Interview with Paul Hales, Attorney at Law and National HIPAA Expert
Q: What is the most common mistake people make about HIPAA?
The most common mistake is to think that HIPAA compliance is taken care of through the use of an electronic health records (EHR or EMR) system. HIPAA goes way beyond electronic records and IT matters. A total HIPAA compliance program guides everyone in the organization, from the front desk to the health care professional in how to communicate with patients, family members and friends, including with social media; how to conduct an annual risk assessment – of the whole office, not just the electronic records; how to assess whether a breach of protected health information has happened (and what to do if it has); how to prevent Ransomware attacks; how to prepare for a HIPAA audit; and regular workforce training. Even the best EHR/EMR system does not cover all of these issues, because these issues go beyond IT.
Q: Does HIPAA enforcement affect small-to-medium size health care providers?
Yes. Last fall the Office for Civil Rights, the agency which investigates HIPAA breaches, announced that it was stepping up its review of breaches that affect fewer than 500 individuals. There are far more small-to-medium size providers than there are large ones across the country, and they typically do not have adequate HIPAA policies and procedures in place.
Q: What is your biggest concern about HIPAA today, in 2017?
My biggest concern is the growing threat of Ransomware. The U.S. Department of Justice reports that Ransomware is the fastest growing and most dangerous threat to the security of health information in the United States. More than 4,000 daily Ransomware attacks were reported in 2016 – a 300% increase over 2015 – and it continues now, in 2017. Not only does this harm patients whose data is stolen, but it can be extremely disruptive and costly to health care providers.
From the perspective of HIPAA, the U.S. Department of Health and Human Services (HHS) says that a Ransomware attack on a Covered Entity or Business Associate that encrypts Protected Health Information (PHI) is presumed to be a HIPAA Breach. This means if you’re hit by Ransomware you must provide notice to all the affected individuals, the HHS and, if the attack locked up PHI of 500 or more individuals, prominent media outlets. HHS presumes a Ransomware attack is a Breach because the encrypted EPHI “…was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
Q: What is one piece of advice you have about HIPAA for someone who wants to improve their compliance?
The secret to HIPAA is that it’s easy to comply once you know the rules. Find a complete solution with step-by-step guidance to walk you through it, then instill a culture of compliance in your office with your workforce.