A heartfelt Happy Thanksgiving from the Hushmail team. Although our headquarters are in Vancouver, and we celebrated our Canadian Thanksgiving last month, many of our customers are celebrating in the U.S. today with pumpkin pie, football, good friends, and family.
Since today is a day to give thanks, we thought we’d take a moment to express gratitude for something that might not receive much appreciation throughout the year: the Health Insurance Portability and Accountability Act, better known as HIPAA.
If you’re a healthcare professional, you’ve likely acknowledged the necessity of HIPAA, but you’ve also probably experienced moments of frustration while setting up your practice management software or conducting a data security audit that didn’t exactly inspire gratitude. And if you've been a patient and wondered why so many forms are necessary... you have HIPAA to thank.
HIPAA might not be our first object of thanks today, or any other time, but when we consider how chaotic managing healthcare information online would be without it, we might want to concede a warm nod of appreciation for how HIPAA keeps our personal data secure. Today, we will take a grateful look at how three HIPAA rules serve healthcare professionals and their patients.
The HIPAA Privacy Rule requires secure communication of PHI
Without HIPAA, our protected health information (PHI) could be passed back and forth online regardless of who might be viewing or stealing it. It’s a frightening consideration. As it is, medical records are worth more on the black market than credit card data. Consider what’s contained in your file. Demographic, insurance, and billing information, not to mention highly personal medical histories. Now that medical records are vulnerable to the hacking attempts of sophisticated cybercriminals, HIPAA has become a crucial protection against abuse of our PHI.
The HIPAA Privacy Rule requires that practices apply reasonable safeguards for how they handle PHI over email, phone, and fax. A reasonable safeguard might be as simple as verifying a new fax number with the recipient or involve the purchase of an encrypted email service such as Hushmail for Healthcare.
The important thing is, the HIPAA Privacy Rule requires practices to give some thought to how PHI is transferred and provides some recourse when it’s mishandled. Without HIPAA to uphold a clear expectation, what might seem like common sense could quickly be forgotten in the shuffle of managing a busy healthcare practice. HIPAA serves as a constant reminder to remain vigilant against negligence and the threat of cybercrime.
The HIPAA Breach Notification Rule holds you and others accountable
HIPAA fines can be considerable when there’s a breach, reaching into the millions for large healthcare systems. The penalties serve as powerful reminders to establish and maintain a secure medical records system. Because there’s often a considerable cost for implementing a HIPAA-compliant electronic health record (EHR), substantial fines provide an incentive to take that step.
In spite of precautions, breaches may still occur. When they do, the HIPAA Breach Notification Rule ensures that those who are affected are informed so they can take steps to protect themselves. The notification must occur within a specific time frame following the breach and must include how the breach occurred, the types of information it affected, what’s being done to remedy the situation, and what affected individuals can do to protect themselves from harm.
This rule gives us some assurance that if we lose control over our PHI, we’ll at least be made aware of the situation so we can take steps to regain control and mitigate the damage. Without HIPAA, we would likely discover security breaches too late to prevent considerable damage.
The HIPAA Security Rule allows patients to feel safe
Perhaps the most significant reason to give thanks for HIPAA is that it allows us to relax when visiting a healthcare practice, knowing that our highly personal information will be kept confidential. The HIPAA Security Rule requires practices to have certain administrative, physical, and technical safeguards in place to protect PHI from leaks, breaches, cybercrimes, and other web vulnerabilities.
If you're a practitioner, the last thing you want is for your patients to be wondering how you're storing their PHI and if it’s secure and safe from unauthorized access. You want them to focus on their health and the care they’re receiving, not your practice’s technology and security measures.
HIPAA isn’t the enemy, but sometimes it might feel that way
A serious HIPAA breach can be devastating to a practice because patients are paying attention. As we hear more stories about cybercrime and leaked personal data, practices with stellar reputations in care and security will thrive, and those that take shortcuts won’t last very long. We say this not to scare practitioners who are doing their best to meet HIPAA requirements, but to point out the quality baseline HIPAA establishes for the good of both practitioner and patient.
If you're a practitioner and find yourself undergoing a particularly taxing HIPAA audit, or if you're a patient feeling overwhelmed with forms to fill out, take a step back and consider what our world would be like without HIPAA. HIPAA isn’t just a regulation that checks a box; it’s an indispensable guide for any healthcare practice that wants to grow and serve patients in our connected, interoperable world.
As you sit around the table giving thanks with friends and family today, take a moment to consider how HIPAA is making the world a safer place to give and receive care. A little thoughtful gratitude throughout the year can go a long way toward making your next encounter with HIPAA an experience you can appreciate.
There are many reasons to give thanks for HIPAA this year. A close examination of the three main rules affecting healthcare practitioners illustrates how the regulations are helping practitioners and patients protect PHI, and gives us good reason to include HIPAA on our gratitude lists.