Health Care Data Insecurity in the Era of HIPAA

In the health care world, data security has long been a top-of-mind issue.

Earlier this month, Facebook CEO and founder Mark Zuckerberg was grilled in back-to-back congressional hearings about whether his company is doing enough to protect its users’ data. For many, the hearings—and the data disclosures that prompted them—were an eye-opening event, bringing to the forefront the dangers of data insecurity. In the health care world, data security has long been a top-of-mind issue. But instead of congressional hearings, administrative scrutiny occurs in a different form: the audit.

Indeed, while Congress debates what, if any, regulation is needed to protect users’ privacy on social media, health care providers have lived under the Health Insurance Portability and Accountability Act (HIPAA) for more than 2 decades, and the Health Information Technology for Economic and Clinical Health (HITECH) Act for nearly a decade. The latter of the 2 authorized the US Department of Health and Human Services’ Office of Civil Rights (OCR) to conduct audits to ensure compliance with health privacy regulations.

Rachel V Rose, a Houston-based attorney whose practice focuses on health care and corporate law, said there are generally 2 pathways to a HIPAA audit: a complaint by a consumer, or a random audit as part of OCR’s audit program. The vast majority of audits happen as a result of patient complaints. Since 2003, nearly 26,000 investigations sparked by patient complaint have led to corrective actions. Meanwhile, the second phase of OCR’s random audit program started in 2016 and results were released last year. The random program included 166 audits.

Rose said health care organizations must think ahead in order to avoid HIPAA violations. “While an OCR Pilot Program Audit cannot be avoided if one's name comes up from the random sample, an organization can avoid adverse audit findings,” she told MD Magazine. “Being proactive is crucial and the best way to avoid fines is through compliance.”

When she advises clients, Rose asks them these questions: Are you undergoing annual risk assessments by third parties? Do you have an adequate Business Associate Agreement in place with all required entities? Do you have annual trainings, and are your policies and procedures adequate? Is your data encrypted, both at rest and in transit? Do you have current HIPAA releases signed and kept in patient medical records?
