Cyber Defense Magazine – August 2019


In summary, HIPAA exists to protect patients' private data against fraud and theft and dictates how that
data can be distributed. If it seems relatively straightforward, that's because it is, until you factor in how
HIPAA is enforced. The Privacy Rule applies to PHI in any form, and the Security Rule applies to PHI that is
created, stored or transmitted electronically; together they "cover a large range of data transfer protocols,
from handling face-to-face interactions to transferring and backing up data." Because the channels through
which we communicate have expanded to include digital platforms such as social media, text messaging and
email, it's easy to see why it's so challenging for organizations to maintain HIPAA compliance. In fact, many
health care organizations that think they're HIPAA compliant (or at least claim to be) actually are not.


That's troubling for a few reasons. First and foremost, it leaves health care records (and patients' private
information) vulnerable to data breaches. Between 2009 and 2019 there were 2,546 significant health care
data breaches (those involving more than 500 records), resulting in the theft or exposure of 189,945,874
health care records. Also, health care orgs deemed non-compliant face harsh penalties. Civil fines for HIPAA
violations range from $100 to $50,000 per violation, with a maximum of $1.5 million per year for violations
of the same provision, and that's in addition to potential criminal penalties for knowing misuse of PHI.


Given the severe consequences of failure to comply with HIPAA standards, it’s imperative that health
care orgs do everything within their power to get their affairs in order, starting with the following:


 Be better prepared for eDiscovery requests and HIPAA audits. When it comes to HIPAA
audits and complaint-driven investigations, treat them as a matter of when, not whether. There are
measures you can take to prepare for that day: thoroughly document HIPAA policies and procedures
within your organization, conduct routine risk assessments and keep the results, and create in-depth
training materials with records of who completed them. It's also in your best interest to implement a
software solution that makes it easier for your legal team to respond to eDiscovery and litigation
requests, which streamlines the audit process as well.

 Properly maintain, and dispose of, patient data. The key to properly maintaining patient
data is to enforce strict data security standards. HHS defines these standards in its Security Rule,
which requires administrative, physical and technical safeguards, each broken down into implementation
specifications (some required, some "addressable"), plus organizational, policy-and-procedure and
documentation requirements.

As far as the disposal of patient data is concerned, PHI cannot simply be discarded: it must first be
rendered unreadable, indecipherable and unable to be reconstructed, whether that means shredding paper
or wiping, degaussing or destroying electronic media. This is easier said than done in the world of
electronic communications, where copies of a message can live in mailboxes, backups and mobile devices.
HITECH's Breach Notification Rule raises the stakes further, because unsecured PHI that is improperly
disposed of counts as a reportable breach, so be sure to do your due diligence prior to disposing of anything.

 Maintain an email archive. Email archiving isn't explicitly required under HIPAA's Security Rule,
but storing all electronic communications in a single location can go a long way toward ensuring
HIPAA compliance. A central archive makes it easier to screen incoming and outgoing emails for PHI,
apply consistent retention and disposal policies, index and search messages for eDiscovery, monitor and
log who has access to your organization's emails, and quickly recover any emails that were accidentally
deleted.