What do you need to know about HIPAA in 2020? This year, the changes are not so much about HIPAA itself, but about things that directly affect how organizations operate in the shadow of HIPAA. There is a lot of chatter in the data security and privacy world right now about GDPR in Europe and CCPA in California - and rightfully so. But let’s not forget that HIPAA, especially for companies in the healthcare field, or those in the medical device area, is ever-present and should be top of mind when handling sensitive information.
Breaches on the rise
When planning for 2020, it is worth reflecting on what we can learn from 2019. The recent report from the Department of Health and Human Services’ Office for Civil Rights breach portal shows a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018. So we know that breaches are on the rise and should be a concern for businesses in 2020. CISOs and IT directors need to keep cybersecurity and HIPAA requirements top of mind as they plan their 2020 budgets and objectives. The Office for Civil Rights even maintains a “wall of shame” breach portal where it lists companies currently under investigation with incidents including hacking, unauthorized access or disclosure, and theft of equipment.
To prevent your organization from featuring on that OCR breach list, it is important to consider the lengths scammers will go to. With the recent coronavirus outbreak, we are now seeing warnings about phishing scams that attempt to gather patient data by exploiting fear over the spread of the virus. Organizations should keep their teams up to date on the latest phishing scams with basic cybersecurity training, so that an unsuspecting employee does not click on a suspicious link with disastrous consequences.
With regard to staying HIPAA compliant, The HIPAA Journal recently reminded readers of the ways patient information can be shared during outbreaks of infectious disease. The Department of Health and Human Services confirms that in emergency situations the protections of the HIPAA Privacy Rule still apply, and healthcare organizations must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).
What are the HIPAA rules?
A quick refresher with your team on some of the basic HIPAA rules is important to stay current. The rules apply when you are collecting or storing any “Protected Health Information” or PHI (known as ePHI when collected or stored electronically). This can include names, email addresses, mailing addresses, social security details, dates directly related to an individual, etc. Any company that comes into contact with, or stores, PHI should follow HIPAA rules to protect the data.
Basic HIPAA rules include:
- HIPAA Privacy Rule: The Privacy Rule dictates how, when, and under what circumstances PHI can be used and disclosed.
- HIPAA Security Rule: The Security Rule sets the minimum standards to safeguard ePHI.
- Breach Notification Rule: The Department of Health and Human Services must be notified if a data breach has been discovered.
- Enforcement Rule: Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out.
According to the HIPAA guide, violations of HIPAA often result from the following:
- Lack of adequate risk analyses.
- Lack of comprehensive employee training.
- Inadequate Business Associate Agreements.
- Inappropriate disclosures of PHI.
- Ignorance of the minimum necessary rule.
- Failure to report breaches within the prescribed time frame.
HIPAA Compliance in 2020
In 2020, HIPAA compliance is important, but it should be part of your overall security strategy. Companies need a company-wide cybersecurity strategy and should incorporate their HIPAA compliance into that strategy. The best way to be ready for regulations and laws that are yet to come is to have a robust security program already in place, so that you will find it easier to comply with new regulations as they come into effect. Ostendio has experience working with organizations of all sizes to build security programs. We work with our customers to maintain HIPAA compliance using the cloud-based MyVCM platform. Ostendio also offers Professional Services, where our experts assist companies directly with building their security program. For more information on how the Ostendio MyVCM platform can start or improve your HIPAA compliance program, request a demo.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.