All healthcare organizations can work on improving their privacy and security by focusing on their cybersecurity preparation, HIPAA compliance, and staying people-oriented, according to a recent blog post on the Journal of AHIMA.
AHIMA’s 11th annual Privacy and Security Institute highlighted several ways that entities can focus on the larger trends and apply lessons to their daily operations, wrote contributor Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS-TR.
For example, Boston Children’s Senior Vice President for Information Services and Chief Information Officer Daniel J. Nigrin, MD, MS, explained in a session that cybersecurity preparation is essential. Organizations need to incorporate appropriate preventative measures into their daily operations.
“He highlighted that when [Boston Children’s] discovered the possibility of an attack, they were not sure if the threat was legitimate or not, but decided not to let the validity of the threat stop the organization from preparing in the event an attack happened,” the post explained. “After three weeks of silence, they thought their organization was ‘out of the woods’, but lo and behold, an attack did start.”
“Because the organization had taken the threat seriously and implemented contingency plans in case of an attack, they were able to execute their plan and minimize organizational impact when the attack did pick up.”
Cybersecurity preparation, such as backing up data, has also been underlined by OCR. A data backup plan, a disaster recovery plan, and an emergency mode operation plan are not only required elements under the Security Rule, but are greatly beneficial, OCR wrote in a September 2017 release.
Sensitive data needs to remain protected during times of crisis, such as in the aftermath of a hurricane or following a cybersecurity attack, but ePHI also needs to be accessible to ensure proper patient care.
“The Privacy Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur,” OCR said. “The HIPAA Security Rule’s requirements with respect to contingency planning also help HIPAA covered entities and business associates assure the confidentiality, integrity and availability of electronic PHI (ePHI) during an emergency such as a natural disaster.”
The blog post also stressed that covered entities need to understand that HIPAA has grey areas, and is not a “one-size-fits-all black-and-white experience.”
For example, what is considered a “reportable breach” will likely differ from one organization to the next.
Ransomware is one increasingly debated issue, with organizations questioning whether or not a ransomware attack is considered a HIPAA data breach. HHS states a breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
Under ransomware guidance released in July 2016, OCR said each situation must be treated individually, as it is a “fact-specific determination.”
“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack,” OCR said, “a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
People will always remain at the center of the healthcare industry, the AHIMA blog post added. This aspect covers organizations needing to incorporate regular and comprehensive employee training, and also includes entities having to ensure patients can access their own PHI.
“Even with the advent of health information exchanges (HIEs), enterprise data warehouses (EDWs), and health information service providers (HISPs), technology does not mean an automated patient experience,” the post explained. “Compliance will still be involved to verify authorizations in the case of third-party PHI disclosure or in cases of mental health, behavioral health, and substance abuse treatment.”
The healthcare industry – and its associated technologies – will only continue to change, Wickenhauser continued. Organizations must remain educated on any federal or state changes, which will help entities maintain compliance.
“Compliance and healthcare professionals alike can expect many changes with interoperability and the increasing frequency and methods of data exchange,” she wrote. “As the healthcare industry changes and evolves, so will healthcare compliance.”
Finally, the AHIMA Institute showcased how stakeholders can continue to learn from one another, and that working together will help organizations stay educated and engaged. This further underscores the growing need for information sharing, and how organizations can benefit from joining an information sharing and analysis organization (ISAO).
“One of the most helpful and powerful parts of the Privacy and Security Institute was hearing from other people who had been there, such as Nigrin’s Hacktivists presentation and April Carlson’s session on her experience going through an OCR audit,” the post said. “When we participate in conversation, pursue education, and share our experiences, we all help advance healthcare and compliance.”