Prime Factors Blog

Potential HIPAA Changes in 2017

Posted by Pete Flagella on Mar 14, 2017 10:00:00 AM

A new government means new priorities and agendas — which can lead to new compliance rules that you'll inevitably need to learn. These changes can throw a company into chaos as everyone struggles to decide on the straightest line from current policies to better security. Understanding more about the political, economic, and technology climate can make these changes easier to digest.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption.

Privacy in a New Age

When the government has trouble keeping its own private information to itself, it may seem like a futile mission to regulate confidential data in other industries. But HIPAA does serve a number of functions, even if companies often fall woefully short of all it entails. For many years, enforcement of the law was lax at best, but times have changed. More officials and regulators have been assigned to investigate healthcare companies' adherence to the rules, both before and after an incident occurs. And it's not just hospitals and insurance companies. Vendors, suppliers and business associates may all be held to the same standards if they come into contact with any Protected Health Information (PHI). The consequences of failing to protect that information are serious enough that more and more companies are putting in the time and effort to avoid a debacle of their own. Just this year, Memorial Hospital System had to pay $5.5 million to settle accusations of violating the privacy law. The compliance rules of HIPAA (and its addendum HITECH) both deserve your attention — sooner rather than later.

More Audits Ahead

The Office for Civil Rights (OCR) enforces HIPAA, and in 2017 it appears to be giving more attention to investigating how healthcare companies go about ensuring privacy. Every year brings new methods for attackers to exploit a wealth of financial and medical data. The OCR seeks to address what's new in hacks and breaches so that its regulations are actively combating them. More specifically, the OCR plans to perform more audits and make changes that directly address the innovations in technology the healthcare industry has seen. Employee mistakes are consistently found at the heart of leaked information, so staff education and training at every level will be a major concern for the OCR. The audit program is currently evaluating which entities should be audited next, and the OCR is aiming for a wide range of them. From tiny start-ups in the middle of nowhere to established conglomerates in major cities, it's not sparing anyone. So regardless of whether you're a private or public company, you're at potential risk of an audit this year. Audits will be conducted onsite and will review the full scope of the HIPAA rules. If major violations are found, this could lead to even more involved compliance reviews.

Understanding the Cybersecurity Information Sharing Act (CISA)

The OCR wants to make use of the CISA for HIPAA compliance, implementing its cybersecurity guidance standards within the covered entities and all of their business associates. This will include the National Institute of Standards and Technology framework too. The OCR is concerned about the use of big data, and will attempt to address the sheer quantity of health information that's being collected every day. Wearable technology such as Fitbit devices continues to build up huge databases of potentially valuable information. The OCR wants to lay out a better system for handling data that is stored in the cloud. Big data has helped businesses make better decisions based on facts, but it's also incredibly difficult to manage. These complications only grow as patients struggle to understand exactly how to access their own files and health information. When everyday people can get health information from their doctor as well as from a device on their wrist, the OCR has a lot of questions to answer when it comes to regulating access and protection.

Using the Cloud

Entrusting PHI to a third party can save money, time, and effort, but picking the right cloud provider can be tricky. With companies flocking to this exploding business, service providers may have a difficult time keeping up with the influx of clients. For these reasons, the OCR will be keeping a closer eye in 2017 on what service providers promise and what they actually do. The contract between a covered entity and a service provider should be written and agreed upon by both parties before any data is transferred. But healthcare entities cannot become complacent even after the transfer, as moving the data does not absolve them of responsibility. If a covered healthcare entity hands over encrypted data to the provider but does not provide a decryption key or a way to authenticate users, the cloud service provider would not be held liable should something go wrong with the information. HIPAA is as much about distributing responsibility for mistakes as it is about ensuring they don't happen in the first place.

The Real Effects

When it comes to many of the OCR's goals, it's important to note that the specifics are somewhat lacking. Because a given technology is often fully understood only by its developer, it is difficult for the OCR to turn its goals into concrete requirements for the companies it oversees. While its promises sound great, they are currently too generic to expect exact details on many of the more complex topics. Government agencies will continue to debate how to encourage free enterprise without endangering the public. The OCR will struggle with the language as new technology and new attacker techniques arrive faster than laws can be made. In the future, the results of these conversations and initiatives will likely inspire administrative as well as legislative changes as regulators determine further what is permissible and what is not. For now, companies need to be prepared for more scrutiny of their security, as HIPAA spells out that companies must do everything within their power to protect PHI.


Topics: encryption, PCI Data Encryption, hipaa