16 May 2016

Understanding HIPAA: Enforcement, Encryption, and Documentation

Author:

Email encryption is one of the strongest defenses that an organization can implement against data breaches brought on by the improper disclosure or distribution of medical records or protected health information (PHI). But without written policies and procedures governing the use of encryption services, these efforts mean next to nothing in the eyes of HIPAA auditors who have been redoubling their efforts to investigate non-compliance across the health care industry.

For example, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently levied one of the largest fines in the history of HIPAA enforcement against the Puerto Ricobased Triple-S Management Corporation. OCR found a culture of “widespread non-compliance,” including several instances where Triple-S failed “to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI,” bringing the final settlement up to a behemoth $3.5 million.

If the Triple-S breach can teach us anything, it’s that having policies and procedures that specifically address the privacy and integrity of PHI is essential to your organization’s HIPAA compliance. As per the 2013 Omnibus Rule, any organization that directly handles PHI is subject to these regulatory requirements as well, meaning that even organizations qualified as Business Associates are beholden to HIPAA as well.

If an organization has email encryption, they’ve taken the first steps toward protecting PHI, but the next step is implementing an effective compliance solution. RPost CEO Zafar Khan comments, “One issue that we have seen is that even though organizations have email encryption, these systems are often cumbersome to use at the recipient side (requiring log-ons, account set ups, downloads, etc.) and people then don’t use them. By contrast, RMail email encryption has been top rated due to its security, auditable proof of compliance, and simple user experience at the sender and recipient.”

An effective compliance solution is one that can accommodate the full extent of HIPAA regulation and give organizations a tool for managing compliance and controlling the privacy, security, and integrity of PHI. There are dozens of compliance solutions on the market today, but only a total solution will allow users to achieve compliance, illustrate full documentation, and maintain that compliance under the law.

– Contributed by Frank Sivilli at Compliancy Group.