During the 1990s, the medical world was undergoing a transition. For decades, hospitals and medical offices had kept physical copies of patient records in file folders. With the growth of the internet, these facilities saw the benefits of sending digital patient records between institutions. Electronic records made patient care faster, but they exposed sensitive patient data to security breaches.
The Health Insurance Portability and Accountability Act of 1996 sought to create measures to protect patient information while keeping it available to medical professionals. Since that year, every institution that handles protected health information (PHI) must comply with the guidelines.
The medical world's dependence on online data transmission has expanded, and the legislation has grown with it. The U.S. Department of Health and Human Services (HHS) is responsible for developing HIPAA standards. HHS began early on with the HIPAA Privacy Rule, which spelled out general expectations for handling PHI. In 2003, the HIPAA Security Rule added more specific guidelines for safeguarding electronic patient records.
The 2009 HITECH Act acknowledged that business associates such as SaaS providers might handle electronic PHI (ePHI). These organizations must also comply with HIPAA guidelines.
Also in 2009, HHS issued the Breach Notification Rule as part of HIPAA. This rule was more specific about an organization's responsibilities in response to a data breach. The latest rule added to HIPAA is the 2013 Final Omnibus Rule, which outlines the standards for Business Associate Agreements.
The HIPAA legislation recognizes that not all healthcare organizations are the same. A complex medical center poses a larger security risk than a rural office with a single physician. The procedures and policies necessary to maintain HIPAA data security compliance will depend on factors such as the size, complexity and overall risk of the covered entity. The HIPAA rules also acknowledge that cost can be a factor for smaller organizations.
Keeping electronic patient data safe begins with examining risks and developing appropriate policies. Because electronic patient health information has become an essential part of medical care, there are many potential places for HIPAA violations. Organizations must strive to adopt a culture of data safety.
The simplest point of entry for a security breach is through the physical devices at a facility, such as workstations, laptops and portable media. Organizations must adopt practices that limit this risk.
IT professionals are responsible for the safety and security of an organization's network. They are the team that configures and maintains the systems that protect patient data.
Medical practices during the COVID-19 pandemic have created new challenges for HIPAA compliance. The increased number of emergency patients caused some facilities to relax standards. To maintain social distancing rules, more patient interactions happened over video conferencing platforms. As pandemic restrictions lift, covered entities must stay alert for HIPAA updates and reassess their compliance safeguards.