HIPAA compliance programs can be tricky for providers and covered entities, regardless of size. I discovered this first-hand late last year when my wife called to set up her own appointment with a provider I also visited. As soon as my wife gave her information, the assistant on the other end of the line recognized our shared last name and proceeded to discuss my scheduled appointments with her.
Intentional or not, this provider just committed a HIPAA violation, as my wife was not on my Protected Health Information (PHI) disclosure list. While there was no real damage done, such incidents serve as a cautionary tale for how easily breaches can occur. This incident also raises a larger question: How do covered entities create an effective HIPAA compliance program, despite a growing market for PHI and increasing security challenges in an ever-changing healthcare landscape? To answer this, we first need to understand the risk.
UNDERSTANDING YOUR RISK FOR HIPAA VIOLATIONS IN THE INFORMATION AGE
If you’re a provider or covered entity placing your HIPAA compliance on the back burner, you aren’t alone. As of November 2022, HHS noted that 68% of the complaints it investigated involved HIPAA-covered entities that were not HIPAA compliant. While the penalties for noncompliance vary depending on a number of factors, the potential risk of violations has grown with a burgeoning information market for PHI. 2021 was a record year for HIPAA violations nationwide due to multiple risk factors, including:
1. The adoption of remote work and telehealth. As remote work has flourished, so too has access to PHI shared across unsecured networks or with third parties. Team members working from home often lack the physical and digital safeguards of offices. Meanwhile, telehealth provides more avenues for information to be stolen electronically.
2. The rise in patient demands for PHI. Patients are demanding greater access to their health data. What used to require a phone call or in-office visit can now, largely, be shared digitally. With this change, opportunities for potential violations have increased.
3. The failure to establish compliance agreements with business associates. Not all covered entities are providers, but everyone who has access to PHI is required to keep it safe. Often, business associates that partner with providers or institutions have access to PHI, but the business associate agreement itself isn’t HIPAA compliant. If one of these business associates suffers a breach, the provider or partner institution is liable.
4. The incentive for bad actors to intercept PHI. Individual healthcare records are now worth hundreds of dollars on the dark web. This has created a powerful incentive for hackers to obtain this data, which contributes to a growing number of cybersecurity threats, including ransomware attacks.