Industry and Policy Updates: HIPAA Compliance and Enforcement for Alarming Trends in Data Safety

These reports discuss data breaches in 2022 and highlight where healthcare organizations should be focusing their HIPAA compliance efforts going forward. Additionally, they include important data on the number of HIPAA cases investigated, areas of noncompliance and insights into trends like cybersecurity readiness.

Healthcare organizations are facing huge data security and compliance issues. As systems become more and more automated, and as the efficiencies and benefits grow, so too do data security, privacy and compliance issues. The U.S. Department of Health and Human Services (HHS) - Office for Civil Rights (OCR) understands this trend and is increasing efforts to support policymakers and healthcare organizations with more information. OCR Director, Melanie Fontes Rainer notes “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. (We) continue to work with Congress and the healthcare industry to drive compliance and protect against security threats.”  HHS released a department-wide Cybersecurity strategy for the health care sector in December 2023, and in January 2024, HHS released voluntary cybersecurity performance goals to enhance cybersecurity across the health sector.

These recently released reports reflect the latest moves by HHS to support the privacy and security of health information; and back up previously presented data.  

The 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received, the method by which those complaints were resolved, the number of compliance reviews initiated by OCR, and the outcome of each review. 

The 2022 Report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information that were reported to the Secretary of HHS during the calendar year 2022 and the actions taken in response to those breaches. It also shows that hacking (IT) incidents remain the largest category of breaches - a continuing trend at 77% of reported breaches for 2022 - these risks will only continue and grow. It also highlights the continued need for regulated entities to improve compliance with the HIPAA Security Rule requirements, including: risk analysis and risk management; information system activity review; audit controls; response and reporting; and person or entity authentication. Medsien is doing all of these things. 

The Federal Trade Commission (FTC) also has warned about potential risks to patient data, warning medical organizations of serious concerns about patient information safety that can be associated with sharing patient data when using hospital and medical practice websites or mobile apps. Health entities have a responsibility to protect against the unauthorized disclosure of personal health information. But with due diligence, when selecting a partner, patient data safety is completely possible.

As your healthcare organization and practices grow and expand, and you add important remote care management efficiencies and benefits to your practices and healthcare organizations, it’s important to partner with companies that not only help you expand your remote care management services, but also have the essential protections and safeguards built into their software systems and programs to protect you and your patients from the outset. 

Proper safeguards are an absolute necessity to ensure data safety

While the risks are real, concerning and definitely growing - with due diligence when selecting a remote care management partner - patient data safety is completely possible.  Data sharing and data protection is a real problem and a real risk if you are not careful to work with a company that understands safety, data and compliance. It takes a lot of work, sophisticated systems and numerous safeguards to ensure the safety of your data, and it takes seamless electronic health record (EHR) integration to ensure safety, compliance and peace of mind. 

For organizations looking to work with a remote care management company - it is imperative to do your due diligence. There are many companies sprouting up that work in remote care management. A lot serve as a third party technology manager; few offer staffing solutions in conjunction with software; many do not have the understanding of healthcare and the technical or software expertise to ensure effective programs and data safety mechanisms. It’s important to be very careful about the company you choose to go forward with when selecting someone to help develop your remote care management programs. It’s definitely possible to have highly reliable and compliant software and to have completely safe and secure patient data sharing and patient management within the practice. You just have to ensure that you are working with a team and company that understands the complexity of medical software, the EHR and considers data security and HIPAA compliance to be important and an essential component of developing remote care management software and programs. 

At Medsien, we take data security and compliance very seriously.  It is built into our systems and programs to ensure safeguards and data security are integral parts of all of our remote care management. Medsien is the industry leader in seamless EHR integration and safe, effective and compliant remote care management programs. Hundreds of organizations trust Medsien’s unparalleled technology solutions to deliver a quality patient experience. If you’re struggling to provide quality patient care with disconnected systems and outdated tools, Medsien offers the most advanced, automated platform to power up your practice. You can count on our technology expertise, deep experience and understanding of technical infrastructure and our exceptional software to create secure programs.  We can help you transform your organization and the remote care you provide - quickly, efficiently, effectively, reliably and most importantly - safely. Read more about the benefits of hiring experts. 

EHR integration, combined with well-designed software is the key to data safety and security

Medsien’s technology was created with safety and security in mind.  We prevent data breaches and fraud - and protect your patients, your practice and your data through highly technical software design and integration with the EHR.  Key factors and safeguards that make Medsien remote care management programs secure:

1. All in one platform with a single source of truth = extra security
2. Automated and EHR integrated data, no manual data sharing = safety
3. Automatic logging = accuracy and backup
4. Third party HIPAA assessments = compliance
5. Cyber liability insurance = peace of mind 

Read-only software makes the data doubly secure

Some companies that sell remote care management programs create a user ID in the client's EHR and have many different people logging on to see, access and even potentially change key personal patient data. With Medsien, the source of truth for patient data is the client’s EHR. There is no ability to change any data. All of our programs have read only access and we do not change any information in patient’s charts. Medsien’s program and EHR integration are designed to ensure that there is no ability to access or change the data whether intentional or accidental. 

