The numbers are frightening. According to a report from the Department of Health and Human Services, since 2009 a reported 38,700,000 people have had their electronic personal health information (ePHI) compromised by HIPAA privacy and security breaches. 38.7 million people have had their Social Security numbers, their diagnoses, credit card numbers, and other personal and protected information compromised because their health care provider, insurance carrier, or other involved party didn't take all of the precautions they needed to take to protect the information in their possession.
I think it is safe to say that not one of the entities that experienced a breach in that time frame set out with the intention to compromise the ePHI in their possession. Most of them have probably worked diligently at compliance with the HIPAA Security Rule. The problem was that they saw compliance as a destination instead of a journey. And because of the advances in technology, HIPAA compliance is most definitely a journey to a destination one never fully reaches.
In 1996, when the Health Insurance Portability and Accountability Act (HIPAA) became law, the technology used to transmit and store personal health information was limited. Manila folders, fax machines, telephone calls, and the occasional email request for information were about the extent of it. The ability to take information offsite on a laptop or a thumb drive, let alone store it in the cloud, was beyond the realm of everyday reality.
Of course, technology has advanced since 1996. In 2003 the Department of Health and Human Services (HHS) issued the Security Rule, which detailed a series of administrative, technical, and physical security procedures that covered entities needed to address in order to assure the confidentiality, integrity, and availability of ePHI in the wake of advancing technology. It is against the measures outlined in the Security Rule that HIPAA compliance is determined.
As the transmission of ePHI continued to advance in the years following the publishing of the HIPAA Security Rule, it was determined that further instruction was needed to address the widening circle of people who now had (potential) access to ePHI. In 2009 the HITECH Act was published to address the increased access. This Act widened the HIPAA circle to include not just health professionals, health care clearinghouses, and insurance companies but also business associates who might have access to ePHI.
So not only is the circle of HIPAA compliance increasing because of technological advances, but the group of those included in the circle of compliance is growing as well.
We are left with two choices when it comes to HIPAA compliance.
- Ignore it and hope we don’t have problems.
- Address the issue of HIPAA compliance head on and begin the work toward compliance.
I know it can seem daunting to begin to address this widening circle involved in compliance. But just like any other journey, this journey begins with the first step.
That first step is figuring out where you begin. The professionals at MapleTronics and Skysail SoftWare would be happy to assist you with that first step and will walk with you on that journey toward compliance. Join us for a webinar on Thursday, September 25 at 1 p.m. EDT (Noon CDT) as we discuss the starting point and some of the steps along the journey toward HIPAA compliance.