In 2013, the HIPAA guidelines were amended by the Final Omnibus Rule. HIPAA was extended to cover “Business Associates”, and the regulations relating to a patient’s right to access their healthcare information were revised. These changes introduced in the 2013 HIPAA guidelines were widely expected and caused relatively little concern among HIPAA covered groups.
However, a major change in the 2013 HIPAA guidelines was a revision of the rules governing when a breach of Protected Health Information (PHI) must be reported to the Department of Health and Human Resources Office of Civil Rights (OCR). This much less reported revision has major consequences for HIPAA covered entities, and for healthcare groups in particular.
Whereas previously healthcare groups had a duty to report a breach of PHI only if there was a high risk of harm to a patient’s reputation or finances, the revised rules state that any breach, loss or inappropriate disclosure of PHI has to be reported unless it can be established and documented that the risk of harm is minor.
Along with this revision of reporting obligations, the OCR introduced tougher financial penalties for breaches of PHI in the 2013 HIPAA guidelines. The upper limit of the financial penalty was increased to $50,000 per breach per day, with a yearly limit of $1.5 million. The extra income generated by the OCR will be used for more stringent enforcement of the HIPAA regulations – meaning that healthcare groups not yet in compliance with HIPAA should take immediate action to prevent unauthorized access to, and the inappropriate disclosure of, PHI.
New Procedures in 2013 HIPAA Guidelines
The 2013 HIPAA guidelines also closed certain gaps in the procedures that had evolved since the original HIPAA legislation was passed in 1996. For example, amendments to the HIPAA Information Access Management Rule now mean that users can only be granted access to PHI once the healthcare group has completed a documented process that establishes the identity of the user and determines their need to access PHI. This replaced the earlier accepted practice of blanket authorization for an entire workforce.
This new procedure should make it simpler for a HIPAA covered entity to determine where a breach of PHI originated and to take measures to prevent a breach occurring for the same reason again. It also helps covered entities determine whether the breach still has to be reported to the OCR, by completing a risk assessment to establish:
- Whether the sort of data that has been accessed presents a risk of harm to a person.
- Whether there is only a minor risk of data misuse, given who accessed the data.
- Whether the breach of PHI actually led to an unauthorized disclosure.
- Whether the danger of harm to a patient has been addressed by the destruction of the disclosed PHI.
Preventing Data Breaches with Secure Messaging
Ultimately, it is in a HIPAA covered group’s best interests to prevent unauthorized access to, and the inappropriate sharing of, PHI. Many HIPAA covered groups – including four of the top five paid-for healthcare groups in the country – have chosen to use secure messaging solutions to avoid breaches of PHI.
Secure messaging solutions help healthcare groups comply with the 2013 HIPAA guidelines by creating a private communications network within which all PHI is encrypted, and through which all messages containing PHI are sent and received.
In compliance with the HIPAA Information Access Management Rule, only authorized users are given access to the network, via secure messaging apps that can be installed on desktop computers or mobile devices. The apps have mechanisms in place to stop PHI from being sent outside of the private communications network, copied and pasted, or stored on a USB flash drive (lost and stolen USB drives are the second most common cause of PHI breaches, behind lost and stolen laptops).