Compliance mandates are (intentionally) stringent and difficult to meet. The reason behind this is to force organizations to apply the strictest data security policies and ensure that customer data is secure. The Healthcare Insurance Portability and Accountability Act (HIPAA) is no exception to this rule.
In many ways, due to the evolving use of technology in the healthcare industry, HIPAA compliance is becoming harder to meet. The advent of wearable technology, automated voice assistants and other new innovations is making it a more complex task to identify where ePHI is stored and processed and to keep an eye on its security.
In some ways, HIPAA compliance was written in a way that left it open to advances in the technology market, as Nicholas Heesters, a HIPAA compliance and enforcement official for the U.S. Department of Health and Human Services, noted at InfoSecurity North America. “The HIPAA security rule gets a lot of grief for being too vague,” he said. “By design, it’s not vagueness, but it’s the fact that it’s flexible, scalable, technology-neutral.”
So how have organizations adapted to the newest innovations in technology in light of HIPAA regulations?
Does HIPAA Apply to Smartwatches?
With the rise of smartwatches like the Apple Watch and Fitbit, questions have been raised about whether data collected from these devices falls under HIPAA. Many users of these devices like to collect what could be considered health information in the form of calorie intake, heart rates and the number of steps taken per day. Sometimes this data is gathered specifically for clinical use.
HIPAA only applies when covered entities or business associates get involved (such as insurers, healthcare providers or vendors). If a user is simply collecting this data for their own personal use, then HIPAA does not apply.
However, as soon as a covered entity gets involved, HIPAA comes into play. For example, if a doctor advises a patient to download a health app onto a wearable device to collect health data, the moment that data is integrated into an electronic health record, it is bound by the laws of HIPAA compliance.
Similarly, the company that developed and markets the app responsible for collecting the data will also be bound by HIPAA compliance – as they are collecting, storing and processing health data at the behest of a covered entity.
Alexa, Is My Healthcare Data Secure?
Voice assistants, led by Amazon’s Alexa and Apple’s Siri, are growing drastically in adoption rates and becoming more sophisticated with every iteration. The commercial success these devices have enjoyed has led some start-ups to attempt to integrate this technology into the healthcare industry.
Now, as you might expect, creating voice assistants in such a way as to be compliant with HIPAA standards is tough. In fact, it’s so difficult that Elena Elkina, a former attorney and data privacy and protection expert, states “if someone tells you right now that they’re complying with HIPAA in this area, don’t believe them […] it hasn’t happened yet.”
However, as previously mentioned, HIPAA is flexible enough to accommodate such advances in technology, so it is only a matter of time before voice assistants become standard practice in healthcare organizations. Whether that means that the technology providers will have to integrate auditing, monitoring and alerting capabilities into these products, or the healthcare providers will have to deploy it themselves, is yet to be seen.
Why Are We Seeing More HIPAA Breaches?
In our experience, the number of HIPAA violations has drastically increased over the last few years, but a HIPAA violation does not necessarily mean a crippling penalty. In fact, the OCR has undertaken far more investigations into HIPAA violations than it has doled out penalties.
However, we are seeing that the OCR is prepared to dish out severe penalties to those companies that experience data breaches involving ePHI. Anthem, for example, was forced to pay $16 million to settle privacy violations stemming from a 2015 data breach involving 78.8 million customer records.
We think the most likely reason that healthcare organizations fail to meet HIPAA requirements is that they don’t undertake regular risk assessments of their IT environment. They don’t know where their ePHI resides, who has access to it, what changes are being made to it and how secure the surrounding IT environment is. Most organizations will find themselves needing to deploy a data-centric audit and protection solution to help with meeting HIPAA compliance.
If you need help conducting a risk assessment to ensure you don’t fall foul of HIPAA regulations, contact Lepide today.