In highly-regulated industries like healthcare, organizations need to preserve all records and communication data, including electronically stored information (ESI), and ensure it is stored safely in a secure and searchable repository.

In healthcare specifically, discussions with patients or other professionals and patient records with sensitive and protected health information (PHI) need to be kept secure while remaining available for future reference.

Keeping electronic information safe in the healthcare industry is not only best practice, but also a regulatory necessity. The issue is further complicated by recurring data breaches and continual leakage of sensitive information.

In hospitals, clinics or health insurance companies, a large number of emails contain confidential information like patient info, protected health information (PHI) and attached documentation.

The Significance of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 and amended in 2013, is a complex law that regulates how healthcare providers manage the Protected Health Information (PHI), including medical records and payments. It obliges healthcare organizations to regulate policies and protect patient confidentiality.

The Act consists of five titles in total, but Title II is vital for today’s story as it deals with email and other electronically stored data and the prevention of healthcare fraud and abuse. When HIPAA was first enacted, this Title imposed new challenges on healthcare organizations. They had to assess and transform the existing systems to comply with strict guidelines on digital data archiving and electronic communication, especially when dealing with sensitive patient data.

To meet those guidelines, healthcare providers today have to employ robust archiving solutions that ensure fast and easy retrieval of data, accessibility of patient records, and support for eDiscovery procedures.

The changes enacted in HIPAA’s Security Rule in 2013 are especially important. Although they do not explicitly prohibit the use of email to communicate protected health information (PHI), the amendments introduce several requirements which ensure that your organization’s email communication is HIPAA compliant. What is the key to HIPAA compliance?

It lies in the measures listed below:

Administrative Protection Measures

It is necessary to establish the following administrative processes to protect data:

assign information security officers in healthcare institutions,

sign business associate agreements with third parties who would have access to sensitive data,

establish transparent risk assessment procedures,

organize training sessions and

develop appropriate information management policies.

If you’re wondering who is responsible for overseeing HIPAA compliance and what their main activities are, the HIPAA Journal lists the duties of a HIPAA Compliance Officer relevant to both Covered Entities or Business Associate organizations.

Physical Protection Measures

The healthcare provider needs to be able to control the devices that are used to store electronic PHI. It has to carefully explore equipment specifications and have physical access to servers and hardware on which electronic PHI is contained.

Technical Protection Measures

It is necessary to specify individuals who can access PHI databases remotely as well as define audits and monitoring mechanisms.

According to a summary from the HIPAA Journal, in order for healthcare providers to be HIPAA compliant, they need to restrict access to PHI, be able to monitor how it is communicated, ensure its integrity and protect it from unauthorized access.

HIPAA and Data Breaches

When HIPAA was revised and amended in 2013, the notion of data breach was also redefined. A data breach now occurs when there is an unauthorized exposure of electronically stored PHI unless the healthcare organization can prove that patient data was not compromised.

The best way to prove this is through encryption, as encrypting patients’ personal information, medical histories and current health-related information would make them unreadable and useless.

The single largest cause of data breaches is human error. There have been numerous cases of employees misplacing flash drives, sharing sensitive data via BYOD phones, posting patient info on social media and doctors’ laptops stolen from their cars.

Hackers and ransomware pose another threat – in this month alone, the health information of over 763,837 people has been exposed. UnityPoint Health proposed a $2.8 million settlement to resolve a data breach lawsuit in what could turn out to be one of the largest ever healthcare data breach settlements.

HIPAA Journal’s 2019 data breach report showed a 196% increase in the number of records exposed in data breaches compared to 2018, which made 2019 “the second worst year in terms of the number of breached records”.

Meanwhile, Reuters reported that a person’s sensitive health information is worth 10 times more to hackers than their credit card info on the black market.

Penalties for Non-Compliance with HIPAA

Data breaches, criminal attacks and employee negligence are just some of the threats that healthcare organizations need to neutralize. According to the recent KPMG cyber security report, 56% of healthcare executives believe that HIPAA violations and compromised privacy are their number one security concerns. Non-compliance with HIPAA can mean heavy penalties like fines and mandatory audits for organizations.

Any impermissible disclosure of EPHI and non-compliance with HIPAA can result in a financial penalty. In some cases, it involves lawsuits against anyone who violates HIPAA in a Federal District Court and those lawsuits tend to include statutory damages.

If you fail to comply with HIPAA, you will be made to provide clarification on “wrongful disclosures” because it is a criminal offense to violate the Privacy Rule’s authorization requirements. HIPAA also contributes to the significant increase in civil money penalties for non-compliance.

HIPAA fines apply to anyone who willfully neglects to comply with the regulation and range from $10,000 to $50,000 depending on the violation. In extreme cases, fines can be as high as $1.5 million per violation.

The HITECH Act specifies four severity-based categories of violations and the maximum penalties associated with each:

The covered entity was unaware of the violation ($25,000)

The violation was not the consequence of neglect but had a reasonable cause ($100,000)

The violation was a consequence of neglect but was fixed by the entity ($250,000)

The violation was a consequence of willful neglect and was not fixed on time ($1.5 million)

The most common violations include disclosure of sensitive patient info due to theft or loss and careless handling of protected health information.

What Is the Largest Ever HIPAA Fine?

In late 2018, it was published that Anthem had agreed to pay $16 million to OCR as a settlement for the largest ever data breach in the healthcare industry after the EPHI of 79 million people had been exposed in 2015. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR by Advocate Health Care in 2016.

5 Benefits of HIPAA Compliance

Maintaining compliance with HIPAA is important for many reasons. Here are the chief benefits of HIPAA compliance:

confidence that the organization will pass a federal audit in case there is a data breach

ensures that every employee knows how to handle patient information and establishes a culture of information governance

protects the organization’s reputation (as there will be a public record of any incidents, aka the HIPAA Wall of Shame)

helps with gaining and maintaining patient/client trust and loyalty

helps with risk management and reduces liability

How Email Archiving Helps with HIPAA

Although there are no specific HIPAA medical records retention requirements (each state has its own laws that govern their retention), there are requirements that cover HIPAA-related documents, including policies. The law stipulates that these documents should be retained for a minimum of 6 years after the document was created or was last in effect.

It’s also important to note that such HIPAA requirements preempt individual state laws, should they specify shorter retention periods.

Many official business decisions and documents, including policies, are communicated via email, shared in attachments or discussed in corporate chat systems. That’s why these channels need to be retained in order for a Covered Entity or Business Associate to meet compliance with HIPAA.

When it comes to HIPAA email compliance technology, most medium to large healthcare organizations still opt for on-premise email archiving solutions because the data is stored internally and is under their control. To minimize costs, smaller organizations typically go with cloud-based archiving software.

HIPAA Compliance Solutions: What to Look For

Apart from choosing the right deployment method, healthcare organizations should pay attention to the HIPAA compliance requirements the archiving software should meet.

Here are the crucial functionalities your data archiving software should possess based on the safeguards listed in the HIPAA Security and Privacy Rules.

1. Support for various formats

The HIPAA compliance software should be able to capture and retain various formats of electronic communication (email, social media, instant messages, text messages, audio and video calls), depending on which channels are used for official communication.

2. User authorization and access controls

It should allow role-based access and different permission levels to ensure that sensitive patient info can be accessed only by specific people.

3. Redaction

It should support data redaction to conceal sensitive or identifiable patient info in case of an open data request.

4. Prevent evidence spoliation

Electronic records must be preserved in a non-rewritable and non-erasable format. This means that the HIPAA compliance archiving solution must store data in a tamper-proof WORM format and be designed in a way that prevents deletion and alteration and preserves message content together with all the relevant metadata. The ability to verify message integrity is a nice bonus too.
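As an added illustration of the WORM and integrity-verification requirement above (example code written for this article, not Jatheon’s product), the following sketch binds each archived message’s content and metadata into a hash chain, refuses overwrites and deletes, and lets a compliance officer detect any later alteration of stored entries. All message data is constructed sample input, not real PHI.

```python
import hashlib
import json

def canonical_digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding so equal content always hashes equally."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

class WormArchive:
    """Append-only store: content + metadata + previous digest form a hash chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    def append(self, content: str, metadata: dict) -> int:
        prev = self._entries[-1]["digest"] if self._entries else self.GENESIS
        body = {"content": content, "metadata": metadata, "prev": prev}
        self._entries.append({**body, "digest": canonical_digest(body)})
        return len(self._entries) - 1

    def __setitem__(self, index, value):
        raise PermissionError("WORM archive: entries cannot be overwritten")

    def __delitem__(self, index):
        raise PermissionError("WORM archive: entries cannot be deleted")

    def verify(self) -> list:
        """Indices of entries whose digest or chain link fails; [] means intact."""
        bad, prev = [], self.GENESIS
        for i, e in enumerate(self._entries):
            body = {k: e[k] for k in ("content", "metadata", "prev")}
            if e["prev"] != prev or canonical_digest(body) != e["digest"]:
                bad.append(i)
            prev = e["digest"]
        return bad

def demo() -> tuple:
    """Constructed sample: archive two messages, alter stored metadata behind the API, re-verify."""
    archive = WormArchive()
    archive.append("Lab results attached for MRN-0001.",  # constructed, not real PHI
                   {"from": "dr.a@example.org", "to": "dr.b@example.org",
                    "date": "2020-03-01T09:15:00Z", "subject": "Lab results"})
    archive.append("Please schedule a follow-up.",
                   {"from": "dr.b@example.org", "to": "dr.a@example.org",
                    "date": "2020-03-01T10:02:00Z", "subject": "Re: Lab results"})
    before = archive.verify()
    archive._entries[0]["metadata"]["date"] = "2020-02-01T09:15:00Z"  # simulated disk-level edit
    return before, archive.verify()
```

A production archive would anchor the chain head in a separate system (or sign it) so that an attacker who can rewrite every digest still cannot hide the change.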

5. Audit trail and monitoring

To prevent insider threats and misuse of information, the data archiving software should allow HIPAA compliance officers to keep track of user activities on the archiving platform, conduct HIPAA compliance monitoring, search for suspicious actions and respond to issues in a timely manner.

6. Data Backup

Every data archive should be backed up for data redundancy purposes.

7. Encryption

The archiving software should be able to ensure confidentiality of data contained in the archive, both in transit and at rest.

Jatheon is an email and social media archiving specialist with 16 years of experience in the healthcare industry. To get more information on how Jatheon’s archiving software can help you achieve HIPAA compliance, get in touch with us or schedule a personal demo.