With the U.S. Department of Health and Human Services' recent release of the Final Rule implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA), medical practitioners face a September 23, 2013 compliance deadline for bringing their patient privacy and data security policies in line with the new regulations.
The need for stricter regulations
Recent developments have made patient information security a paramount concern in the healthcare industry. More hospitals are moving sensitive records into electronic filing systems. This move not only consolidates data and streamlines the collection of patient information, but also lets medical staff share those records with other hospitals. However, the centralized storage of sensitive patient information has raised concerns among privacy advocacy groups.
In addition, the spread of cybercrime within the healthcare industry has led some to question how secure patient information will be once it is stored on hospital servers. A Ponemon Institute study of 80 healthcare organizations found that 94 percent of respondents had experienced at least one data breach in the preceding two years, as reported by Health IT Security.
With these considerations in mind, the federal government has moved to enforce new regulations governing the storage, protection and use of patient information. To avoid penalties for noncompliance, medical administrators should take note of the changes the Final Rule introduces.
Key requirements to address
According to Becker's Hospital Review, the Final Rule requires medical facilities to address several major issues in order to be in compliance:
Addressing data breaches
One issue the new regulations address is the notification of patients in the event of a data breach. Breaches affecting 500 or more patients must be reported to the federal government without unreasonable delay, and in no case later than 60 days after discovery; smaller breaches must still be logged and reported to HHS annually. Regardless of the size of the incident, administrators are required to notify the affected patients themselves when their information has been compromised, again without unreasonable delay and within 60 days of discovery.
The updated HIPAA regulations adopt a broader definition of compromised patient information. The earlier interim rule relied on a "risk of harm" standard, under which patient information was considered compromised only if its theft or unauthorized access posed a significant risk of harm to the individual. The new regulations presume that any impermissible use or disclosure of protected health information is a breach. To rebut that presumption, administrators must conduct and document a risk assessment that demonstrates a low probability that the information was compromised, weighing the nature and extent of the information involved, who obtained it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.