by Bill Ahrens and Justin Frazer | Mazars US
There is a longstanding trend of healthcare providers embracing digital technologies to manage, access, share, and store patient information. Consequently, there is an industrywide need to ensure that digital ecosystems are compliant with regulations, particularly the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its various updates, including the HITECH Act of 2009 and the Omnibus Rule of 2013.
A HITRUST assessment is as close as a healthcare organization can come to certifying that it is fully HIPAA compliant.
While the desire to protect patient data should be enough motivation to appropriately secure protected health information (PHI), healthcare organizations—especially providers—can also experience significant penalties for noncompliance with HIPAA regulations, with fines ranging from $100 to $1.5 million.
Unfortunately, these violations are not uncommon. In 2020, the Office for Civil Rights (OCR) imposed financial penalties for Right of Access violations that ranged from $15,000 to $160,000; for Security Rule violations, penalties ranged from $25,000 to $6.8 million.
Healthcare IT leaders aren’t blind to the fact that protecting PHI should be high on their to-do lists. According to a recent national survey of stand-alone providers and provider offices, the top IT and compliance concern is protecting patient information. However, providers still fall short in this area. Studies show there are several contributing factors:
There is no such thing as a HIPAA certification, and to a degree, compliance with the HIPAA Privacy and Security Rules can be somewhat subjective. As a result, senior management may not know their level of exposure.
Healthcare has been, and continues to be, a prime target for cybercrime because it houses a treasure trove of data. But it typically lags other industries in spending on information security controls.
Many healthcare organizations—especially small ones—have limited staff and expertise in data privacy and security, as well as in implementing the associated controls.
It is a perfect storm—with cyberattacks increasing in frequency and sophistication, regulations and fines for noncompliance growing every year, and an ever-widening gap in skilled resources. While breach of PHI can be due to phishing attacks, hijacked websites, computer viruses, Wi-Fi hacking, and other external factors, healthcare providers are also particularly susceptible to insider threats.
How can providers get a jump on safeguarding PHI effectively and ensure they are in compliance? The first step is to conduct a risk assessment—or, if time and resources permit, a Health Information Trust Alliance (HITRUST) readiness assessment.