Are you HIPAA Compliant? Are you ready if the Federal Office of the Civil Rights audits you?

Sulaimon Jimoh

October 18, 2018

HIPAA Compliance and Data Security

A study conducted by the Office of the Assistant Secretary for Planning and Evaluation (ASPE) on LTPAC providers engaged in Health Information Exchange (HIE) found that LTPAC facilities continue to have issues with outdated technology solutions, and that some key personnel in these facilities remain unaware of the importance of the security and interoperability of PHI. 

This poses an ongoing challenge for the LTPAC sector with regard to both HIPAA compliance and data security. LTPAC facilities are in a unique and pivotal position: HIE is an absolutely critical factor in their day-to-day operations, because patients are frequently transferred from acute care settings such as hospitals to LTPAC settings for rehabilitation.

HIPAA Security Compliance for LTPAC

The transfer of eHIE must be accomplished with effective security measures in place to protect the privacy of patients, but not all LTPAC facilities have sufficient technology infrastructure or trained IT staff on board to achieve this. Fortunately, incentives exist for LTPAC facilities whose key personnel want to take strong, proactive measures to keep PHI safe and avoid security breaches and high HIPAA fines. As reported by ASPE, it is important not only to achieve compliance, which is the minimum standard set forth by Federal Regulations, but also to attain the maximum possible degree of security that will protect PHI against any and all threats, including malware, cyberattacks, and loss or theft of mobile devices used in patient care.

Assistance for Compliance and Security

To achieve not only HIPAA compliance but also a high level of security for PHI, LTPAC facilities must undergo thorough risk assessment procedures on an ongoing basis, allowing for continuous development and improvement. The cost of these assessments will vary according to a great many factors, including but not limited to the size of the facility, the level of HIT, EHR, and eHIE that already exists, and the degree to which improvements and upgrades can and must be made.

Government Funded Incentives

As reported by the Centers for Medicare & Medicaid Services (CMS), the HITECH Act funds incentives intended to help healthcare organizations achieve HIPAA compliance and safeguard the security of their EHR and PHI. These incentive programs, formerly known as EHR Incentive Programs, are now referred to as Promoting Interoperability (PI) Programs. The EHR Incentive Programs were created as part of the passage of the HITECH Act to offer payments to eligible facilities and personnel who utilize Certified EHR Technology (CEHRT), which is defined by the Office of the National Coordinator for Health Information Technology (ONC) as technology by which healthcare professionals can submit PHI to CMS such that CMS can readily process it.
Outsourcing IT Requirements

As reported by the HIPAA Journal, LTPAC facilities are increasingly turning to third-party IT specialists for their risk assessment needs, and it is easy to see why. Many LTPAC organizations simply do not have properly trained HIT staff employed in-house, which constitutes a perilous situation in today's environment, where cyberattacks on healthcare organizations are, according to Bloomberg, on the rise.

A Necessary Investment

While some small and medium-sized LTPAC organizations might balk at the expense of conducting a HIPAA Risk Assessment, it is vital that these procedures be instituted and maintained. Although a HIPAA Risk Assessment and any related remediation can represent a significant cost to an organization, the cost of non-compliance is simply too high, whether measured in actual dollars or in the loss of trust of residents and their families. Following a series of high-profile data breaches, a 2014 survey by the Ponemon Institute found that 68% of individuals believed that the fault for the breaches rested with the healthcare providers for not taking stringent enough measures to ensure data security. While HIPAA compliance is both desirable and mandatory, it is even more critical that LTPAC facilities go the extra mile and institute, on an ongoing basis, the procedures and policies necessary to ensure the safety and security of PHI.