Healthcare News & Insights

IT-related compliance challenges in the new HIPAA rules

The Department of Health and Human Services (HHS) recently published updated HIPAA regulations that will be put in place this month. Here’s how hospitals’ IT operations might be affected.

The new HIPAA rules, which go into effect on September 23, were designed in part to update the law based on changes in the way providers use technology to store and work with sensitive patient data.

These are some of the biggest changes and how they’ll create new challenges for hospitals:

Mobile devices and BYOD

More and more healthcare data breaches are being caused by the loss or theft of portable computing devices that hold patient data. In many cases, those devices are issued by hospitals, but an increasing number are owned by doctors and other employees as more hospitals adopt bring your own device (BYOD) programs.

As the types of breaches that occur are changing, the feds are also adjusting providers’ requirements for reporting breaches. Previously, incidents had to be reported if there was a significant risk of harm for the affected patients.

However, the new HIPAA rules state that a reportable breach will be presumed to have occurred unless the provider can prove there’s a low risk that patients’ data will be used maliciously.

One way to do that: Make sure all devices that hold patient data are encrypted. If data is encrypted, the provider won’t have to report a breach even if the device is lost or stolen, says the American Medical Association in guidance covering the new HIPAA rules.

Cloud computing

Another tech trend having a big impact in health care is the adoption of cloud computing services for health IT tools. Many providers are now contracting with cloud vendors, who are being given access to sensitive patient data.

One bit of good news in the new HIPAA rules: Those vendors and other business partners are getting a greater share of the liability when data breaches occur. Those business associates must now meet many of the same rules that have applied to providers.

However, providers are still responsible for taking some steps to ensure that their business partners are protecting patient data.

One requirement is that providers have their partners sign agreements guaranteeing that they’ll meet those HIPAA rules. The new HIPAA regs expand the types of vendors that will need to sign those agreements to include those who don’t actually work with patient data but will have “persistent access” to it. That might include cloud-based storage providers.
