HIPAA’s demands on the IT industry
We’re familiar with signing our lives away at the doctor’s office on HIPAA paperwork, but how is this policy affecting the IT industry?
Since the mid ’90s, the Health Insurance Portability and Accountability Act has regulated health insurance coverage and health care transactions. HIPAA protects patient privacy to ensure safekeeping of all medical information the patient may not wish to disclose. Long story short: HIPAA creates a higher standard to protect patient privacy and confidentiality. HIPAA holds institutions, organizations and offices responsible for protecting private patient information — and provides a framework for punishment when violators unlawfully access or share protected information.
In the past, HIPAA primarily affected hospital procedures. However, a large shift in policy created a ripple that stretched out to the IT industry. The Health Information Technology for Economic and Clinical Health Act of 2009 added technology and financial associates to the list of regulated parties. Things changed even more in 2013 when lawmakers added the Final Omnibus Rule, which significantly expanded the act's Protected Health Information regulations. This ruling greatly changed the relationship between HIPAA and the IT industry.
The rule’s provisions allowed HIPAA to administer new regulations on modern technology and the IT industry. The Final Omnibus Rule paid special attention to cloud storage, mobile devices and remote technologies that offer new ways to access patient information — and, consequently, provide more opportunities for privacy and security breaches. Formerly, a security breach was only considered a breach if the information contained birthdates or ZIP codes. Under the Final Omnibus Rule, all breaches of limited data must be handled the same, regardless of their content.
So, where does this leave the IT industry? When a cloud database administrator or independent IT consultant works directly with protected health information, the person or company automatically becomes a business associate who is subject to the rules and penalties of HIPAA. Since health care providers and their system administrators already know HIPAA regulations well, the IT industry and service providers are now playing catch-up. This means the IT industry has to learn the new regulations quickly and thoroughly to ensure the rules are being followed accordingly. For those still playing catch-up, or those that need a refresher course, allow us to summarize the rules of Title II:
The Privacy Rule —Gives patients more control and protection over their confidential information.
The Transactions and Code Sets Rule — Keeps transactions standard throughout the industry.
The Security Rule — Updated to accommodate for the technological advances and thus the new forms of security breaches.
The Unique Identifiers Rule — Standardizes and protects the communication between health care providers and insurers.
The Enforcement Rule — Includes harsh penalties for HIPAA violations.
For people working with medical and patient data on a daily basis, HIPAA's privacy and security rules directly affect both the hardware and the software used to store and send data. According to the U.S. Department of Health & Human Services, everything from Drug Enforcement Administration numbers to vendor finances to patient identities can be subject to security breaches in health care databases. With so much at risk, the IT industry must be aware of the new regulations and be prepared to provide counsel on security and backup plans.
IT companies have come up with several solutions for security and backup that are HIPAA compliant, due to an increased need after 2013. Cloud computing offers ease of access, reliable backups and streamlined communication. Additional private cloud options were created with HIPAA regulations in mind — making sure all operations are secure, smart and compliant. With a private cloud, data is separate, safe and in an identifiable location. Only the particular client has access to the data in private clouds, perfectly complying with HIPAA policy.
New regulations are always a headache for database administrators, but HIPAA might settle the score with its new rules by preventing many more problems in the future. Hopefully, stricter privacy regulations and more defensive systems will emphasize the importance of innovative, up-to-date storage centers and solutions.