By Dan Munro for Forbes
The short answer is yes ‒ many health related organizations adhere faithfully to both the letter and spirit of the healthcare legislation known as HIPAA.
The challenging answer is no ‒ many health related organizations that claim to be “HIPAA Compliant” simply aren’t.
The confusing answer is that many organizations that claim to be “HIPAA Compliant” have no such legal obligation.
Passed in 1996, HIPAA stands for Health Insurance Portability and Accountability Act and there are two “rules” that apply to healthcare entities that handle Protected Health Information (PHI).
The first is the Privacy Rule ‒ and the second is the Security Rule. These two rules work together to outline what Health and Human Services (HHS) requires as policies and procedures for handling PHI in all its forms (paper, electronic, images etc…).
The Office of Civil Rights (OCR) under HHS is chartered with enforcing HIPAA and can levy criminal and civil penalties for violations committed by either “covered entities” or their partners acting as “business associates” ‒ both of which are defined legal terms.
Why should we care? Because data breaches in healthcare are on the rise and data security in the new digital health economy is a good proxy for patient trust.
The number for 2014 ‒ 11,840,968 ‒ is really just through the end of July, but it does include the 4.5-million-record breach by CHS in August. Failure to update critical infrastructure software in a timely manner was a significant factor in the CHS breach.
Many also see this public reporting as the tip of the iceberg because it only includes breaches that are officially reported to HHS. The larger part of this iceberg could well be the amount of PHI being siphoned out of healthcare entities that are totally unaware of the breach (which can span months or even years). This 380-bed hospital is a great example of one such facility that seems unaware of the risk and doesn’t appear to be monitoring its network perimeter very effectively ‒ if at all.
HIPAA’s confusion actually started soon after its passage in 1996. As consumers, we first experienced the direct effect when providers of all stripes and sizes started demanding signatures on “HIPAA Authorization” or “HIPAA Release” forms, which were included as part of their administrative process. Sadly, the form itself is largely unnecessary because the primary need for providers to “share” our health information is around claims processing and billing, and HIPAA already allows disclosure for that exact purpose without any formal patient consent.
Arguing that exact point with the local pediatrician’s office, however, is like fighting City Hall: lots of frustration for both sides and no real progress. They can’t legally deny healthcare services for refusing to sign a HIPAA Authorization form, but is that really the best battle to have with a provider? The easy answer is no ‒ so we play the charade of ignorance (or indifference) and sign away. After about 15 years it’s so routine that it’s now accepted as a de facto standard throughout the U.S.
Since 1996 ‒ as the entire world moved online ‒ we’ve started to hear a new phrase around HIPAA called “Compliance.” As consumers we hear or see this phrase applied to all manner of healthcare apps, websites and services as if there was a certifying entity or governing body that issued HIPAA Compliant certificates like a Good Housekeeping Seal of Approval.
“There is no such thing as being ‘HIPAA Certified’ in cloud computing. Many hosting providers claim ‘HIPAA Compliance,’ but they put the burden of any audits and assessments directly on their clients. The only hard evidence of best practices around security and privacy is a third party audit that is based on HHS’ Office of Civil Rights (OCR) Audit Protocol ‒ the same audit criteria that OCR uses for their audits. For us, this is more than just adherence to legislation, it’s a part of our company culture around protecting what we know to be our customers’ most valuable assets ‒ patient information.” Mike Klein ‒ Co-CEO of Online Tech, Inc.
The same can be said of healthcare apps downloaded to smartphones and tablets. While there is no single authority or governing body for “HIPAA Compliance,” there is a rigorous and formal process for establishing best practices around privacy and security specifically for PHI data.
Implementing and adhering to these rigorous policies and procedures can, and logically should, be certified by a 3rd party organization that is neutral and qualified to assess those policies and procedures against industry best practices and benchmarks.
Certifying that these rigorous policies and procedures have been implemented and are adhered to typically falls to CPA firms that offer both the audit and the attestation service as an annual process ‒ often tied to specific audit protocols. In healthcare, these protocols are well defined by the OCR.
“It’s really critical for any healthcare software or services business to understand that without a 3rd party audit by a CPA firm following AICPA standards – they really have no idea how strong their privacy and security practices are. If there’s ever a breach – the whole business is at risk for not only the breach, but the penalties associated with the breach, the recovery and the remediation. The smaller the healthcare company, of course, the harder it is to make all these commitments – which includes the cost of an annual 3rd party audit and attestation.” David Barton ‒ Managing Director, UHY LLP
Many large healthcare institutions do have a Chief Compliance Officer (CCO), but even here the commitment can be half-hearted. PwC recently offered these statistics from their analysis of healthcare providers.
The majority of respondents (86%) indicated they have a designated CCO who reports directly to either the board of directors or the CEO, but 14% do not have a CCO.
43% of CCOs also carry responsibility for other functions.
All of which suggests we’re headed for more big data breaches and “HIPAA Compliance” will likely remain a confusing term for everyone ‒ including “covered entities,” “business associates” and especially all of us as patients.
“Although business associates are now required to comply with the HIPAA Security Rule, my experience is that they have been really slow to respond. Many business associates are confused about whether or not they fall within the definition of a business associate and even more confused about their compliance requirements. There is a general understanding that they are required to sign a business associate agreement, but the notion that signing a business associate agreement makes you “HIPAA compliant” is naive and risky for everyone ‒ including covered entities and patients. When OCR begins enforcing HIPAA and levies hefty fines and penalties against business associates, they will wake up quickly. In the meantime, patients’ health information is at risk and I have seen a dramatic increase in breaches caused by business associates which have not implemented measures to comply with HIPAA’s Security Rule.” Linn Freedman, Partner ‒ Leader, Privacy & Data Protection Group ‒ Nixon Peabody, LLP
Data security and privacy certainly aren’t the only proxy for patient trust in healthcare, but they are a big one. Understanding and adhering to HIPAA Compliance across the entire digital health ecosystem is a leading indicator of just how seriously organizations take that trust.