 10 years ago.
HIPAA’s two main rules are the privacy and security rules. The privacy rule defines PHI and outlines when it can be used and disclosed. The security rule creates standards for protecting PHI and ensures that companies use appropriate security controls to keep unauthorized parties from accessing patient data. Failure to comply with either of these rules can lead to fines and potential jail time depending on the nature of the violation. The pandemic and subsequent changes in the way people work have made HIPAA compliance significantly more complicated in the past two years. Here is how HIPAA compliance and data protection have become more difficult in recent times.
Telehealth and telemedicine services became significantly more popular during the pandemic when people were unable to receive care in person due to the risk of transmitting or catching Covid. In fact, the Department of Health and Human Services found a 63-fold increase in telehealth utilization during the pandemic! This means that more sensitive healthcare data is transmitted than in the past.
Doctor's visits, follow-ups, and other routine healthcare operations are frequently conducted via phone or video conference instead of in person. Even as restrictions have loosened, many people are choosing to stick to virtual healthcare instead of reverting to traditional methods. It is easier and more cost-effective to set up a video call instead of an in-person appointment in many situations. Telehealth is here to stay and creates a new set of challenges for HIPAA compliance.
In the old days protecting patients’ privacy meant clinicians had to keep their voices low when discussing PHI and lock up any file cabinets containing medical records. Now with the increase in telehealth services protecting patient privacy looks very different. Video channels where people converse with their physicians must be secured. People must be able to upload images of conditions that are affecting their wellbeing without them being stolen in transit. Electronic medical records store the vast majority of people's protected health information. In general, telemedicine has rapidly increased the amount and variety of digital healthcare data that must be protected.
Remote work grew exponentially following the onset of the pandemic, and there are many reasons to believe that remote work is here to stay. Research from Owl Labs found that over 80% of remote workers want to stay remote after the pandemic is over. The vast majority of remote workers believe they are happier and more productive when working from home. There is also a business case for remote work since companies don’t need to pay for office space and happy employees are more effective workers.
One interesting takeaway from that report is that healthcare was one of the industries with the largest percentage of remote workers after the pandemic started. On top of people working in health systems, there are a number of health-tech companies that are required to abide by HIPAA. This health-tech industry has been steadily growing for a long time, but has skyrocketed in the past two years. Many teams in these industries are using Slack, Teams, and other collaboration software to work effectively without having to go in person. This means that their device security must be up to par before they can work with patient data.
Beyond securing end-user devices, organizations using remote work tools like Slack or Teams to discuss, store, or transmit PHI have to follow certain rules to avoid violating HIPAA. These rules include following specific security measures and implementing procedures such as never communicating with patients via Slack. We have written a guide to setting up Slack to be HIPAA compliant. It’s important to note that setting up software to allow compliant communications is not the same as utilizing it in a compliant manner. In general, the switch to remote work has complicated HIPAA compliance for traditional healthcare organizations and the new era of health-tech companies. All remote workers must be aware of their obligations in maintaining HIPAA compliance when creating, discussing, or transmitting PHI.
Another way HIPAA compliance is tricker today is the transition to cloud-based vs on-premise services. Most companies today utilize a variety of software as a service (SaaS) applications to carry out a variety of functions. For example, cloud databases running on platforms like Amazon Web Services (AWS) have replaced many hard drive configurations. Cloud-based security services have made on-premise network security less relevant than before. Physical safeguards are not as relevant as protecting mobile devices and having security measures such as multi factor authentication for accounts that can access PHI.
Every SaaS tool a covered entity or business associate uses represents another organization they have to work with to ensure compliance. Covered entities may find themselves signing hundreds of business associate agreements (BAA) in order to fully encapsulate their network of trust. Many business associates will have their own BAA’s with subcontractors, creating a complex situation for handling roles and liabilities for handling PHI. Companies should also conduct regular risk assessments to see if their tools are as secure as they think. Although using tools creates these additional risk analysis challenges, they also allow your company to work more efficiently.
Many of these SaaS tools are built to automate workflows. Understanding how these automations are operating and evaluating processes for potential risks to PHI is essential to ensuring HIPAA compliance. A workflow that could automatically disclose sensitive data without authorization must be adjusted to avoid such a scenario. The increase in SaaS tools was happening before the pandemic, but remote work has only sped up the process.
Health information used to be restricted to clinicians, but personal well-being has become more of a priority for many people. Research has found that people are taking more control of their health than ever before. Whether it is beginning to exercise, engaging in preventative care, or focusing on mental health; people want to be in charge of their own well-being.
One way individuals are taking ownership of their health is by using apps and fitness trackers such as MyFitnessPal and Fitbit. These platforms collect tons of user data, and traditionally were not considered covered entities or business associates. However, the FTC has recently required wearable device makers to comply with its breach notification rules. Although this is not directly applicable to HIPAA compliance, it is still very similar to the HIPAA breach notification rule and requires updating policies and procedures.
Another way patients want more control of their health is being able to access their medical records from their personal devices. People want to be able to read their diagnoses, understand their doctors recommendations, and move documents between practices with convenience. Balancing accessibility and security for medical records is tricky. Many companies will use patient portals to store PHI while others will simply require consent to send unsecured PHI. The shift to people wanting more involvement in their health is great for personal wellbeing, but significantly complicates HIPAA compliance.
The final and arguably most important reason complying with HIPAA is becoming increasingly difficult is the general increase in cybersecurity threats. 2021 had the largest number of healthcare data breaches on record, and that number is likely to continue to grow as the amount of healthcare information stored online continues to increase.
Healthcare information is worth up to $250 per record on the dark web, nearly 50 times more than the next most valuable type of information. There is a clear financial incentive for hackers to target healthcare information, but there is also a clear financial incentive for companies to protect data. HHS fines for a HIPAA violation can add up to millions of dollars! A data breach also erodes customer trust and preventing them should be a top priority for any healthcare organization. Preventing breaches should always be a top priority for healthcare organizations, but the increase in breach attempts makes it even more critical than in the past.
HIPAA compliance is more difficult than ever before, but companies can take steps to protect themselves from violating HIPAA. One of the best ways an organization can maintain compliance is by keeping its employee training up to date on common challenges the organization deals with when protecting its patient's data. Haekka’s training catalog includes courses on many aspects of HIPAA compliance. Some of the lessons in said courses cover cloud providers and subcontractors, messaging and HIPAA, and data security on personal devices. The courses and lessons are periodically updated to reflect the world’s changing security landscape.
Outdated training can not protect you against modern threats. The evolving healthcare landscape combined with rapid technological advancements means that what once worked is not effective anymore. Haekka’s training platform is integrated into Slack to meet employees where they do real work. Training in the context of work increases employee engagement and retention rates. To find out more about how Haekka can help your organization abide by HIPAA regulations, schedule a demo with one of our founders today!