Healthcare in the United States is changing.
Across the system, providers are moving away from volume based care, in which income is derived from the quantity of services provided, and toward value based care. The hope is that through this effort, hospital stays will decrease in length, and public health will benefit.
mHealth, or mobile health, technologies and population health management are two developments that are both playing a big role in this effort. Intranets too are providing collaboration, knowledge sharing, and employee engagement benefits to organizations.
With all of these new tools functioning over the internet by definition, it’s paramount for healthcare service providers to understand HIPAA requirements.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was a law passed in the United States in 1996. It established national standards and guidelines for maintaining the privacy and security of individual health information and addressing issues of fraud and abuse in the healthcare system.
HIPAA’s Privacy Rule and Security Rule, which went into effect in 2003, are perhaps most relevant for companies using collaboration software. Organizations are required to secure all private health information from unauthorized access. Violating HIPAA carries both civil and criminal penalties, and it is very strictly enforced.
Failing to keep up
Unfortunately, HIPAA data breaches are all too common, and they are on the rise.
According to a 2014 study, there had been 29.3 billion breaches since 2009 that exposed Protected Health Information (PHI). Breaches were also up 138% since 2012. Another study from the following year showed an additional 25% increase in breaches.
Of those breaches in 2014, a full 40.8% were due to organizations using unencrypted software to store PHI.
What about hackers, those terrifying but vague entities we think of as causing all major data theft? It turns out they were only responsible for 14% of the breaches.
This is a huge problem.
Those companies that lost data or had it stolen because they neglected to encrypt it are fully culpable. HIPAA requires all covered organizations to use encryption, and there is plenty of information available on exactly how to do so sufficiently.
Not only can those organizations be prosecuted under the law, but they have exposed their customers’ health data to the world. Who knows what kind of consequences that might open up for people who trusted those companies with their private information?
HIPAA and intranets
As of last year, 37% of American workers said they had telecommuted or currently telecommute for work.
If your company uses an intranet, it’s very likely that workers will need to use it outside of the office and outside of normal working hours. In our age of connectivity and digital tools, that is the new reality.
Because data will be passed over networks and potentially accessed outside your place of work in using an intranet, it is extremely important to ensure that all healthcare intranets are HIPAA compliant.
If you’re an IT employee and responsible for your organization’s cybersecurity and digital tools, it’s your responsibility to audit your systems for compliance.
So to keep in mind going forward, here are 5 warning signs your healthcare intranet is not HIPAA compliant.
You don’t have autologout
Something that lots of blogs on HIPAA compliance discuss is the security risk inherent in screensavers. Namely that someone can walk away from their computer once the screen goes blank or it goes to a screensaver, without putting up a password.
The problem here is that any user unauthorized to see PHI can access it as soon as the screen is refreshed. The fact that this scenario is possible is in itself a HIPAA violation.
Similarly to this, intranets need to have autologout in place in order to be HIPAA compliant. If someone is using their intranet and has access to any PHI, their intranet has to automatically log them out if they are idle for too long.
This is especially relevant any time computers are shared. There are many reasons why computers may be shared at a healthcare organization. For example, shift workers might use computers that are at specific stations, rather than bringing their own device to work. In this case, they need to ensure that no one will navigate to the intranet and come upon someone else’s account already logged in.Even if there’s not PHI there, if it’s anywhere on the intranet and you don’t have autologout, that’s a HIPAA violation.
Lack of strict access controls
Not everyone who has access to a person’s healthcare data will have access to the exact same data.
That is to say, nurses won’t be able to see all the same information as doctors. Primary care physicians may be able to see more than a specialist. An mHealth software provider probably won’t have access to hospital information.
The problem is that an intranet may be used by many of these groups, all of whom should be seeing different data from one another. If a nurse isn’t supposed to see all the data a doctor does but they can see that data, you’ve got a HIPAA violation.
That’s why intranets need to have strict access controls. Every intranet user should be restricted to seeing the pages that are necessary and authorized for them to see. Beyond that, intranets need to have a built in function that keeps them from accessing anything else.
Those access controls ensure that no one will be able to get unauthorized access to PHI, and that is necessary to maintaining HIPAA compliance.
Staff that don’t understand HIPAA
It should go without saying that IT staff at a healthcare organization need to understand HIPAA rules and compliance, but there is certainly the possibility that this is overlooked.
Any good IT staff will have strong cybersecurity awareness, but it’s important that they understand HIPAA law as well. That’s necessary for ensuring intranet security has all bases covered.
Of course, understanding is never enough.
IT staff should do routine audits of all their security, making sure it’s strong and compliant. This can include penetration testing, training for non-IT staff, monitoring servers, and more.
IT also shouldn’t be alone in any of this. In shopping for an intranet, make sure that your service provider is not only HIPAA compliant but does audits of their own software and security practices. If a violation occurs on their end, you’re still the covered organization that could be found responsible.
HIPAA actually requires that all covered organizations have a Privacy Officer. This is a person with a strong understanding of HIPAA requirements, who monitors the organization and prevents violations.
What the law does not require is that the position be fulltime or that a Privacy Officer not hold any other position within the organization. That opens healthcare organizations up to many possibilities for who they employ as their Privacy Officer.
For organizations that are particularly large and have a complex digital ecosystem, hiring a fulltime Privacy Officer may be advisable. However, others may be able to get away with having an IT person or even someone in HR take over the task.
For organizations that use intranets, it’s a very good idea to have a Privacy Officer who works with the intranet on a regular basis. Because there is so much that needs to be done to ensure HIPAA compliance on an intranet, Privacy Officers should be well versed in this side of their business.
Not using proper encryption
Again, we return to remote or flexible workers and what their intranet usage means for HIPAA compliance.
HIPAA has very strict guidelines around data encryption, and any data that is transmitted between machines must be encrypted. Since intranets by definition are networks that transmit data between machines, all of the data on an intranet has to be encrypted.
The two types of encryption – at rest and in transit – are both important for organizations to practice. At rest refers to data that is not currently being transmitted, and so that is less prone to a HIPAA violation than data in transit, but you should certainly cover all your bases by encrypting all of your data in order to minimalize the possibility of a breach occurring.
Remember that the vast majority of the breaches that occurred in 2014 were the result of unencrypted software. Your intranet is a prime location for those breaches to occur if you’re not careful.
HIPAA compliance isn’t just a legal issue. It’s an ethical one as well.
The privacy of healthcare data is extremely important to customers for a number of reasons. While intranets are becoming more ubiquitous and organizations are reaping the benefits of their improved productivity and engagement, they cannot neglect privacy through those actions.
Take some time today, and make sure your intranet is HIPAA compliant!