Amid all the political talk about changes to the Affordable Care Act, there’s something that really should be catching the attention of healthcare IT instead. Enforcement of the familiar security rule in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has picked up in a big way. With over $10 million in settlements announced so far this year, 2017 is on pace to be a record breaking year for multi-million dollar fines.
But while the big fines may grab the headlines, you may be surprised to hear that private practices are the most common targets of enforcement. According to the U.S. Department of Health and Human Services (HHS), the types of entities that are most likely to be required to take corrective action based on HIPAA violations are listed below in order of frequency:
- Private Practices
- General Hospitals
- Outpatient Facilities
- Pharmacies
- Health Plans (group health plans and health insurance issuers).
Corrective actions required to be taken by smaller facilities may not add up to a million dollar fine, but often result in a million dollar pain in the you know what for IT departments that are already overworked and understaffed. So, how can IT departments large or small minimize compliance risk?
At a recent South Florida Hospital and Healthcare Association Symposium, cybersecurity expert Sanjay Deo summed up his advice in 3 steps: Establish clear policies for how your organization handles protected health information (PHI), train employees on these policies, and conduct a periodic risk assessment that includes a plan to address any issues found.
On this last point, the HHS provides a handy 156 question assessment tool to help organizations see where they stand. OK, 156 questions may not meet your definition of “handy.” On the other hand, many of the questions are variations on the same theme. For example, consider one of the questions, “Does your practice implement safeguards to assure that ePHI is not accessed while en-route to its intended recipient?” Or this one, “Does your practice implement encryption as the safeguard to assure that ePHI is not compromised when being transmitted from one point to another?”
If you answered “yes” to both those questions, there is a good chance you have a Citrix-powered environment. For those who are unsure, these questions crystalize why so many healthcare organizations rely on Citrix, not only for the controlled clinical app access and encryption provided by XenApp, XenDesktop and NetScaler, but also for the easy to use email and file sharing capabilities enabled by XenMobile and ShareFile. These collaboration tools, in particular, have features that ensure patient data is being shared only with the intended recipient. Just as important, all of the products integrate to form a digital workspace that is easy to use, reduces clicks, and facilitates care.
However you decide to plug your compliance gaps, one thing is for sure, HIPAA isn’t going anywhere. So, it makes sense to be proactive. Whether you are a big fish, a little fish, or somewhere in between, the rules are the same for everybody.