Channel: 4Medapproved HIT Security » Brian Johnson

The Future of HIPAA Compliance


The future of HIPAA compliance will bring more demanding electronic security regulations for healthcare organizations—or at least, that’s my prediction. But there are good reasons for making this prediction, and change will likely come sooner rather than later.

First, it has happened before. HIPAA was originally passed in 1996. Incredibly, the HIPAA Security Rule, which sets requirements for the protection of electronic Protected Health Information (ePHI), was not published in final form until 2003 and did not take effect for most covered entities until 2005, nearly a decade after the statute. Even then, HIPAA was widely seen as lacking teeth, because fines for violations were low and there was no budget for enforcement.

Partly in response, Congress included tough new security requirements in the HITECH Act of 2009. These new requirements included much higher fines, a permanent enforcement budget for random audits and breach investigations, and a federal breach notification rule that defines what counts as a reportable breach and who must be told, among others. HIPAA went from being toothless to having jaws like a Spinosaurus.

But there was a double whammy in HITECH that most providers failed to anticipate. The primary purpose of HITECH was to jump-start the adoption of EHRs and other Health IT. By most accounts, HITECH has been a success. Certainly, the Meaningful Use EHR Incentive Program has super-charged adoption of EHRs among ambulatory providers. But Meaningful Use also had a huge impact on security compliance, because it required providers who attested for incentive payments to prove that they were HIPAA compliant.

The first implementation specification of the Security Rule’s administrative safeguards has always been that providers must conduct a Security Risk Analysis (SRA): an assessment of the threats and vulnerabilities to the ePHI they hold, and the basis on which every other safeguard decision is supposed to be made. But many providers ignored the requirement for an SRA until Meaningful Use made it a core objective. With tens of thousands of dollars of incentive money on the line, providers upped their efforts to comply.

Another factor was that Meaningful Use has a much more aggressive audit program than HIPAA does. HIPAA’s audit program has been notoriously slow to get started, and it reaches far fewer than 1 percent of providers each year. By contrast, the MU program audits 5 to 10 percent of providers who attest each year. Providers should expect to be audited at some point in their participation. Incredibly, more than 20 percent of ambulatory providers fail the audit process. And the main reason why providers fail an MU audit is because they did not perform an adequate SRA.

Now, providers have moved on to Stage 2 of Meaningful Use, which was substantially revised this year. The first objective of Modified Stage 2 requires providers to protect ePHI, both through an SRA and by addressing the encryption of ePHI, including data held on end-user devices. In fact, the Security Rule has always listed encryption as an implementation specification, for data at rest (stored data) and data in transmission (emails, etc.). Some providers have misunderstood these specifications as optional because they are classified as “addressable” rather than “required.” But “addressable” does not mean optional: a provider must assess whether the measure is reasonable and appropriate for its environment, implement it if so, and otherwise document why not and put an equivalent alternative in place. In other words, providers have flexibility in how they meet the specification, not permission to ignore it, and the government has assessed heavy fines for ignoring the encryption requirements. There is a further incentive: under the breach notification rule, ePHI that is encrypted in accordance with HHS guidance is not considered “unsecured,” so a lost laptop whose disk is properly encrypted is not a reportable breach, while an unencrypted one is.

But the inclusion of encryption in Meaningful Use has spurred greater compliance from providers, because MU auditors will demand proof that providers have addressed encryption.

So what comes next? Starting in 2019, the government’s pay-for-reporting programs, including Meaningful Use, PQRS, and VM, will merge into a program called the Merit-Based Incentive Payment System (MIPS). MIPS will constitute a major transition toward pay-for-performance, as a large percentage of reimbursements will be tied to satisfactory participation. And it is a safe bet that one of the MIPS requirements will be improved digital security, especially if the security environment for healthcare organizations continues to deteriorate.

What might these new requirements include? One area that is ripe for improvement is network security. An SRA normally includes a vulnerability scan of the network, to identify gaps and vulnerabilities. But a one-time scan is limited, because it only shows the network as it was on the day of the scan; a host added or a service opened the following week goes unnoticed until the next annual review. By contrast, the industry standard for protecting credit card data (PCI DSS) requires vulnerability scans at least quarterly and after any significant change, plus ongoing review of security logs. Continuous monitoring of this kind scans networks on an ongoing basis and compares each result with the last, so that new exposures are identified and addressed promptly rather than a year later.
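As an added illustration of the difference between a point-in-time scan and ongoing monitoring (example code written for this edit, not from the article or from 4Medapproved), the script below diffs two network scan snapshots and flags services that were not exposed at baseline. It assumes the scans were saved in nmap’s grepable (-oG) format; the hosts, ports and scan text are constructed for the example, and the list of high-risk ports is an assumed policy rather than anything the Security Rule specifies.

```python
"""Diff two network scan snapshots and flag newly exposed services.

Added example, not from the original article. It assumes the scans were
saved in nmap's grepable (-oG) format; the hosts, ports and scan text
below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: the baseline scan taken for the annual SRA.
BASELINE_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -sS -oG baseline.gnmap 10.10.0.0/24\n"
    "Host: 10.10.0.10 ()\tStatus: Up\n"
    "Host: 10.10.0.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)\n"
    "Host: 10.10.0.20 ()\tStatus: Up\n"
    "Host: 10.10.0.20 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///"
    "\tIgnored State: filtered (998)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)

# Constructed sample: the same segment a week later. A new host has
# appeared and an existing host now exposes RDP as well.
CURRENT_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -sS -oG current.gnmap 10.10.0.0/24\n"
    "Host: 10.10.0.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)\n"
    "Host: 10.10.0.20 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)\n"
    "Host: 10.10.0.77 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned\n"
)

# One -oG host line: "Host: <addr> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_LINE = re.compile(
    r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$"
)

# Assumed policy: services that should never be reachable on a segment
# that carries ePHI. Adjust to the organization's own standard.
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp"}


@dataclass(frozen=True, order=True)
class Exposure:
    host: str
    port: int
    proto: str
    service: str


def parse_gnmap(text: str) -> set[Exposure]:
    """Return every open port in -oG output as an Exposure."""
    found: set[Exposure] = set()
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:  # comment lines and "Status: Up" lines carry no ports
            continue
        host, port_list = m.group(1), m.group(2)
        for entry in port_list.split(","):
            # -oG entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            found.add(Exposure(host, int(fields[0]), fields[2], fields[4]))
    return found


def compare_scans(baseline: str, current: str) -> dict:
    """Report what the current scan exposes that the baseline did not."""
    before, after = parse_gnmap(baseline), parse_gnmap(current)
    new = sorted(after - before)
    known_hosts = {e.host for e in before}
    return {
        "new_hosts": sorted({e.host for e in new if e.host not in known_hosts}),
        "new_exposures": new,
        "high_risk": [e for e in new if e.port in HIGH_RISK_PORTS],
    }


if __name__ == "__main__":
    result = compare_scans(BASELINE_SCAN, CURRENT_SCAN)
    for e in result["new_exposures"]:
        tag = "HIGH RISK" if e in result["high_risk"] else "review"
        print(f"{tag:9} {e.host}:{e.port}/{e.proto} ({e.service})")
    print("new hosts:", result["new_hosts"])
```

Run weekly against a stored baseline, this catches exactly what the annual SRA cannot: the new host at 10.10.0.77 answering on SMB and the RDP service that appeared on an existing server, both of which would otherwise sit exposed until the next review. The comparison only reports additions; a port that closes since the baseline is a reduction in exposure and is intentionally not flagged.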

Along these lines, the requirements might also address Bring Your Own Device (BYOD). Surveys suggest that about 90 percent of providers allow BYOD, which is a major vulnerability if the devices are allowed onto an otherwise secure network. Healthcare is hardly alone in suffering from this problem. Smartphones have become vital productivity tools, but American businesses have mostly outsourced the costs to employees. In the end, this is a losing strategy, because businesses cannot control the security features of private phones.

Healthcare providers who want their employees to use smartphones as productivity tools should make a modest investment in providing staff members with business phones. These phones can be enrolled in mobile device management (MDM) software and overseen by security specialists, who can enforce device encryption, a screen lock, and current software versions. Among other security features, they typically offer a private and a business partition. Only the business partition is allowed access to secure networks, and it can be wiped remotely in case the phone is lost or employment is terminated. The point is that the organization, not the employee, controls the device holding its ePHI; a phone that the security team cannot verify and cannot wipe is a phone it cannot account for after a loss.

Whatever comes next, it is safe to assume that some new set of requirements is on the horizon. Providers cannot know what is to come, but they can prepare by ensuring that they have met all the requirements already in place, as each new set of regulations builds on those that have come previously. Providers should conduct an SRA, implement encryption, secure their networks, and address smartphone security. Any provider who has suffered the expense and embarrassment of a major breach will tell you that strong security is an investment well worth making.

Editor’s Note: Do you need training and certification in HIPAA and security compliance? Sign up for 4Medapproved’s CHSP Compliance Officer Accelerated Workshops for practical, convenient guidance on meeting security requirements. These online workshops can be viewed live or in recorded form, with unlimited access to all course materials for one year. The first workshop starts December 2, so sign up today!

