Top 3 HIPAA Compliance Challenges of This Year

November 17, 2022 - In the years since HIPAA was first enacted in 1996, technological and societal developments have left covered entities with no shortage of compliance challenges. This year was no exception.

“This has been quite the year for those who have to ensure compliance with HIPAA at their organizations,” Rebecca Herold, CEO and founder of The Privacy Professor and member of IEEE, a nonprofit technical organization, said in an interview with HealthITSecurity.

“Not only for the legal issues with Dobbs,” Herold said, “but also new technologies and the fact that these new technologies are bringing awareness of issues that the organizations have never had to deal with before.”

Reflecting on the past year, it is clear that recent events and developments have continued to shape HIPAA compliance approaches in unique ways. As organizations look toward 2023, they can use the lessons learned over the past year to inform future compliance strategies.

Dobbs Decision Raises HIPAA Questions

The Supreme Court’s June 2022 decision on Dobbs v. Jackson Women’s Health Organization endangered abortion rights in different ways across the country. It also presented unique challenges when it came to HIPAA compliance.

Providers questioned the complexities of balancing their duty to protect patient information under HIPAA with law enforcement requests for data.

“What covered entities need to understand is HIPAA does allow for exceptions for law enforcement and so on,” Herold explained.

“However, what many organizations don't realize is that that's not a default that they have to provide that information to law enforcement. The only time they're truly compelled is if there's a warrant.”

OCR cleared up this confusion via a detailed guidance document issued shortly after the Supreme Court’s decision. Within the guidance, OCR explained that if a law enforcement official went to a reproductive healthcare clinic and requested abortion records without a court order, the HIPAA Privacy Rule would not permit the clinic to disclose protected health information (PHI). If the clinic did disclose PHI, it would be considered a breach.

However, with a warrant, the covered entity would be permitted to disclose only the PHI authorized by the court order.

“Providers who may be concerned about their obligations to disclose information concerning abortion or other reproductive health care should seek legal advice regarding their responsibilities under other federal and state laws,” OCR stated.

Herold recommended that covered entities have a point person available to handle these interactions to ensure that any PHI requests by law enforcement are dealt with properly.

“Another thing that the Dobbs decision has brought to light when it comes to common HIPAA compliance problems is the fact that too many covered entities and their business associates who are supporting them oftentimes keep way too much PHI beyond the point in time that they need it to support treatment, payment, and operations,” Herold also noted.

“It's always been a privacy-preserving practice to only keep or only collect the PHI necessary to support the reason that it's being collected.”

It is crucial that covered entities take care to collect only the information needed for clinical care, operations, and payments, leaving out additional information that could be misinterpreted or taken out of context.

Breaches Highlight Third-Party Risk Challenges

Third-party risk has always been a HIPAA compliance consideration. HIPAA-covered entities are required to enter into business associate agreements (BAAs) with any third party that handles PHI. This year has shown that, like in years past, managing third-party risk remains a challenge for HIPAA-covered entities.

Seven of the ten biggest healthcare data breaches reported to OCR this year so far (as of September) originated from third-party vendors. For example, a breach at third-party mailing and printing vendor OneTouchPoint impacted 2.6 million individuals and 35 organizations.

The Meta pixel case in particular served as a cautionary tale for third-party risk. Multiple healthcare entities reported that they had used the Meta pixel tracker on their websites for the purposes of tracking user activity and patient preferences, not realizing that it had potentially been sending personal information back to Facebook in the process. The social media giant denied allegations that collected health data.

But the case brought up questions about what the pixels were really doing on hospital websites in the first place. Tracking pixels are commonly used for targeted marketing along with tracking user activity. This issue may stem from the fact that the business associates or web developers contracted to create and maintain hospital websites may not know the ins and outs of HIPAA and PHI, pointing to a need for greater education and thorough BAAs.

“So when they are putting in different types of trackers on the website for a portal that they created for a hospital where patients go to enter their information or check their records, business associates may not be protecting what they view as simply online technology and not PHI,” Herold suggested.

Herold urged covered entities to ensure that business associates have appropriate oversight and are protecting PHI as required by HIPAA. Specifically, business associates should undergo risk assessments annually, or whenever significant operational or organizational changes are made, share an executive summary of the risk assessments with the covered entity, and provide a copy of their security and privacy policies to the covered entity.

“Those three things alone could help to strengthen safeguards and compliance posture of both the covered entity and the business associate that they contracted,” Herold said.

IoT, Emerging Tech Requires New HIPAA Considerations

As previously mentioned, HIPAA was enacted well before many of the technologies that are now commonplace in healthcare were relevant. For example, healthcare organizations now rely heavily on Internet of Things (IoT) devices and internet-connected medical devices. In addition, the pandemic spurred an uptick in telehealth use, which comes with its own set of security and privacy risks.

The Health Sector Cybersecurity Coordination Center (HC3) recently issued a brief that explored how various emerging technologies, such as artificial intelligence (AI), 5G, and smart hospitals could impact healthcare cybersecurity.

Herold, who has played a role firsthand in the creation of National Institute of Standards and Technology (NIST) information security and privacy standards and research, noted that it can be challenging to continuously manage and monitor all the new technologies and devices that are part of an organization’s ecosystem. With each new technology comes a new set of compliance considerations.

“It is important for covered entities and business associates to realize that once they have their compliance program established, they have to continue to evolve that program as new risks, new technologies, and new practices are also added into their digital ecosystems,” Herold explained.

Additional federal guidance would be welcome in this space to help healthcare organizations navigate this uncharted territory. Herold stressed the importance of federal agencies including stakeholder input in the creation of new guidance. For example, NIST released an updated draft of its HIPAA Security Rule guidance in July and actively sought feedback from industry stakeholders.

HIPAA compliance challenges are unlikely to go away any time soon. But covered entities that view compliance as an ongoing journey rather than a one-time action can successfully reduce risk.