Find out whether you’re doing all you must to avoid costly violations.
You’ve probably noticed plenty of websites asking you to accept “cookies” or rejoin email lists this summer. That’s because the EU’s General Data Protection Regulation (GDPR) took effect May 25. Designed to give European citizens more say over how their personal information is collected and used, the GDPR ranks among the world’s strongest data privacy laws.
Because the GDPR applies to companies doing business with Europeans wherever those companies are based, it will inevitably affect U.S. healthcare organizations. American providers already need to exercise greater caution with patient information to achieve HIPAA data compliance, but the GDPR holds the industry to even stricter standards.
For instance, under the GDPR:
- Patients must give active and express consent for organizations, including healthcare organizations, to collect and store their personal details. (Under HIPAA, organizations don’t need consent, but must store personal details securely.)
- Patients have the right to erasure (the “right to be forgotten”). (Under HIPAA, as Health IT Outcomes explains, “any patient record that is in the hospital’s database cannot be erased simply because the patient wants to.”)
- Organizations must notify patients of any data breach within 72 hours of becoming aware of it. (Under HIPAA, organizations have up to 60 days.)
And GDPR fines for non-compliance can be more severe than HIPAA fines. Where violations of the U.S. law can cost, at the most, $50,000 each with an annual maximum of $1.5 million, failures to comply with GDPR can run a maximum of 20 million euros (about $23 million), or up to 4% of the preceding fiscal year’s total global turnover, whichever is higher.
The GDPR is “widely considered to be the next-generation model for privacy protections,” Tony Abraham writes for Healthcare Dive. It shines a bright light on people’s rights to information security. That focus, together with the American healthcare industry’s continuing vulnerability to data breaches—more than one is reported every day, according to HIPAA Journal—leads some observers to wonder whether the U.S. should adopt stricter standards for handling patients’ protected health information (PHI).
A Six-Point HIPAA Data Compliance Checklist for Your Organization
We’re not legislators at MDCodePro and can’t predict what U.S. lawmakers will do. We urge providers to aim for the greatest possible compliance with all current legislation.
Though our focus is compliance with CMS documentation guidelines, we’ve put together a simple, six-point checklist you can use to strengthen your e-compliance with HIPAA. It’s no substitute for professional legal counsel or information technology advice, but it may help identify your organization’s most pressing compliance goals, as well as steps you must take to reach them.
Answer “true” or “false” to each of these statements:
- We have assessed our data security risk and taken appropriate action.
HIPAA requires your organization to assess the risks facing its PHI and reduce them to the lowest level reasonably possible. A thorough analysis of threats and vulnerabilities will flag potential problems involving the confidentiality, integrity, and availability of all protected information your organization creates, maintains, transmits, or receives, including e-PHI (PHI in electronic form), before those problems occur.
This assessment is more than a task you must complete to be compliant. It’s a way to honor the trust your patients give you as their healthcare provider. The Office of the National Coordinator for Health Information Technology (ONC) offers a downloadable risk assessment tool to help you document your organization’s risks and take steps to address them.
- We are encrypting all patient information.
Strictly speaking, HIPAA doesn’t make data encryption a “required” measure. It’s an “addressable” one. But this distinction only means organizations may document an “equivalent alternative” producing the same result if, based on risk analysis, encryption isn’t “reasonable and appropriate.” When you contemplate the damage done to your patients’ privacy and your reputation should unencrypted e-PHI be breached, it’s tough to conclude encryption is anything but “very necessary,” as HealthITSecurity states.
Even when you keep decryption keys separate from encrypted data (as the law requires), encryption isn’t foolproof and must be combined with other safeguards for maximum effectiveness. But since the healthcare sector sees more thefts of devices holding unencrypted data than other sectors, and twice as many cyberattacks, encryption is a vital investment in HIPAA data compliance and your own peace of mind—and one today’s technology makes easier than ever.
- We have policies about using e-PHI with mobile devices.
While mobile device adoption is on the rise in healthcare, increased reliance on tablets, smartphones, laptops, and portable drives brings an increased risk of e-PHI ending up where it shouldn’t. In 2015-2017, breaches involving mobile devices exposed 1,303,760 patient and plan member records, reports HIPAA Journal.
Your policies should recognize how important mobile technology can be when caring for patients and communicating with them and with staff, but also regulate how employees use those devices to access, view, and transmit e-PHI. HHS’ Office for Civil Rights (OCR) recommends safeguards like user authentication, automatic lock/logoff and remote wipe capabilities, secure Wi-Fi and VPNs (Virtual Private Networks), and data encryption.
- We are centralizing data storage and reviewing data access.
HIPAA doesn’t dictate whether you use a physical server or store e-PHI in the cloud. The cloud may prove, as Health IT Outcomes calls it, the “only viable solution” for storing data, but that storage must be centralized and secured. Any third-party hosting or cloud service must comply with all applicable HIPAA requirements.
The law also requires that you keep audit logs and regularly review audit trails, which means keeping track of who accesses your organization’s e-PHI, from where, and how. Most information management systems include tools for meeting these requirements, but it’s up to you to establish exactly what information the audit log collects and what constitutes “regular” audit trail review. Let risk analysis guide your decision. Don’t wait until a security breach forces you to take too little action, too late.
- We have HIPAA agreements with outside parties who deal with our PHI.
Server providers aren’t the only third parties you have to be sure are in data compliance with HIPAA. Any person or entity outside your organization who interacts with your PHI—answering services, medical transcriptionists, accountants, medical coding and billing services, data analysis, document storage or shredding companies, practice management, and more—is your “business associate” in the law’s eyes and must obey all applicable privacy regulations.
You must obtain a written contract or other document containing satisfactory assurances that your business associates and any of their subcontractors will safeguard your organization’s PHI and only use it as needed to perform their responsibilities to you. HHS makes a model business associate contract available online. You can also find decision trees online, such as this one, to help you clarify who counts as a business associate and who doesn’t.
- We train staff in HIPAA compliance and monitor that compliance on an ongoing basis.
HIPAA requires healthcare organizations to train staff in both the HIPAA Privacy Rule and the HIPAA Security Rule, but doesn’t spell out specific requirements. The HHS OCR offers free resources to help you plan training. HIPAA Journal lists helpful “dos” and “don’ts,” and points out that though HIPAA training may feel burdensome, the potential financial cost if you’re not providing it could be devastating.
Your responsibility doesn’t end with HIPAA training for employees. The law makes explicit your obligation to monitor staff for HIPAA compliance. Without an internal monitoring program, you expose yourself to substantial financial risk (one non-compliant organization paid HHS a $5,500,000 resolution amount). Fortunately, a staff aware of required compliance monitoring can help you stop violations—like shared login credentials, unattended devices or documents, or curious “nosing around” in patients’ charts—before they occur.
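The audit-trail review described under data access (who touched which e-PHI record, from where, and when) and the monitoring point just above (shared login credentials, “nosing around” in charts) both come down to reading the access log against policy. The script below is an added example written for this article; it is not MDCodePro’s product nor any EHR vendor’s audit tool. The log format, user names, patient ids, the “assigned patients” table, and the thresholds are all constructed assumptions, and a real risk analysis rather than a script would set the thresholds.

```python
"""Minimal e-PHI audit-trail review over constructed access-log lines.

Added illustration, not MDCodePro's or any vendor's tool. The log format,
user names, patient ids and the "assigned patients" table are all made up
for the example; a real EHR's audit log will look different, and the
thresholds below are assumptions a risk analysis would set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, workstation, patient id, action.
SAMPLE_LOG = """\
2018-06-04T09:02:11 dr_lee WS-101 P-0001 VIEW
2018-06-04T09:05:40 dr_lee WS-101 P-0002 VIEW
2018-06-04T09:06:02 dr_lee WS-214 P-0003 VIEW
2018-06-04T09:15:27 nurse_kim WS-102 P-0001 UPDATE
2018-06-04T22:41:09 nurse_kim WS-102 P-0099 VIEW
2018-06-04T10:30:00 billing_ray WS-300 P-0001 VIEW
"""

# Constructed treatment/billing relationships: which records each user may touch.
ASSIGNED = {
    "dr_lee": {"P-0001", "P-0002", "P-0003"},
    "nurse_kim": {"P-0001", "P-0002"},
    "billing_ray": {"P-0001", "P-0002", "P-0003", "P-0099"},
}

# Assumed policy thresholds (a risk analysis, not this script, should set these).
SHARED_LOGIN_WINDOW = timedelta(minutes=5)   # same account, two workstations
BUSINESS_HOURS = (7, 19)                      # 07:00-19:00 local time


def parse_log(text):
    """Turn raw lines into dicts; skip blank or malformed lines rather than crash."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, host, patient, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "patient": patient, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def find_unassigned_access(events, assigned=ASSIGNED):
    """Access to a record the user has no recorded relationship with ("nosing around")."""
    return [(e["user"], e["patient"]) for e in events
            if e["patient"] not in assigned.get(e["user"], set())]


def find_shared_logins(events, window=SHARED_LOGIN_WINDOW):
    """One account active on two workstations within `window`: a shared-credential signal."""
    by_user = defaultdict(list)
    for e in events:                      # events are already time-sorted
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["host"] != b["host"] and b["ts"] - a["ts"] <= window:
                findings.append((user, a["host"], b["host"]))
    return findings


def find_after_hours(events, hours=BUSINESS_HOURS):
    """Access outside business hours; often benign in a hospital, but worth a second look."""
    start, end = hours
    return [(e["user"], e["patient"], e["ts"].isoformat())
            for e in events if not start <= e["ts"].hour < end]


def review(text):
    """Run every check and return the findings grouped by category."""
    events = parse_log(text)
    return {"unassigned": find_unassigned_access(events),
            "shared_login": find_shared_logins(events),
            "after_hours": find_after_hours(events)}


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG).items():
        print(category, items)
```

On the constructed log the review flags nurse_kim viewing P-0099, a record outside her assignment list, late at night, and dr_lee’s account used on two workstations twenty-two seconds apart, which is the pattern a shared login leaves. Each finding is a prompt for a human reviewer, not a verdict: a clinician covering a colleague’s patients or a nurse on a night shift will trip these rules legitimately, which is exactly why the page says risk analysis, not the tooling, should define what “regular” review looks for.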
Don’t Stop Strengthening Your Practice With HIPAA Data Compliance
Taking stock of and, if necessary, improving your e-compliance with HIPAA is vital to your organization’s legal and economic health. And who knows? HIPAA data compliance now may give you an advantage should the U.S. move toward stricter, GDPR-like standards in the future.
Improving practitioners’ medical documentation and coding skills is another smart investment you can make in your organization, and MDCodePro is the tool you need to help you do it. To learn more about how MDCodePro can make your organization’s coding more accurate, more compliant with regulations, and more profitable, fill out this form.