Introduced in 1996 to assist in dealing with medical fraud, the health insurance portability & accountability act (HIPAA) has since evolved significantly. However, one fact remains the same: Any healthcare facility or medical personnel who don’t follow the standards set by HIPAA on the protection of patient data suffer hefty fines. This article covers what companies need to know about HIPAA compliance in 2019 to stay compliant and avoid penalties. We’re assuming a basic knowledge of HIPAA – if you aren’t familiar with the healthcare regulation, you can read more about what HIPAA compliance is here.
Potential changes to HIPAA in 2019
Due to changes in patient data, especially Electronic Health Records (EHRs), there is a need to make changes to HIPAA to improve data sharing and coordinated care. For this reason, the Office for Civi Rights (OCR) has requested that healthcare facilities that are under HIPAA coverage to provide feedback about areas in the act that require updates.
The window period for submission of feedback is February 11, 2019. In the meantime, OCR is working on current recommendations, and the question remains as to whether we will see any changes to the act before the end of 2019.
OCR is primarily targeting the HIPAA privacy rule, particularly the clauses that limit coordinated care and a transition to value-based healthcare. Additionally, OCR is aiming to make changes to the privacy rule to support efforts aimed at fighting the opioid menace in the US.
How HIPAA is currently enforced
2018 was a record year for enforcement of HIPAA. Total fines and settlements stood at over $28M, representing a rise of about 22% over 2016’s already impressive record.
This trend is expected to continue, as OCR is clearly increasing efforts in enforcing HIPAA in 2019 and beyond. Delays in providing medical records to patients, denying access to records, and overcharging patients are areas that are likely to face new enforcement efforts. OCR is also expected to step up their enforcement and penalization of compliance breaches that include lack of safeguards, absence of HIPAA policies and procedures, impermissible PHI disclosures, poor risk management, failure to initiate thorough risk analyses and lack of business associate agreements. Email data breaches are also likely to attract higher penalties in the coming months.
5 must-haves to get HIPAA compliant in 2019 and beyond
Embracing HIPAA compliance isn’t any different from developing modern data security plans. The following steps will set you on the right path to meeting compliance requirements:
Step1: Begin with a thorough risk assessment and gap analysis
Your journey to HIPAA compliance should start with a thorough evaluation of your electronic health records (EHR) to ensure compliance and minimize risks. Best results will come from third-party experts with experience in healthcare security and compliance.
When you hire a consultant, they will begin with an evaluation of your security program to make sure it’s in line with HIPAA regulations and determine if it’s ready for ‘certification.” It’s worth noting that OCR doesn’t certify compliance but has assigned this role to independent organizations.
After the assessment, your in-house team or consultant should produce a comprehensive report that will include the following:
- The present security status of your organization in relation to OCR audit protocol
- Best recommendations for risk remediation
- Steps to follow to achieve certification
Step 2: Remediation of risk and addressing compliance gaps
Based on the consultant’s report, you should initiate immediate action to fill in any gaps in your security program. A quality consultant will be able to help you to develop policies, programs, procedures and standards to implement critical security practices and controls.
Step 3: Adopt automated compliance reporting
The evaluation standard for HIPAA demands organizations covered by the regulations to document both technical and non-technical assessment to gauge if they are in line with the set standards. This task is easy to achieve through compliance and security reporting solutions.
Many security management solutions offer extra predefined event reports, such as reports by data type and data source, thus increasing efficiency in your daily monitoring and reporting. Choose a flexible and intuitive interface that allows you to manipulate data swiftly.
Your chosen automated compliance reporting solution should offer centralized visibility of on-premises and cloud assets, threats, logged data from firewalls, cyber attack vulnerabilities, and other vital security tools that will provide sufficient data for documenting and maintaining continuous compliance.
Step 4: Implementing breach notification monitoring protocols
According to the breach notification rule, all entities covered by HIPAA and their associates must report any breach linked to unsecured protected health information. Security management platforms should be able to make detection, monitoring and responding to breaches simple and fast.
Since most healthcare organizations are shifting data and applications to the cloud, you should make sure the technology of choice provides threat detection both in multi-cloud environments and on-premises.
Step 5: Continuous evaluation and risk management
Whether you’re managing HIPAA compliance internally or you have outsourced the task, the monitoring process should be continuous to avoid the last-minute rush for annual assessments and audits. The program must offer-real time visibility of your environment.
Maintaining HIPAA compliance isn’t a simple task; it demands lots of attention. If you choose to work without healthcare security consultants, adhering to HIPAA compliance may take lots of time and result in data breaches that will compromise the security of your patient data. But with the right technology, people and processes achieving HIPAA compliance becomes an easy task.