No file sharing or file exchanges - ever 

Integrated, automated data exchange ensures safe data sharing, data security and HIPAA compliance. With Medsien, there is no manual file sharing or file exchange.  When you have EHR integration -  which incorporates using APIs (application programming interface) with the EHR - you have a safe incorporation of data. APIs are software intermediaries that allow two applications to talk to each other and facilitate a safe and accessible way to extract data within and across organizations. Manual data sharing leaves you extremely vulnerable to data leaks or data breaches. HIPAA regulations explicitly state that health data is never to be transferred this way, yet many companies still do it - as is evidenced in the FTC warning sent out this month. Without the technical and software skill sets essential to creating safe, accurate and compliant remote care programs, many companies are left using manual data transfers and unsafe programs. Using Medsien’s highly technical software and EHR integration allows for the safe incorporation of data  - with no leaks, no breaches, and no unintentional - or untracked - sharing with individuals.

Medsien never asks anyone to send reports of patient data, conditions, medications, personal information, etc. Other companies manually share files -  we never do. Our data transactions are completely safe, reliable and fully HIPAA  compliant. All of the servers we use and work with are HIPAA compliant as well  - which further helps us to keep all communication channels and all of our data secure. 

Automatic timestamps ensure accuracy and backup  

With an automatic timestamp, you will always know exactly when the system was accessed. If you just manually send a file, you do not know who, or when or how many people are looking at or accessing the data. Also, you don’t know if the file is further shared again and again.  Even if there are no ill intentions, this is a severe violation of patient privacy, safety and security. When you have EHR integration and Medsien software, you always have a timestamp on each interaction and entry, offering important backup protections. With EHR integration, the automatic timestamp ensures that you know exactly when data is accessed every time. The timestamp is insurance - it’s a backup of everything that occurs ensuring safety and accuracy. 

3rd party HIPAA assessments show commitment to safety and compliance

To identify vulnerabilities and continuously protect patient information, organizations must frequently analyze their security situation. Conducting regular HIPAA risk assessments takes care of this - and actually is mandatory for true HIPAA compliance even though not everyone does it. Updated security risk assessments can help you in maintaining information security and preventing any fines and penalties due to a violation of HIPAA regulations.

Medsien as a company, and all Medsien remote care management client programs, go through a third party HIPAA assessment. Third party assessments - assessing administrative, physical and technical risks - help identify and address any issues that could potentially arise in an office that deals with protected health information. These audits are especially important in the case of a HIPAA security breach or privacy violation. At Medsien, we run everything we do through these assessments to ensure compliance. Read more about Medsien and compliance  and audit proofing a practice 

Cyber liability insurance offers protection and peace of mind

Cyber liability insurance protects companies in the event of a network cybersecurity failure that causes your business to give way to malware, ransomware, business email compromise, distributed denial of service, attacks or data breaches. A cyber liability policy typically covers your business’ (or client’s) liability for a data breach involving sensitive customer (patient) information. Medsien carries cyber-liability insurance for our company and for any clients to protect against any data security breaches or privacy violations. This further ensures safety, compliance and peace of mind for us as a company as well as providing quality and safety protections for any client programs. 

Reimagine remote care management with Medsien 

As previously mentioned, Medsien is the industry leader in seamless EHR integration and safe, effective and compliant remote care management programs. The real value of EHR integration and highly specialized software is that it ensures the accuracy, effectiveness and safety of all patient data. APIs ensure our software is secure and there’s no ability to change that data. With EHR integration, you can be sure that any data in the EHR is accurate, up to date and safe. 

Medsien programs are intentionally designed to avoid and decrease any breaches in patient data, ensure HIPAA compliance and to decrease putting patients and organizations at any risk. Our programs, software and EHR integration - key data safety safeguards -  ensure that the data from our clients is safe and reliable and that we are always compliant about patient care and patient data. 

References: 

1. https://www.hhs.gov/about/news/2024/02/22/hhs-office-civil-rights-delivers-annual-reports-congress-hipaa-compliance-breaches-unsecured-protected-health-information.html 
2. OCR’s 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html
3. OCR’s 2022 Report to Congress on Breaches of Unsecured Protected Health Information. https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html
4. Electronic Medical Records in Healthcare. HHS Cybersecurity Program. Published Feb 17, 2022. Retrieved Oct 6, 2022 from https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf.
5. FTC and HHS warn hospital systems and telehealth providers about privacy and security risks from online tracking technologies. July 20, 2023. Contact: Juliana Gruenwalk Anderson, FTC office of Public Affairs. https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-hhs-warn-hospital-systems-telehealth-providers-about-privacy-security-risks-online-tracking?utm_source=govdelivery