Health Care Data Insecurity in the Era of HIPAA

In the health care world, data security has long been a top-of-mind issue.

Earlier this month, Facebook CEO and founder Mark Zuckerberg was grilled in back-to-back congressional hearings about whether his company is doing enough to protect its users’ data. For many, the hearings—and the data disclosures that prompted them—were an eye-opening event, bringing to the forefront the dangers of data insecurity. In the health care world, data security has long been a top-of-mind issue. But instead of congressional hearings, administrative scrutiny occurs in a different form: the audit.

Indeed, while Congress debates what, if any, regulation is needed to protect users’ privacy on social media, health care providers have lived under the Health Insurance Portability and Accountability Act (HIPAA) for more than 2 decades, and the Health Information Technology for Economic and Clinical Health (HITECH) Act for nearly a decade. The latter of the 2 authorized the US Department of Health and Human Services’ Office of Civil Rights (OCR) to conduct audits to ensure compliance with health privacy regulations.

Rachel V Rose, a Houston-based attorney whose practice focuses on health care and corporate law, said there are generally 2 pathways to a HIPAA audit: a complaint by a consumer, or a random audit as part of OCR’s audit program. The vast majority of audits happen as a result of patient complaints. Since 2003, nearly 26,000 investigations sparked by patient complaint have led to corrective actions. Meanwhile, the second phase of OCR’s random audit program started in 2016 and results were released last year. The random program included 166 audits.

Rose said health care organizations must think ahead in order to avoid HIPAA violations. “While an OCR Pilot Program Audit cannot be avoided if one's name comes up from the random sample, an organization can avoid adverse audit findings,” she told MD Magazine. “Being proactive is crucial and the best way to avoid fines is through compliance.”

When she advises clients, Rose asks them these questions: Are you undergoing annual risk assessments by third parties? Do you have an adequate Business Associate Agreement in place with all required entities? Do you hold annual trainings, and are the policies and procedures adequate? Is your data encrypted, both at rest and in transit? Do you have current HIPAA releases signed and kept in patient medical records?
