Data security in the healthcare industry is vital. Healthcare practices must ensure the privacy and security of protected health information (PHI) and electronic protected health information (ePHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA), and they may face punitive consequences if they don’t.
Appropriate data security can be difficult to achieve. HIPAA requirements are complicated, compliance is time-consuming, and small practices (those with fewer than 20 employees) have few resources to deal with tangled technical issues. They may have only one or two IT staff, who are hard-pressed to keep up with the constant software and hardware updates that compliance requires while working under budget restrictions. Or they may have no internal IT staff at all, leaving the practice manager to handle every aspect of HIPAA compliance. And with recent updates to HIPAA data security regulations, some small practices have found it difficult to adapt.
Nevertheless, small practices must take on these challenges. Otherwise, the consequences can be toxic to their bottom line and their reputation.
This paper outlines HIPAA security requirements as of March 2015; consequences for noncompliance; compliance challenges faced by small healthcare practices; and ways ShareFile can help support them.
First passed in 1996, HIPAA is legislation intended to protect patients’ rights regarding their access to their PHI and to ensure its privacy and security.
Covered entities and business associates
HIPAA applies to covered entities: health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically, which includes small healthcare practices.
HIPAA also applies to business associates: outside persons or businesses that create, receive, maintain or transmit PHI on a covered entity's behalf in order to help it carry out its healthcare functions. If you engage a business associate as defined by HIPAA, you must sign a business associate agreement (BAA) with them. The agreement obligates the business associate to comply with the HIPAA provisions that apply to its dealings with you.
As a small practice, you probably need outside technical support, data management or both. These are usually relationships with a business associate as defined by HIPAA. For example, if you upload PHI to cloud-based storage, the service you use hosts that data on its own servers. That makes it your business associate, so it must be able and willing to uphold HIPAA data security standards on your behalf, and you need a BAA in place before any PHI goes there.
The HIPAA rules
HIPAA regulations comprise four rules. The Privacy Rule limits how PHI may be used and disclosed and gives patients rights over their records, including the right to access them. The Breach Notification Rule sets out the procedures to follow if PHI is disclosed in an unauthorized manner, and the Enforcement Rule sets out the penalties for violations. Finally, the Security Rule regulates one category of information covered by the Privacy Rule: PHI created, received, stored or transmitted in electronic form, or ePHI.
The Security Rule
The Security Rule sets data security standards for the creation, storage, sharing and transmission of ePHI. It is scalable: which safeguards are reasonable depends on your practice's size, resources and risks, and its implementation specifications are either required or addressable. A practice must implement an addressable specification (encryption, for example) where doing so is reasonable and appropriate, and otherwise document why it is not and implement an equivalent alternative measure where one is reasonable. Every practice, regardless of size, must ensure the confidentiality, integrity and availability of all the ePHI it creates, receives, maintains or transmits; protect it against reasonably anticipated threats and impermissible uses or disclosures; and ensure that its workforce complies with the Rule, which includes training employees.
The Security Rule also requires each covered entity to designate a security official who is responsible for developing and implementing its security policies and procedures. Someone in your practice must be primarily responsible for securing your data. If he or she is the practice administrator, then Security Rule compliance is one more task on an endless list, and it's easy for it to slip through the cracks.
The HITECH Act and the Omnibus Rule
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act, changed HIPAA's requirements for health information technology. The Omnibus Rule, issued by the Department of Health and Human Services in 2013, finalized the HITECH Act's provisions. Together they set more stringent standards for securing ePHI, made business associates directly liable for complying with the Security Rule, and imposed more severe penalties for disclosures than HIPAA originally included.
Some practices haven’t caught up to these provisions and may not be vigilant about their compliance. If you’re one of them, you need to take a very close look at your data security.
Most HIPAA noncompliance cases in the news involve national companies, government investigations and million-dollar fines. As a small practice, you may believe you won't face the same kind of scrutiny or incur such hefty costs.
Think again. Even a small reported violation can prompt a compliance review by the Office for Civil Rights (OCR), the part of the Department of Health and Human Services that investigates HIPAA complaints. If someone in your waiting room can see part of the computer screens at your front desk, you are displaying PHI. A receptionist who calls a patient's home and leaves a voicemail despite instructions not to do so has disclosed PHI.
Data security mistakes are just as easy to make. An employee who addresses an email containing PHI to the wrong person, or who sends it unencrypted from a personal mobile phone over a network the practice doesn't control, could be violating the Security Rule.
These little slipups can result in big consequences if the OCR scrutinizes your practice and finds either your privacy protocols or your data security wanting.
In 2013, the OCR received 14,300 complaints of HIPAA violations. It investigated 4,463 of them, and 3,470 of those resulted in corrective action. So if fewer than a quarter of complaints ended in enforcement, your practice is relatively unlikely to face review, right?
Not necessarily. According to the OCR's published enforcement data, private practices are the most common type of covered entity investigated for HIPAA violations and required to take corrective action. By that metric, your small practice is more likely to be investigated than the big companies in the news.
Why else should you worry about HIPAA investigations?
• Being investigated hurts your reputation, regardless of the outcome. No practice wants its name associated with a HIPAA investigation.
