The Health Insurance Portability and Accountability Act (HIPAA) was first put in place in 1996 and developed to be the standard for ensuring the protection of sensitive patient data. It is divided into two separate rules that work in conjunction with each other to ensure maximum protection; the Security rule and the Privacy rule.
The Difference Between HIPAA Privacy and HIPAA Security
Both the HIPAA Privacy and Security rules work together to ensure the protection of sensitive patient data, yet they are separate and have distinctly unique purposes. The HIPAA Privacy Rule revolves around the individual and their rights to have control over the way their sensitive data is used. Essentially, medical organizations can use the sensitive data for necessary functions, such as operations, medication and payment. Aside from this, the data must remain confidential. The Privacy Rule ensures that all forms of Protected Health Information (PHI) are protected and remain private; including physical copies, electronic copies and any information transferred orally.
The HIPAA Security Rule differs in that it only applies to Electronic Protected Health Information (ePHI). Any such information that an organization creates, receives uses or maintains is subject to this rule. Some of the specific elements of the Security Rule include the requirement of regular risk assessments and have policies in place to ensure the security of electronic data. These policies should be related to password management, change auditing, email handling and much more.
A Recent HIPAA Violation: Virtua Medica
Despite HIPAA compliance being in place for over 20 years now, organizations still struggle to get to grips with the Security and Privacy rules, and high-profile breaches still occur. Recently, a New Jersey Attorney General fined an organization called Virtua Medica just over $418,000 after the PHI and ePHI of well over 1000 patients was breached.
The key reason that the HIPAA investigation found as to why this breach occurred was that Virtua Medica didn’t take enough care when putting security measures in place. There was a lack of training around sensitive data, and a lack of awareness of the changes taking place within critical IT systems and to critical data, which lead to an unacceptable delay in identifying and responding to the breach.
Can HIPAA Violations Be Avoided?
Theoretically, although you can never guarantee that you won’t be the victim of a data breach, you can ensure that you are doing everything you can to comply to HIPAA rules and regulations. It would take too long to list all the things you need to do to ensure HIPAA compliance, and other blogs have already done this, such as this one here.
The short version is, as long as you are ensuring that you are proactively and continuously taking steps to ensure the safety, security and privacy of PHI, you’re pretty much there. You also need to have a solution in place that allows you to generate the appropriate reports that compliance auditors will look for to prove that you are acting responsibly with patient data. HIPAA Compliance Solutions such as LepideAuditor, come pre-packaged with HIPAA compliance reports that detail all changes taking place to PHI and report on any critical changes in real time. This kind of solution will help reduce the time it takes to identify and respond to a breach, as you will be able to notice unauthorised or irregular changes much faster.