Healthcare stakeholders are about to face a new frontier in the battle to remain HIPAA compliant and protect PHI and health data – digital. The new digital healthcare landscape is one of the key concerns for payers, providers, and patients as we enter 2015 and look back at 2014.
Since 2009 HHS has collected almost $25 million in HIPAA penalties, and the arrival of digital health and mHealth adds new ways to incur them. Let’s take a look at some of the key areas of concern for healthcare players looking to revitalize or revamp their HIPAA protocols and safeguards.
mHealth & Wearables
The day has come when we must plan for wearable and smartphone app data to become part of healthcare’s standard data flow. With it arrives the risk of moving health data across new platforms and networks. Many of these risks stem from the new data handoff patterns these devices have introduced: a wired medical device or wearable streaming data to a smartphone over Wi-Fi, the smartphone forwarding that data to a provider over a 4G LTE cellular connection, and the provider processing it on a corporate network. Each handoff is a separate transmission boundary, so the practical question at every hop is who holds the data and whether it is encrypted in transit and at rest.
The key question remains: in which situations must HIPAA safeguards be applied to the data flowing from these devices? For example, once wearable or app data is used by a provider it is protected by HIPAA safeguards, but in other situations, such as when it is gathered by an employer or by a consumer app vendor that is neither a covered entity nor a business associate, it may not be.
The solution? For now, education. Educating patients and providers on when and how HIPAA safeguards protect PHI is key to managing the logical and physical security risks inherent in passing so much data across multiple Wi-Fi, 4G and corporate networks.
Unsupported Software
As new software and operating platforms arise, older versions become obsolete and stop receiving security updates. HHS has made it clear that the Security Rule’s risk-analysis and malware-protection requirements still apply, so healthcare stakeholders running unsupported software without compensating controls expose themselves to HIPAA violation penalties.
For 2015, the continued use of Windows XP will be treated as a HIPAA violation, since Microsoft ended support for the operating system on April 8, 2014 and no longer issues security or bug fixes for it. Microsoft Office 2003 and Microsoft Exchange Server 2003 reached end of support on the same date and belong on the same list of unsupported software.
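As an added example (not code from the original post or from PayerFusion), the following Python check flags hosts in a software inventory that are running products past Microsoft’s published end of extended support as of a chosen review date. The inventory lines are constructed, and the function and variable names are this example’s own; the end-of-support dates are the April 8, 2014 date for Windows XP, Office 2003 and Exchange Server 2003, plus Windows Server 2003, whose support ended on July 14, 2015, so the same inventory yields different findings in January and December 2015.

```python
"""Flag end-of-life software in a host inventory (added example, not PayerFusion code)."""
from datetime import date

# End of extended support (the last date security updates were issued) for
# the products the article names, plus Windows Server 2003, whose support
# ended later in 2015.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Microsoft Office 2003": date(2014, 4, 8),
    "Microsoft Exchange Server 2003": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Constructed sample inventory (host, operating system, one installed product).
SAMPLE_INVENTORY = """\
host,os,software
ws-billing-01,Windows XP,Microsoft Office 2003
ws-billing-02,Windows 7,Microsoft Office 2010
mail-01,Windows Server 2003,Microsoft Exchange Server 2003
mail-02,Windows Server 2008 R2,Microsoft Exchange Server 2010
"""


def parse_inventory(text):
    """Parse the comma-separated inventory into one dict per host."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, ln.split(","))) for ln in lines[1:]]


def unsupported_products(products, as_of):
    """Return the products whose end-of-support date is on or before as_of."""
    return [p for p in products
            if p in END_OF_SUPPORT and END_OF_SUPPORT[p] <= as_of]


def find_unsupported(inventory_text, as_of):
    """Map each host with at least one unsupported product to that list.

    as_of is an ISO date string such as "2015-01-01"; fixing the review date
    rather than using today's date makes the report reproducible for an audit file.
    """
    review_date = date.fromisoformat(as_of)
    findings = {}
    for row in parse_inventory(inventory_text):
        bad = unsupported_products([row["os"], row["software"]], review_date)
        if bad:
            findings[row["host"]] = bad
    return findings


if __name__ == "__main__":
    for when in ("2015-01-01", "2015-12-31"):
        print(f"Review date {when}:")
        for host, bad in find_unsupported(SAMPLE_INVENTORY, when).items():
            print(f"  {host}: {', '.join(bad)}")
```

Run against a real asset inventory, the table of end-of-support dates is the part to keep current; a host that is clean in January can become a finding later in the same year, which is why the review date is an explicit input.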
Hacking & Cyber Threats
2014 saw a multitude of cyber attacks and hacks on large corporations, most recently the one impacting Sony Pictures and a number of its A-list celebrity employees. 2015 is expected to see similar ploys as these actors move to the digital frontier.
In Sony’s case, actors’ individually identifiable health information, some of which appears to be protected health information (PHI) under HIPAA, was among the sensitive personal data taken. One accessed file contained a list of the highest-cost patients covered by the Sony Pictures health plan.
Healthcare players are encouraged to be aware of these threats and to maintain cyber security protocols that would thwart a similar situation when more valuable or critical PHI is involved.
Business Associate Terms
With the concerns arising throughout digital health, healthcare stakeholders are advised to revisit their Business Associate Agreements and revise the terms to better reflect the HIPAA safeguards and protocols surrounding mHealth, EHRs, wearables, telehealth and more.
Some key terms you may want to include are:
Requiring business associates to implement specific security controls, such as encryption of PHI in transit and at rest.
Requiring business associates to comply with specific state or federal privacy and security requirements.
Limiting the creation or use of de-identified data derived from the covered entity’s PHI.
Requiring business associates to carry cyber security insurance.
Specifying which types of security incidents do and do not require per-incident notification.
HIPAA Complaints & Investigations
With the growing concern over maintaining HIPAA compliance and protecting PHI, the Office for Civil Rights (OCR) is expected to increase compliance investigations, audits, and enforcement actions.
Finally, we may begin to see more entities and individuals that do not absolutely require PHI in order to do business try to avoid handling it as much as possible.
PayerFusion & PHI
As we ready the healthcare landscape for mHealth and wearables, how we handle and manage PHI and other valuable health data grows in importance. The threats and vulnerabilities will continue to grow as new technology and innovation further complicate the battle against hackers and other dangers.
PayerFusion Holdings regularly conducts internal HIPAA training and audits to ensure that all of our claims, patient data, and insurance information remain protected to the best of our ability. We aim to handle PHI the way we handle the lives of our clients, with the utmost care and safety. Additionally, we are now offering large groups access to our Online Personal Health Record platform, with mobile availability for iOS and Android. This PHR is accessible 24/7, is fully HIPAA compliant, and protects each user’s information with secure, encrypted data transfer.
To learn more about PayerFusion’s HIPAA-compliant claims management programs or our Online Personal Health Record, contact us at firstname.lastname@example.org or subscribe to our monthly newsletter – Health Insights.