Why We All Need HIPAA Compliance
Chuck's Cyber Wall
Anyone who works with Protected Health Information (PHI) knows that some HIPAA Compliance security rules can be challenging. Beyond the effort of putting security in place and training personnel to keep this data safe, patients often get frustrated with some of the restrictions on how their data is shared.
It can be discouraging for everyone involved, but it doesn’t have to be.
Generally speaking, it’s not the security rules that are the problem, rather, it’s how and why they are applied. For this blog, I’ve broken down the reasons we need HIPAA Compliance in the medical world and put them into terms that apply to those who work in the field, as well as all of us patients.
HIPAA COMPLIANCE IS NOT VOLUNTARY
Let’s start here. Whether you work in a medical office or are a patient, abiding by the security rules isn’t an option, it’s the law. Just as you can’t drive 100 mph through a school zone or walk out of a grocery store with a cart full of food without facing the consequences, healthcare organizations can face fines of $25,000-$50,000 for a single violation if they are out of compliance.
These standards were created to ensure patient privacy by establishing rules for the legal use and disclosure of medical information. For most people, medical information is extremely personal, yet before these security rules existed, rarely enforced and inconsistent state laws were all we had. Congress had passed privacy statutes protecting driver’s license records, cable TV records, school records, and even phone records back in the 1970s, but it wasn’t until the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 that the government finally protected this most personal of information.
No matter how it sometimes feels, these rules were implemented to protect us all.
THE RULES ARE EVOLVING
The primary reason it took so long to get security rules in place is that critics assailed it from all sides.
- Office workers complained that sign-in sheets were too disruptive
- Administrators worried about not being able to share medical records with family members
- Doctors did not want to share their notes
- Patient rights advocates wanted stronger enforcement
- Many feared that enforcing compliance would bankrupt the healthcare industry
- Big business enjoyed all the legal loopholes that allowed them to collect confidential data
It was the Department of Health and Human Services (HHS) that put the rules in place, but it was up to the Office for Civil Rights (OCR) to enforce them. Early on, this proved problematic, and the first decade of its existence provided much of the negative reputation that HIPAA still struggles to get out from under. Between the OCR’s inability to investigate breaches and inadequate enforcement, it seemed that all the critics of the HIPAA Security Rule were right.
A string of laws, including a HIPAA Compliance Deadline in 2003, the HITECH Act in 2009, and the final HIPAA Security Rule in 2013, proved that not only could these security rules work, but that the HHS was willing to adjust them to changing digital needs and the OCR had the teeth to enforce them.
WHAT HIPAA COMPLIANCE MEANS TO US
As human beings, one of the things we struggle with most is inconsistent standards of behavior. We dislike it when someone can do something we are not allowed and get away with it. The HIPAA Security Rule ensures that we all have the same rules. No one gets an unfair advantage.
Beyond this, it exists to protect individuals and ensure that we all have full access to a copy of our personal medical records without worrying about this information being shared without our knowledge or consent. It is ultimately a civil rights issue that applies to anyone who creates, transmits, or uses individually identifiable health information. Of course, this doesn’t come without a cost.
For healthcare workers, it means following specific guidelines set forth by the HIPAA Security Rule that include:
- using strong, unique passwords
- not sharing workstation logins
- managing minimum access to records
- attending mandated training
And as patients, we have to do our part to keep our personal medical information safe by:
- reading and signing disclosure forms
- using patient portals whenever possible to get information
- securing accounts with strong, unique passwords
- working with healthcare providers, not against them
For some, the HIPAA Security Rule affects how we work, and for others, it affects how we communicate, but ultimately it’s about keeping patient medical information secure for all of us.
HIPAA COMPLIANCE CHALLENGES
Within the current landscape, we’re all experiencing more challenges. Healthcare has undergone sweeping changes that make maintaining privacy compliance even more difficult. Among these, we have:
- Telehealth Visits – many patients prefer virtual visits, and maintaining data protection over the internet requires new and more complex security procedures
- Increased Patient Ratios – with the potential of more visits in a day, things can get hectic, creating the opportunity for HIPAA Compliance mistakes
- Multiple Care Providers – primary care physicians often receive results from multiple labs, which means data moving at a faster pace that could lead to a higher rate of security errors
Maintaining secure PHI is important to everyone. It all begins with a Risk Assessment – one of the many services provided by CLARK, so if you’re not sure where to get started, give us a call at 301-456-6931 or send an email to [email protected].
Director of Cybersecurity and Marketing
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small businesses, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com