• The OCR can conduct random compliance reviews of any covered entity. Your practice can be investigated whether or not anyone has filed a complaint.
• The number of cases the OCR handles is likely to keep increasing. In 2003, the OCR received 1,516 HIPAA complaints. Now it receives almost 10 times that many annually, with no sign of slowing down.
A noncompliant practice faces widely varying disciplinary action. You might receive a notice from the OCR along with technical assistance on supplementing or altering your security practices. Or you could face a fine large enough to drive your practice into the red, or even out of business.
HITECH uses a tiered penalty system based on the violator's culpability. It distinguishes violations the practice did not know about (and could not reasonably have known about) from those due to reasonable cause and from willful neglect, whether or not it was corrected, and penalties scale with the number of violations. An accidental disclosure of PHI in a single email is therefore treated very differently from a large-scale breach exposing thousands of medical records.
For a small practice whose potential HIPAA violations are likely to be unknowing and accidental, that's good news. The bad news is that HITECH increased fines. Before HITECH, a single HIPAA violation carried a maximum fine of $100. Now even an unknowing violation can draw a fine of up to $50,000, and the cap for violations of a single provision in one calendar year is a robust $1.5 million.
HIPAA regulations are challenging to uphold. Small practices have many issues to consider.
The complexity of HIPAA requirements thwarts small practices' efforts. You have only a few people, maybe just one person, responsible for ensuring compliance with an extremely detailed law. It's very easy to miss something.
Changing technology is an IT or practice manager's biggest compliance headache. There are many ways to exchange electronic files from a mobile device (email, file-sharing services, even text messages), and busy doctors and administrators use all of them.
Under the Security Rule, ePHI stored on or sent from these devices must be safeguarded just like ePHI anywhere else, and the Rule's device and media controls, access controls and addressable encryption specifications apply to them. In practice that means knowing which devices hold ePHI, enabling their encryption and screen-lock features, being able to wipe a lost or stolen device, and monitoring them on an ongoing basis rather than configuring them once. Does everyone in your practice know that? If a physician receives a patient chart by unencrypted email on a new iPad, you could be in violation of HIPAA.
Then there are Electronic Health Record (EHR) systems. Records management is of the utmost importance to your practice's HIPAA compliance: records must be retrievable at any time, perhaps years after the fact. EHR systems also differ among practices, and transferring records between them can be difficult or impossible. Administrators often fall back on familiar but inefficient methods like email to transfer files, and those methods can cause problems under HIPAA.
Compliance takes a lot of time. In addition to learning HIPAA regulations, understanding their relationship to your technology, and monitoring and updating your technology, you also have to conduct lengthy training.
Under the Security Rule, the whole staff in a healthcare practice must be trained to follow security guidelines — doctors included. You also have to re-train them every time you change a recordkeeping or communication process.
Obviously, doctors hate taking time away from patient care, and you fall behind in your other duties when you organize and conduct trainings. So you may stick to your old records management systems, even if they don't satisfy HIPAA, because they're faster and seem to cause less hassle.
But if a paper record has to be made electronic, someone has to scan it or key it in. If emailing a document isn't secure, someone has to fax it and follow up with a phone call, or send it by courier. If one office's EHR can't talk to another's, someone must work out the problem and transfer the records between them. All of this takes time that a busy office manager doesn't have, and it costs your practice money too.
File-sharing that supports your needs
Citrix ShareFile is a cloud-based file-sharing service built specifically for business needs. It provides a simple, fast, secure way to store and exchange sensitive files. You can transfer large files such as CT scans and X-rays and share them with multiple end users both within and outside your organization, over public or private networks. So you can exchange files securely, by emailing a link rather than an attachment, with imaging and surgical centers, referring physicians, patients and others, all in a way that supports your HIPAA compliance.
Most importantly, ShareFile updated its network and security architecture to keep up with the changes implemented in 2013 under the Omnibus Rule. The result is a service built specifically for the healthcare industry: the ShareFile Cloud for Healthcare.
The ShareFile Cloud for Healthcare stores and transfers ePHI with strong security controls and supports HIPAA compliance. The service can help you deal with complicated regulations, enable better communication within your organization and with patients, reduce your technology headaches and save you valuable time. As with any business associate, though, you still need a signed business associate agreement with the provider, and the safeguards on your side (who may access which folders, which devices are used, and how staff are trained) remain your responsibility.
ShareFile also offers an intuitive, familiar file-folder layout and 24/7 onboarding support. With ShareFile, you don't waste time setting up new end users or configuring security protocols. Transferring files is just as easy, even by email: ShareFile lets you email a secure link to the document you want to share instead of attaching the document itself. Onboarding specialists spend as much time as it takes to train you, so that you can spend as little time as possible training your staff.
Using ShareFile means you spend less time scanning and faxing documents and following up by phone. You get a more streamlined document-transfer process that eases your paperwork burden while supporting your HIPAA compliance.
To ensure your patients’ good health, maintain the health of your practice. A HIPAA violation can bottom out your bottom line, damage your reputation and even force you to close your doors.
For more information on the Citrix ShareFile Cloud for Healthcare, call 1-800-441-3453 or visit ShareFile for Healthcare.