
Securing protected health information starts with HIPAA

The term 'HIPAA' is discussed so often that it can be easy to lose track of what it was created to do. Learn exactly what HIPAA is and how to stay on the right side of it.

As a frequent presenter and instructor on the topic of healthcare analytics and information management, I am frequently asked about HIPAA compliance. HIPAA is something that most people in healthcare have heard something about, yet relatively few truly understand the details, implications and impact of this important legislation.

HIPAA provides healthcare professionals (and anybody who needs to work with protected health information) with guidelines around how to protect it. It also helps determine when it's necessary to disclose such information when providing patient care.

Why is HIPAA necessary?

As more health data about individuals is collected, stored and transmitted electronically, the security of that electronic protected health information is paramount. This is complicated by the fact that the collection and storage of private health-related information is growing as more healthcare organizations adopt health information technology such as EHRs.

Perhaps an even greater challenge stems from the growing popularity of mHealth devices and apps. Because there are so many touchpoints in healthcare information management, professionals in all healthcare fields (not simply health information management) need to be aware of the rules and regulations associated with HIPAA compliance.

There are still many healthcare administrators, clinicians and analysts who consider information security and protection of privacy to be in the realm of the IT professionals. This common but too-narrow view belies the many ways in which protected health information can be exposed, and the many necessary precautions required to counter the threat of data breaches.

It's not just compliance, it's patient care

Healthcare data, along with financial information, is perhaps an individual's most sensitive information. Therefore, maximum effort must be given to ensure that the privacy of this data is maintained at all times. As more data becomes available, its use for purposes other than purely clinical needs (such as quality and process improvement initiatives) is also increasing.

Clearly, then, security and privacy concerns extend beyond the clinical use cases of data and provider-to-provider exchange of information. Threats to the security of protected health information are many, ranging from deliberate theft to negligent losses.

A recent report from HIMSS Analytics found that upward of 56% of survey respondents stated the source of their security breaches was unauthorized access to information by an employee. Only 3% of incidents were the result of a network breach by an outsider. Nearly a quarter (22%) of respondents reported breaches due to theft of laptops or handheld devices, and 10% of the participants reported breaches due to data being housed by a third-party vendor.

A multi-front war against data breaches

In a separate article, I discuss the main types of incidents identified by the U.S. Department of Health and Human Services (HHS) that have resulted in large breaches affecting more than 500 records.

  • Theft -- This can occur when traditional paper records or electronic media such as laptops, tablets and devices are stolen, and is the largest category of breach reported by HHS.
  • Loss -- The loss of paper records or the loss of electronic media (e.g., laptops, tablets or backup devices) can result in a breach of health data.
  • Intentional unauthorized access -- This can result from deliberate attempts to access sensitive computer systems through the use of phishing, hacking or similar methods of obtaining login and password information. In these cases, individual computers and/or network servers are accessed by unauthorized persons to obtain sensitive information.
  • Human or technological errors -- These include failure to take adequate care of protected health information by misdirecting the shipping/mailing of paper records (due to an incorrect mailing address, for example) or if unencrypted information is inadvertently emailed to an incorrect and/or unauthorized recipient.

With the security of information and privacy of individuals at risk due to so many threats, how are organizations held accountable for following established best practices for privacy and security? This is where government legislation plays a role.

About the author:
Trevor Strome, M.S., PMP, leads the development of informatics and analytics tools that enable evidence-informed decision making by clinicians and healthcare leaders. His experience spans public, private and startup-phase organizations. A popular speaker, author and blogger, Strome is the founder of HealthcareAnalytics.info, and his book, Healthcare Analytics for Quality and Performance Improvement, was recently published by John Wiley & Sons Inc.
