Why HIPAA compliance is becoming more challenging

Your traditional approach to solving HIPAA compliance is no longer good enough. When HIPAA regulations first became commonplace, there was a surge of compliance effort. Your organization may have hired trainers to guide your staff. You might have modified or installed new technology systems. For a time, these compliance measures kept you on the right side of the law.

However, the world has changed, and your earlier HIPAA compliance efforts are unlikely to take care of today’s challenges. Let’s take a quick look at a few trends that are making HIPAA compliance more difficult than ever before.

Four Reasons Why HIPAA Compliance Is Getting More Difficult

These trends are exerting pressure on health care providers, patients and the rest of society. If a specific trend has not impacted your organization yet, take a breath. That means you still have some time to rebuild your HIPAA compliance program. If the trend has impacted you, you need to take action to get back on track.

1) Increased Volume of Digital Health Data

Compared to a few years ago, patients and health care providers are producing and collecting far more health data than ever before. Some of this data is relatively low risk, such as readings from health and fitness tracking devices. However, the volume of medical tests being conducted in 2020 has dramatically increased as a result of pandemic screening. According to the CDC, there have been more than 41 million pandemic tests in the United States in 2020 alone.

In addition, millions of people are tested every year for cancer and chronic illnesses. All of these tests generate highly sensitive data. Finally, universities and labs continue to conduct medical research to develop new therapies.

As a consequence, it is now much more difficult for HIPAA compliance administrators to stay current with the sheer volume of health data.

2) Increased Health Data in the Cloud

If the sheer increase in the volume of health data weren’t enough of a challenge, that data is also becoming harder to track.

Put yourself in the shoes of a HIPAA compliance professional at a large research hospital. Each year, thousands of patients, nurses, doctors and researchers come through your doors. You may have a seat at the table for significant health research projects to ensure that proper HIPAA protocols are observed. However, you may not cover everything. For instance, a few researchers may decide to explore a new cloud health analytics app and pay for it using outside research funding. In that scenario, the comprehensive coverage of your HIPAA compliance program is undermined.

3) Public Expectations For Data Security And Privacy Are Increasing

While there has always been a certain level of sensitivity regarding health data, public expectations have shifted over time. Since 2016, multiple privacy and data security scandals have rocked the world. On the regulatory front, we have seen the rise of new requirements such as Europe’s GDPR (General Data Protection Regulation) and the California Consumer Privacy Act (CCPA).

While these laws are not directly related to HIPAA, they are important. Specifically, there is less tolerance and patience for mistakes and oversights in data security and in handling privacy requirements. If your past approach to the security side of HIPAA compliance was limited in scope, you might need to enhance those processes to keep pace with changing expectations.

4) HIPAA Problems Are Making The News

While HIPAA requirements have been around for years, these expectations may not have been top of mind for your organization. That’s one reason why we need to take note of a few HIPAA-related developments in 2020.

According to an article in Health IT Security, “After two years of litigation and a partial dismissal, UnityPoint Health has reached a proposed $2.8M settlement with the 1.4 million patients impacted by two phishing-related data breaches.” In addition to the settlement amount, the organization was required to make other changes to improve its systems and processes. From a HIPAA compliance perspective, the organization failed to accurately inform patients about the nature of the breach in the manner required by law.

Monetary penalties and required system changes are just some of the consequences of failed HIPAA compliance. HIPAA Compliance Journal reports, “Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.” Unfortunately, the individual improperly accessed several thousand patient records before being terminated. Improper access to health records causes stress and anxiety for patients in addition to legal difficulties for the organization.

Your Road Back To HIPAA Compliance Starts Here

Keeping current with HIPAA compliance is getting more difficult. Failure can lead to hefty fines, lawsuits, negative publicity and job losses. To reduce the chances of such an incident happening to your organization, it is important to take proactive steps. The single best way to improve HIPAA compliance is to make your security protections automatic and comprehensive.

Apply The Principle of Least Privilege

IT security software tools make that much easier. For example, you may make it a priority to reduce the number of users with access to patient health data. Apply the principle of least privilege to your user accounts so that only the people who need this sensitive data to do their jobs can reach it.

Introduce Multi-Factor Authentication (MFA) For Access To Health Records

Unauthorized access to thousands of health records is a nightmare! Training employees on the importance of HIPAA compliance will help. However, we also need to realize that most employees do not spend their days thinking about HIPAA. Therefore, it is vital to equip employees with robust security tools that make improper disclosure less likely. For example, consider requiring biometric authentication before granting access to large medical databases. If your organization has never used this type of security, read our overview of biometric authentication here. Once you decide to get started with multi-factor authentication, you might find the implementation process time-consuming. It doesn’t have to be. Use our guide to implement multi-factor authentication faster with FIDO2.

Written by Nelson Cicchitto