The new year is here, and as we look ahead we see more changes coming for healthcare security. Below are our predictions for HIPAA 2015.
The Office for Civil Rights, the department responsible for enforcing HIPAA, is likely to increase investigations in 2015.
All signs point to a rise:
These factors combine to make it highly likely the OCR will increase pressure on covered entities in 2015 with more investigations.
The top three causes of healthcare data breaches are related to negligence, according to research from the Ponemon Institute:
The top three have remained relatively steady compared to the fourth major cause: criminal attacks.
The number of healthcare organizations hit by a criminal attack doubled from 20% in 2010 to 40% in Ponemon's 2014 report.
That doubling leads us to expect criminal attacks to keep rising in 2015, possibly enough to enter the top three causes of healthcare data breaches.
Last year the OCR delayed its second round of compliance audits. It originally planned to audit 350 randomly selected covered entities between Oct. 2014 and June 2015.
The audits are now planned for some time in 2015. What does this mean? 350 lucky covered entities will have to show practical application of privacy and security policies throughout their organizations, as well as documentation and a host of other details.
Only 11% of the organizations audited in the first round were free of issues, according to HITECH Answers.
2014 was the year of the business associate agreement. Healthcare providers and their associates had until Sept. 22 to sign a contract that obligated them to protect patient health data.
2015 may be the year of the “agreement refresh.”
Covered entities and their associates may have rushed to sign agreements as the 2014 deadline loomed. Knowing that business associates may be responsible for up to 60% of all major PHI breaches, we expect all parties to give their agreements a closer look this year.
Patients cannot sue a provider for violations under HIPAA, but they can use HIPAA as a standard of care in some lawsuits, according to a ruling by the Connecticut Supreme Court.
From the Fox Rothschild blog:
“The decision adds the Connecticut Supreme Court to a growing list of courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law.”
What does this mean? You can expect more lawsuits from individuals under state privacy law that use HIPAA's requirements as the standard of care.
Health data is valuable. With proper processing and management, it can yield insights that improve patient outcomes and the bottom line.
But health data is also a liability. Every covered entity and business associate that touches it is obligated to protect it under HIPAA.
De-identification is the process of stripping health data of the information that can be used to identify individuals. Data that meets HIPAA's de-identification standard is no longer treated as protected health information, so the goal is to reduce privacy risk to the point where the data can be more easily used by third parties who wish to mine it for insights.
As more healthcare organizations wish to leverage the power and value of their data, de-identification may rise as a way to extract its value without disproportionately increasing risk and liability.
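As an added illustration, and not code from the original post, the following Python sketch applies HIPAA's Safe Harbor de-identification method (45 CFR 164.514(b)(2); the rule's other option is expert determination, which this example does not cover). Safe Harbor removes 18 categories of identifiers; the example shows the ones practitioners most often get wrong: ZIP codes truncated to three digits (or 000 for areas of 20,000 people or fewer), all date elements except the year, and ages over 89 collapsed into a single "90 or older" bucket. The patient records, the small-ZIP prefix list and the as-of date are constructed for this example; a real implementation must derive the small-ZIP set from current Census data.

```python
"""Safe Harbor-style de-identification of patient records (constructed example)."""
import re
from datetime import date

# Constructed set of three-digit ZIP prefixes assumed to cover 20,000 people or fewer.
# Assumption for illustration only: Safe Harbor requires this set to come from
# current Census Bureau population data, not a hard-coded list.
SMALL_ZIP3 = {"036", "059", "102", "203", "556"}

# Reference date for age calculation (constructed; use the extraction date in practice).
AS_OF = date(2015, 1, 5)

# Patterns for identifiers that commonly leak into free-text notes (best effort only).
_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # Social Security number
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),  # US phone number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),          # email address
]

# Constructed sample records containing direct identifiers that must not survive.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
     "dob": date(1950, 3, 14), "admitted": date(2014, 11, 2),
     "state": "CT", "zip": "06105-1234", "dx": "E11.9",
     "notes": "Call 860-555-0199 or mail jdoe@example.org; SSN 123-45-6789"},
    {"name": "John Roe", "ssn": "987-65-4321", "mrn": "MRN-0002",
     "dob": date(1920, 6, 30), "admitted": date(2014, 12, 20),
     "state": "NH", "zip": "03601", "dx": "I10",
     "notes": "No contact info on file."},
]


def zip3(zip_code):
    """Geographic unit: first three ZIP digits, or 000 for sparsely populated areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    prefix = digits[:3]
    if len(digits) < 5 or prefix in SMALL_ZIP3:
        return "000"
    return prefix


def age_on(dob, as_of):
    """Completed years between dob and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if had_birthday else 1)


def scrub_text(text):
    """Replace SSN, phone and email patterns in free text with a placeholder."""
    for pattern in _TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify_record(record, as_of):
    """Return a new dict containing only Safe Harbor-permitted fields.

    Direct identifiers (name, SSN, MRN, phone, email, street address) are dropped
    by construction: the output is built from an allow-list rather than by deleting
    keys from the input, so a newly added PHI field cannot slip through unnoticed.
    """
    age = age_on(record["dob"], as_of)
    over_89 = age > 89
    return {
        "state": record["state"],
        "zip3": zip3(record["zip"]),
        # Ages over 89 collapse into one bucket and lose their birth year as well,
        # because year of birth alone would reveal the age.
        "age": "90+" if over_89 else age,
        "birth_year": None if over_89 else record["dob"].year,
        "admission_year": record["admitted"].year,  # year only; month and day removed
        "dx": record["dx"],
        "notes": scrub_text(record["notes"]),
    }


def deidentify_all():
    """De-identify the constructed sample set against the constructed as-of date."""
    return [deidentify_record(r, AS_OF) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in deidentify_all():
        print(row)
```

Two design points worth noting. First, the output is assembled from an allow-list, so adding a new identifying column to the source schema cannot leak it; a deny-list that deletes known keys fails open. Second, regex scrubbing of free text is only a safety net: names, dates and other identifiers in narrative notes are not reliably caught by patterns, so under Safe Harbor the notes field should be reviewed or dropped entirely, and the rule additionally requires that the covered entity has no actual knowledge that the remaining data could identify an individual.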
The concept of telemedicine – providing medical care electronically from a distance – is an attractive way to reduce barriers to care and possibly cut the costs of providing care in rural areas.
As the technology decreases in cost, we expect to see more interest in telemedicine. However, it opens a list of legal questions about HIPAA compliance in 2015.
We expect these questions to increase barriers and slow the adoption of telemedicine until adequate resources are allotted to address compliance and security.