The Health Insurance Portability and Accountability Act, otherwise known as HIPAA, was passed in 1996 and signed into law by President Clinton. President Bush amended the law in 2002 to include the “privacy rule.” In 2015 President Obama’s Affordable Care Act mandated that health care providers switch their paper charts to electronic records, further emphasizing the need for HIPAA standards.
The internet has transformed society in the nineteen years since HIPAA was passed into law. Medical records have been transferred from the laborious, dusty manila folders in the backs of doctors’ offices to the ease and rapidity of cyberspace. The privacy rule is described on the website of the Department of Health and Human Services:
The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
In the wild, wild west of the World Wide Web, how realistic is the “privacy rule”? Many experts are deeply concerned with the wanton proliferation of personal data that flows between institutions.
“The thing I worry about is not that we are doing it, but that we’re doing it without the right safeguards,” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. “We have been giving (medical providers) incentives to move into the electronic-health-records era. But we haven’t been giving them enough guidance on how they’re supposed to do it.”
One major threat that is emerging from the hornets’ nest of online medical information is a black market for stolen health care data. Health records contain details like mothers’ maiden names and social security numbers. This type of data brings a much higher return for hackers than stolen credit card information. Experts say this type of breach makes companies vulnerable to a type of corporate extortion that is very expensive to eradicate. In February NPR published a report on cybersecurity and health records.
Health care companies saw a 72 percent increase in cyberattacks from 2013 to 2014, according to the security firm Symantec. Companies are required to publicly disclose big health data breaches. And there have been more than 270 such disclosures in the last two years.
Jeanie Larson, a health care security expert, says cyber-standards are too low for hospitals, labs and insurers. “They don’t have the internal cybersecurity operations.”
Companies subject to federal HIPAA rules, which were designed to protect privacy, choose to interpret them loosely — in a way that gets around the basics, like encryption.
Do not leave your business vulnerable to attacks from cybercriminals or The Department of Justice. An ounce of prevention is worth a pound of cure. Medical providers need guidance to regulate information for myriad reasons. Anyone who uses Google knows that finding information is not a problem. The issue is streamlining and protecting information efficiently. Doctors, hospitals, and insurance companies must be able to share data with effective and legal methods. Contact us to help your company utilize and comply with HIPAA standards. Make sure that you and your clients are guarded against internet outlaws and reckless institutional practices.
Greenlight Technologies. Enterprise Solutions. Beyond Boundaries.