In highly regulated industries like healthcare, organizations need to preserve all records and communication data, including electronically stored information (ESI), and ensure it is stored safely in a secure and private repository. In healthcare specifically, discussions with patients or other professionals, and patient records containing protected health information (PHI), need to be kept secure while remaining available for future reference.

Keeping electronic information safe in the healthcare industry is not only best practice, but also a regulatory necessity. The issue is further complicated by recurring data breaches and continual leakage of sensitive information. In hospitals, clinics or health insurance companies, a large number of emails contain confidential information including patient info, protected health information (PHI) and attached documentation.

The Significance of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 and amended in 2013, is a notoriously complex law that regulates how healthcare providers manage protected health information (PHI), including medical records and payment information. It obliges healthcare organizations to adopt policies that protect patient confidentiality.

The Act consists of five titles in total, but Title II is vital for today’s story as it deals with email, other electronically stored data and the prevention of healthcare fraud and abuse. When HIPAA was first enacted, this Title challenged healthcare organizations to assess and transform their existing systems in order to comply with strict guidelines on digital data archiving and electronic communication, especially when dealing with sensitive patient data. To meet those guidelines, healthcare providers now have to employ high-quality technical archiving solutions that ensure fast and easy retrieval of data, keep patient records accessible and facilitate eDiscovery procedures.

The changes enacted in HIPAA’s Security Rule in 2013 are especially important. Although not explicitly prohibiting the use of email to communicate protected health information (PHI), the amendments introduce several requirements which ensure that your organization’s email communication is HIPAA compliant:

According to the 2013 HIPAA amendments, healthcare institutions must assign information security officers, sign business associate agreements with any third parties who will have access to sensitive data, establish transparent risk assessment procedures, organize training and develop appropriate information management policies.

The healthcare provider needs to be able to control the devices that are used to store electronic PHI. It has to carefully examine equipment specifications and control physical access to the servers and hardware on which electronic PHI is stored.

It is necessary to specify which individuals may access PHI databases remotely, and to define audit and monitoring mechanisms for that access.

According to a summary from the HIPAA Journal, in order for healthcare providers to be HIPAA compliant, they need to restrict access to PHI, be able to monitor how it is communicated, ensure its integrity and protect it from unauthorized access.

Data Breaches

When HIPAA was revised and amended in 2013, the notion of a data breach was also redefined. A data breach now occurs whenever there is an unauthorized exposure of electronically stored PHI, unless the healthcare organization can prove that patient data was not compromised. The best way to prove this is through encryption: encrypting patients’ personal information, medical histories and current health-related information makes that data unreadable, and therefore useless, to anyone who does not hold the decryption key.

The single largest cause of data breaches is human error. There have been numerous cases of employees misplacing flash drives, sharing sensitive data via BYOD phones, posting patient info on social media, and doctors having laptops stolen from their cars. HIPAA Journal’s 2017 data breach report showed a 305% increase in the number of records exposed in data breaches, which makes this year “yet another worst year ever for data breaches”. Meanwhile, Reuters reported that a person’s sensitive health information is worth 10 times more to hackers than their credit card info on the black market.

Penalties for Non-Compliance

Data breaches, criminal attacks and employee negligence are just some of the threats that healthcare organizations need to neutralize. According to the recent KPMG cyber security report, 56% of healthcare executives believe that HIPAA violations and compromised privacy are their number one security concern. Non-compliance with HIPAA can mean heavy penalties for organizations, such as fines and mandatory audits.

Any impermissible disclosure of electronic PHI (ePHI) can result in a financial penalty. Non-compliance with HIPAA typically entails lengthy and onerous penalties for organizations. In some cases, it involves lawsuits in a Federal District Court against anyone who violates HIPAA, and those lawsuits tend to include statutory damages. If you fail to comply with HIPAA, you will be required to provide clarification on “wrongful disclosures”, because it is a criminal offense to violate the Privacy Rule’s authorization requirements. HIPAA also provides for significantly increased civil money penalties for non-compliance.

HIPAA fines apply to anyone who willfully neglects to comply with the regulation and range from $10,000 to $50,000 depending on the violation. In extreme cases, fines can be as high as $1.5 million per violation. The largest HIPAA fine was levied in August 2016 and amounted to $5.55 million. The most common violations include disclosure of sensitive patient info due to theft or loss, and careless handling of protected health information.

How Email Archiving Technology Helps with HIPAA

When it comes to compliance and governance technology, health organizations often put sensitive patient data at risk by employing external or cloud software solutions. The benefit of an on-premise email archiving solution lies in the fact that the data is stored internally, within the organization, regardless of its size or the number of employees. An in-house email archive allows you to store emails in a tamper-proof format, together with their metadata, and to locate, retrieve and export individual messages in a matter of minutes. In addition, on-premise solutions offer more advanced long-term data protection and integrity verification capabilities, customizable access levels, audit trails, legal hold features and configurable retention policies.
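To make the capabilities listed above concrete (tamper-evident storage of messages with their metadata, integrity verification, search, an audit trail, legal hold and a retention policy), here is a small illustrative model written for this article. It is an added example, not Jatheon's product code. The class and function names, the constructed sample messages and the six-year retention window are assumptions chosen for the demonstration. Each archived message is hash-chained to the previous one, so altering a stored message, or its metadata, is detected on verification, and a retention purge removes only the message body while keeping the chain link intact.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GENESIS = "0" * 64  # chain anchor used as prev_hash for the very first entry


@dataclass
class ArchiveEntry:
    seq: int
    received_at: str            # ISO-8601 timestamp of ingestion
    metadata: dict              # from, to, subject, message_id, ...
    body: Optional[str]         # None once purged under the retention policy
    prev_hash: str              # entry_hash of the previous entry (chain link)
    entry_hash: str             # SHA-256 over seq, timestamp, metadata, body, prev_hash
    legal_hold: bool = False
    purged: bool = False


def content_hash(seq, received_at, metadata, body, prev_hash):
    """Deterministic digest: canonical JSON so key order cannot change the hash."""
    payload = json.dumps(
        {"seq": seq, "received_at": received_at, "metadata": metadata,
         "body": body, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class EmailArchive:
    def __init__(self, retention_days):
        self.entries = []
        self.audit = []                      # audit trail: who did what to which entry
        self.retention = timedelta(days=retention_days)

    def _log(self, actor, action, seq):
        self.audit.append({"actor": actor, "action": action, "seq": seq})

    def ingest(self, metadata, body, received_at, actor="mail-gateway"):
        """Append a message; its hash covers the previous entry's hash (chaining)."""
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        h = content_hash(seq, received_at, metadata, body, prev)
        self.entries.append(ArchiveEntry(seq, received_at, dict(metadata), body, prev, h))
        self._log(actor, "ingest", seq)
        return h

    def verify(self):
        """Return seq numbers whose content hash or chain link no longer checks out.
        Purged entries keep their original entry_hash, so the chain stays verifiable."""
        broken, prev = [], GENESIS
        for e in self.entries:
            ok = e.prev_hash == prev
            if not e.purged:
                ok = ok and e.entry_hash == content_hash(
                    e.seq, e.received_at, e.metadata, e.body, e.prev_hash)
            if not ok:
                broken.append(e.seq)
            prev = e.entry_hash
        return broken

    def find(self, sender=None, subject_contains=None):
        """Locate messages by metadata; returns matching seq numbers."""
        return [e.seq for e in self.entries
                if (sender is None or e.metadata.get("from") == sender)
                and (subject_contains is None
                     or subject_contains.lower() in e.metadata.get("subject", "").lower())]

    def set_legal_hold(self, seq, on=True, actor="compliance-officer"):
        self.entries[seq].legal_hold = on
        self._log(actor, "hold_on" if on else "hold_off", seq)

    def apply_retention(self, now_iso, actor="retention-job"):
        """Purge bodies older than the retention window; legal hold always wins."""
        now, purged = datetime.fromisoformat(now_iso), []
        for e in self.entries:
            age = now - datetime.fromisoformat(e.received_at)
            if age > self.retention and not e.legal_hold and not e.purged:
                e.body, e.purged = None, True
                purged.append(e.seq)
                self._log(actor, "purge", e.seq)
        return purged


# Constructed sample messages (fictional clinic, fictional patient reference).
SAMPLE_MESSAGES = [
    ({"from": "dr.lee@clinic.example", "to": ["billing@clinic.example"],
      "subject": "Patient 4471 lab results", "message_id": "<a1@clinic.example>"},
     "HbA1c 7.2%, follow up in 3 months.", "2015-03-02T09:15:00+00:00"),
    ({"from": "billing@clinic.example", "to": ["dr.lee@clinic.example"],
      "subject": "Re: Patient 4471 lab results", "message_id": "<a2@clinic.example>"},
     "Claim filed with insurer.", "2016-07-14T14:02:00+00:00"),
    ({"from": "dr.lee@clinic.example", "to": ["records@clinic.example"],
      "subject": "Discharge summary request", "message_id": "<a3@clinic.example>"},
     "Please send the discharge summary for admission 2017-11-18.", "2017-11-20T08:40:00+00:00"),
]


def build_archive():
    """Assumed six-year retention window (365 * 6 days) for the demonstration."""
    archive = EmailArchive(retention_days=365 * 6)
    for metadata, body, received_at in SAMPLE_MESSAGES:
        archive.ingest(metadata, body, received_at)
    return archive
```

Note the design choice in `verify`: a purged entry is checked only for its chain link, not its content, because the body is gone by design. If an attacker alters a stored body and even recomputes that entry's hash, the next entry's `prev_hash` no longer matches and verification still flags the chain. In production the chain head would be anchored somewhere outside the archive (a signed timestamp or write-once medium), since a hash chain alone does not prevent someone with full write access from rebuilding the entire chain.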

To see how Jatheon’s on-premise archiving solutions can help you achieve HIPAA compliance, contact us or schedule a personal demo.