Posted: January 23, 2018

I remember my children having nightmares. Middle-of-the-night wake up calls held scary tales of dragons, giant bugs, and other fantastical monsters. To them, these forces were real and worrisome. But to me, I knew how to handle their concerns, assure them I would always protect them. Keeping them safe, from dangers real or imagined, has always been my priority.

But for large organizations — hospitals and healthcare systems in particular — the scary monsters keeping you up at night are all too real. Hacking, security breaches, and improper handling of PHI are major concerns and have caused true issues and financial consequences for organizations who have fallen prey to malicious forces. Having patient, HIPAA-covered data stolen or even accidentally released is something healthcare organizations need to put continual effort into avoiding.

In order to protect your organization and its sensitive data, you need to understand the rules of PHI.

A Department of Health and Human Services (HHS) statement pointed out that access to electronic PHI must be restricted to only authorized users, including affiliated office staff. Further, covered entities must implement audit controls and regularly review audit logs to help prevent hackers or “malevolent insiders" from covering their tracks and to prevent breaches before they happen.

Scope of the challenge
All covered entities, such as providers, health plans, and clearinghouses (and their business associates), must comply with HIPAA requirements to protect the privacy and security of health information.

They're up against steep odds. Roughly one-quarter of U.S. consumers have had their healthcare data stolen from technology systems, with the highest percentage of breaches occurring at hospitals, urgent care clinics, and pharmacies.

And it's an exorbitantly expensive problem. Data breaches cost healthcare organizations $380 per record, more than 2.5 times the average across industries. When medical identity theft happens, consumers take a financial hit, too. Unlike credit card cases, in which account holders' responsibility generally maxes out at $50, almost two-thirds of medical identity theft victims suffer out-of-pocket costs averaging $13,500.

PHI responsibilities
HIPAA's Privacy and Security rules specifically detail what must be done to keep electronic PHI secure. Organizations bound by the rules are required to:

  • Follow stipulations about who can view, receive, and share PHI;
  • Use and share PHI only to the minimum extent necessary amount needed to accomplish their intended purpose;
  • Establish agreements with service providers to ensure that they only use and share PHI according to the law;
  • Institute procedures to limit who can access PHI and implement training programs for employees about how to protect PHI; and
  • Put in place administrative, technical, and physical safeguards to protect PHI.

It's important to note that technology-based solutions alone can't ensure HIPAA compliance — even if they meet standards established by the regulations. Software designers typically focus on building in physical and technical safeguards that meet specific criteria of the Security Rule such as access control or encryption, but administrative controls like regular reviews of access data or periodic security assessments must also be conducted.

Professionals using such systems in their day-to-day activities bear ultimate responsibility for maintaining HIPAA compliance — which leads to some still-evolving considerations.

The state of PHI
Today's healthcare practice needs to connect with patients in ways not imagined when HIPAA was framed and adopted. Patients expect electronic communications, sometimes directly with providers, but at a minimum with the business side of the practice via email, apps, or online forms.

At the top layer, all employees who interact with PHI should be trained on appropriate and authorized access and use of such data, as well as the ramifications for mishandling it.

Overall, anyone who touches PHI must protect it, advises security analyst Brand Barney. “Employees have a serious moral responsibility to both their employer and to their patients to keep health data secure," he emphasizes.

Additionally, employees should understand when certain data, such as marketing identifiers collected via email, would be considered PHI. Your compliance department should be your guide to the law.

“The relationship with health information is fundamental," explains the Department of Health and Human Services. “If [identifying] information was listed with health condition, health care provision, or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI."

HIPAA encompasses aspects of human and technical compliance to help guard against breaches and unplanned disclosures of PHI.

Want to learn more about effective healthcare digital marketing within HIPAA's confines? Read our post on how to vet your website vendor for security structure and practices.