Going beyond HIPAA compliance for your EHR data security

As healthcare technology enables the greater portability of patient data, the risk of a data breach also increases. The growing data security risk is evidenced by the fact that, according to OCR healthcare data breach statistics, there were 253 healthcare breaches in 2015 that affected 500 individuals and over 112 million healthcare records. When coupled with the massive increase in non-healthcare data breaches one can hardly pass the issue of healthcare data security off as scaremongering or a passing trend. In fact, data breaches will likely become a more pressing risk that providers can only offset by taking every possible step to mitigate this risk.

With the inherent risk of data breaches present, healthcare practices should understand that the issue of security and legal compliance with data management regulations such as HIPAA and HITECH are two separate matters. Theoretically, one can be in conformity with the law and still be at grave risk of a data breach. As such, the following points focus on further mitigating risk above and beyond the legal requirements of HIPAA and HITECH.

1. HIPAA and HITECH compliance are critical, but they should be viewed as a baseline for security.

One may be inclined to assume that practices which were unlucky to have suffered a breach were not legally compliant with HIPAA and HITECH. Although it is certainly true that HIPAA and HITECH provide a regulatory framework to assist practices in compromising protected information, the reality is that HIPAA and HITECH only provide baseline standard of data security.

Recommended Reading: EHR Vendor Guide - Find an EHR vendor offer HIPAA compliance

In many of the most high-profile data breaches providers complied with the law, their security, however, was breached by flaws in their security infrastructure. As such, the standards contained in HIPAA and HITECH should be viewed as the foundation on which to build a stronger security infrastructure. With the idea that HIPAA and HITECH should be viewed as a starting point for security, rather than an end, what steps can practices do to strengthen their data protection policies?

2. Look at HIPAA security controls and find practice specific weaknesses

The most recent HIPAA Security Rule requires providers evaluate data security against a list of 75 specific security controls. It is important to look at these security controls as a roadmap provided by regulators to understand the potential weak points in an EHR system. As such, best practices (HIPAA requirements) dictate conducting an annual security risk analysis not only to check for compliance but also to look at each of these security controls and ask if any measures can be taken to bolster security in these areas.

3. Think outside the healthcare box

Data security is not solely a healthcare concern, in fact, it is a concern that plagues any industry that handles sensitive, some with even more high-risk data than healthcare providers. Thus, it is important not to confine a security strategy to methods used within healthcare. Data security is data security, whether you are handling financial information or healthcare information, think regarding the measures used in other data-sensitive industries to see if these safety measures can be applied to your practice.

One should bear in mind that despite the legal protections provided to patient’s personally identifiable information the threat posed by hackers and by accidental disclosure of healthcare data has not dissipated. In fact, the problem has become more widespread as healthcare data has become more valuable on the black market. If practices are willing to come to terms with the fact in any electronic transactions whether it be credit cards or healthcare date, there is some inherent risk. As such, a practice should treat data security not only as a legal requirement but also as in investing in valuable cost avoidance as the fines and potential liability for a breach could be potentially devastating.