The financial penalties for not securing protected health information (PHI) have become greater, and the risks for violation more numerous, under the final Health Insurance Portability and Accountability Act (HIPAA) omnibus rule that went into effect Sept. 23. The rule greatly modifies and implements the Health Information Technology for Economic and Clinical Health (HITECH) Act by adding protections for stronger security of PHI, especially as it relates to electronic communications.
In the 1990s, PHI mostly was communicated on paper. Electronic communication was not yet widely embraced, and texting was not available. Today, it’s a different story. Electronic communication is affordable, efficient and perhaps one of the fastest ways to transmit information. It’s so fully accepted in daily life that many people, including those within the healthcare industry, now rely on electronic communication for business purposes.
In 2003, HIPAA addressed the increased need for protecting electronic PHI through security standards also known as “the security rule.” By 2005, the regulation established administrative safeguards to ensure that covered entities “identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the security rule] for the covered entity or business associate.” This step was an important one in ensuring that the security rule actually was implemented and actively administered.
WHAT THE STANDARDS COVER
The administrative standards cover:
- access authorization,
- security awareness and training,
- periodic security updates,
- protection from malicious software,
- log-in monitoring,
- password management,
- security incident procedures,
- contingency plans,
- data backup plans,
- disaster recovery plans,
- emergency mode operation plans,
- maintenance records,
- workstation use and
- device and media controls.
As technology continues to advance, healthcare providers and other covered entities must stay abreast of new security challenges. As such, organizations must understand and follow the technical safeguards to ensure that the transmission of PHI is secure and encrypted.
Under the 2013 HIPAA omnibus rules, breach notification requirements have changed significantly with regard to unsecured/unencrypted electronic health information. Covered entities now are required to have policies in place to disclose non-allowable uses of PHI, procedures to identify the risks associated with unauthorized uses and processes to determine whether a reportable breach has occurred. As these requirements relate to email, facilities must be aware of the inherent risks associated with the use of some email platforms.
FREE EMAIL ISSUES
Many facilities, especially those of small to mid-sized organizations, encourage employees to use their personal or generic email accounts to communicate with staff, healthcare providers, business associates, residents and family members. These email accounts typically are available at no cost and seem to do the job. Are they encrypted and HIPAA-compliant, however?
In June, a Google attorney filing a legal brief in an effort to have a class-action data-mining lawsuit dismissed cited the 1979 Supreme Court case Smith v. Maryland and said that those sending or receiving email messages via its service—at least those without Gmail accounts sending messages to those with Gmail accounts—should not expect their messages to remain private. In fact, Google has had a standard practice of reviewing the content of every email that passes through its server since its inception in 2004, according to an Aug. 15 Los Angeles Times article by Jon Healey.
Unfortunately, this practice is not limited to Gmail. It also is a standard practice of most “free” email programs, such as Yahoo, Hotmail and AOL.
Before 2009, the fines for HIPAA violations were $100 per violation and $25,000 for identical violations during a calendar year. The new monetary penalties are significantly higher (see table, “Monetary penalties for HIPAA violations”). A healthcare facility can take basic steps to protect itself, its employees and business associates from being at risk of violating the new HIPAA regulations, however. The best strategies to avoid fines involve corporate compliance programs, quality assurance performance improvement (QAPI) programs and overall policies and procedures.