Healthcare data breaches expose demographic or financial information, putting patients at risk of fraud or identity theft. Third-party vendors are a frequent cause of patient data breaches. That’s why it’s important for healthcare entities to choose a HIPAA-compliant medical transcription company for their EHR-related documentation requirements. At the recently held “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference, focused on the Health Insurance Portability and Accountability Act (HIPAA) regulatory framework, the federal Office for Civil Rights (OCR) highlighted the increasing number of breaches related to hacking/IT incidents.
Patient Privacy Breaches on the Rise
The latest Protenus Breach Barometer reveals that patient privacy breaches may be on the rise, with hacking causing the majority of security incidents in 2019. Other causes identified by the study include phishing attacks, malware or ransomware, extortion via ransomware, and data theft. Key findings in the report:
- Up to 31.6 million patient records were breached in the first half of 2019, double 2018’s total of 15 million.
- There is at least one health data breach per day
- There was a total of 285 incidents from January to June 2019
- Hacking accounted for 60% of the total number of breaches during the first half of 2019, with 168 hacking incidents involving 27.8 million records
- Hospital insiders were responsible for more than 3 million patient record breaches during the reported timeframe (in 60 incidents)
- 45 percent of Business Associate (BA) breaches were caused by an outside hacker
- The single largest breach in the first half of 2019 was the hacking of over 20 million patient records, which involved a third-party billing collections firm
“Hacking continues to threaten healthcare organizations, with a distressing number of patient records breached in the first half of the year,” researchers wrote. “Breaches of patient privacy continue to loom throughout the healthcare industry and seem to be on the rise in the first half of 2019.”
HIPAA Enforcement Initiatives a Top Priority in 2020
At the 11th annual HIPAA conference, OCR highlighted its top HIPAA enforcement initiatives. Moving into 2020, organizations handling health data need to take steps to adhere to standards that ensure protected health information (PHI) is secure, and should be aware of:
- Shifting OCR enforcement priorities
- Regulators’ continued attention to key HIPAA compliance activities
- The changing threat landscape for health data, and
- New guidance and frameworks for health data not regulated by HIPAA
The conference emphasized OCR’s focus on the following:
- Ensuring patients and their families have access to important information
- Action to enforce HIPAA Right of Access
- Importance of responding in a timely and appropriate manner to breaches and complaints
- Importance of compliance cornerstones – OCR stressed “risk analysis at the front end” as a major point of enforcement
- Increasing incidence of phishing attacks and network attacks, and also insider attacks
- New tools and guidance on privacy and security best practices
HIPAA 2020 Requirements for Healthcare Entities
Organizations in the healthcare industry need to implement “reasonably appropriate” protections to protect and secure patients’ PHI. This will minimize the risk of experiencing a healthcare data breach. The Compliance Group lists the HIPAA requirements for 2020 as follows:
- Technical: This refers to implementing cybersecurity measures such as encryption or firewalls to protect PHI on electronic devices.
- Physical: The security of an organization’s physical site should be maintained with measures such as video cameras, alarms, and keypad locks with unique access codes for each employee.
- Administrative: All employees must be trained on the specific policies and procedures that apply to the organization’s business processes.
Organizations need to conduct self-audits of their privacy and security practices to ensure that they meet HIPAA 2020 standards.
HIPAA and Third Party Vendors
Healthcare organizations need to ensure that the third parties they partner with (business associates, partners, and subcontractors) also meet HIPAA regulations. For example, a medical transcription company that handles EHR-related documentation is required to comply with HIPAA regulations and safeguard the patient information it stores, creates, transmits, or maintains. Healthcare providers are responsible for the privacy and security of their patients’ information at all times. That’s why it’s essential to partner only with a HIPAA-compliant third-party vendor.
Before outsourcing medical transcription or any other office task, practices need to evaluate whether the company is HIPAA-compliant. Having a checklist that covers the technical, physical, and administrative facets of HIPAA compliance can help physicians choose the right medical transcription service provider. Vendor evaluation should cover the following points:
- Vendor’s HIPAA risk assessment, security policies and procedures
- Protocols in place for responding to a breach/emergency
- Written contracts on how client data will be handled – who within the company will have access to the data and how that access is controlled
- Whether there is a provision for regular data backups of stored data in standard format
- How frequently activity logs are audited
- Whether they are carrying out regular HIPAA risk assessments
- Encryption of sensitive data both at rest and in transit
- Workstation policy
The vendor should be required to sign a Business Associate Agreement to the effect that the vendor will abide by security laws and all pertinent conditions as mandated by HIPAA. It should be clarified in the written contract that the vendor does not have ownership of any personal data, but only a limited license to use the data as outlined in the written contract. A liquidated damages clause should be created that clearly states the vendor must fairly compensate the Provider if any stored data is lost, destroyed, or breached (ITPAC Consulting). Have a HIPAA expert review these conditions and confirm that they are sufficient for maximum security.