Is HIPAA More Flexible Than We Thought?

By: Arieanna Schweber | 7/30/2015

Earlier this year, we penned an article asking, HIPAA is Outdated: Does it Need an Update? In the article, we address the growing rate of healthcare data breaches, as well as the growing cost associated with these breaches, and posit that HIPAA may not be keeping up with the current issues of healthcare data protection.

Countering that, John D. Halamka, MD, MS, and Deven McGraw, JD, MPH, LLM published a spotlight case on the Agency for Healthcare Research and Quality which looks into common misinterpretations of HIPAA and the ability of existing HIPAA rules to deal with the digital age. In particular, the authors note that HIPAA is actually quite flexible:

"HIPAA is not necessarily as behind the times as some allege. The Privacy Rule is medium-agnostic and sets rules for information on access and disclosure, regardless of whether the information is kept on paper or electronic format. The HIPAA Security Rule sets flexible safeguards that apply only to electronic health information."

The authors note that HIPAA’s framework may need to “flex and bend,” but that the framework itself provides adequate guidance on data security while continuing to support data exchange and use. These authors reiterate our own view that HIPAA is one part of a broader set of best practices for protecting data.

Earlier, when addressing the possible limitations of HIPAA, we talked about how security standards and controls can only be the start. HIPAA, as it stands, would struggle to keep up with the rate of change in the security risk landscape. Instead, we talk about standards as the “base layer” upon which more layers of security are added.

In the article, the authors note that best practices include avoiding the use of paper records, ensuring user access to electronic records is restricted, encrypting and otherwise protecting mobile devices, and restricting the use of “shadow” resources, where data may be passed around on USB drives or cloud storage. The authors note that “technology, policy, and people (education) are all necessary prerequisites” to prevent security incidents.

In order to ensure HIPAA compliance, and to go above and beyond these regulations to further minimize the risk of a data breach and its impact, conscientious IT leaders will take a layered approach to security technology to minimize the risk of lost or stolen devices. In a recent article in Advance Healthcare Network’s Executive Insight, Absolute’s Steven Treglia lays out seven steps to help secure healthcare endpoints and the data they contain.

Good endpoint security solutions, such as Absolute DDS, offer key security functions in governance, risk management and compliance (GRC) for protecting healthcare data. Our solution includes an audit trail to show who viewed the data, whether it has been changed, where it resides, and how it’s protected (including the status of encryption); if files are deleted, the audit trail can prove it. This is all supported by Persistence technology, which cannot be removed.
