March 7, 2018

    Understanding HIPAA Changes: Ensuring PHI Safety & Compliance

    In the face of evolving technologies and sophisticated security threats, HIPAA compliance has never been more crucial for companies handling protected health information (PHI).

    To gain a better understanding of the relationship between HIPAA and today’s cybersecurity threats, Security Metrics recently conducted surveys of more than 300 different healthcare professionals responsible for HIPAA compliance. During these surveys, they uncovered key statistics from this past year that you might find surprising.

    • The average breached organization was vulnerable for 1,549 days
    • Sensitive data was captured for an average of 237 days
    • Sensitive data was exfiltrated for an average of 264 days
    • 45% of organizations were breached through insecure remote access
    • 39% of organizations had memory-scraping malware installed on their system

    These statistics reveal the ever-present threat of data security breaches, and the impact they could have on your company. Without the proper safeguards in place, your company could face major non-compliance risks like heavy fines or even jail time.

    To ensure you’re aligning with both recent and long-established HIPAA changes, let’s look at three key standards that have been set to maintain data security. Along the way, this article also covers some tactics that can help you align with these rules.

    HIPAA Security Rule

    Prior to the establishment of the HIPAA Security Rule, there were few regulations in place to protect personal health data. In the face of constantly evolving technologies, it is difficult to maintain a single security standard that would apply to all future iterations of PHI storage and data transfers. As a result, the Security Rule is the one that many companies treat most laxly when it comes to HIPAA compliance.

    However, the Security Rule is one that – in times where security breaches are increasingly common and sophisticated – needs focused attention from companies wanting to remain HIPAA compliant. In fact, according to the Security Metrics report, the Health and Human Services Department’s Office for Civil Rights has recorded more than 1,400 breaches since 2009, primarily the result of electronic device loss or misuse.

    This shows both the glaring failures in many companies’ data security policies and the major need for HIPAA’s Security Rule. Imagine how much PHI could be at risk if your file storage solution were compromised. This risk shows how imperative it is to follow the mandates outlined in the Security Rule, including:

    • Installing periodic security updates
    • Outlining procedures for protecting against malicious software
    • Enabling log alerting on critical systems
    • Establishing and enforcing password standards
    • Conducting security training for everyone in your company

    While the standards outlined in the HIPAA Security Rule may seem like a lot for your company to take on, it doesn’t have to be that difficult if you have the right safeguards in place. One such safeguard is a secure file sharing solution. An FTP solution with HIPAA compliant features can make preventing and detecting attacks far easier than taking on this goal alone.

    HIPAA Breach Notification Rule

    Sometimes, even with all the appropriate safeguards in place, a breach can occur. And, it’s often due to user error, like inadequate passwords or lost devices. In the event of a breach, companies dealing with PHI must align with the HIPAA Breach Notification Rule.

    This rule requires a business to notify the government when patient data has been compromised.

    There are some guidelines that companies who want to maintain HIPAA compliance need to know. For example, there are different procedures for data breaches that may have impacted fewer than 500 individuals and breaches that may have impacted more than 500 individuals.

    If a breach impacts fewer than 500 people, companies need to notify the Health and Human Services Department annually. For breaches impacting more than 500 people, the department needs to be notified within 60 days of the breach, though immediate notification is preferable.

    The thought of a breach is bad enough, but going through the notification process can be daunting, as well. What if you don’t immediately detect a breach? What if you’re unsure how many people were impacted?

    These could be major challenges if you’re using an in-house file storage solution. However, many hosted FTP providers have rapid breach detection, in addition to measures that halt breaches altogether. FTP solutions with HIPAA-compliant features can help you identify a breach as soon as it happens, so you’re able to take proper measures to address it.

    HIPAA Privacy Rule

    The HIPAA Privacy Rule has evolved over the years as electronic data storage has become more commonplace. As the preeminent standard on individuals’ rights regarding access to their personal data, the Privacy Rule contains a number of requirements that ensure data is protected.

    One of the major HIPAA changes in recent memory was the evolution of the rule to include how electronic data is protected, in addition to physical data. And while you may think you have the Privacy Rule covered, vigilance is essential for staying HIPAA compliant.

    Noncompliance with the Privacy Rule could cause your company to face huge risks. From hefty fines to potential jail time, the consequences can be severe. Plus, not only is privacy protection mandated, your company is also required to notify the government if there is an intentional PHI leak by one of your employees.

    If someone in your company leaked PHI, they could face fines of up to $50,000 or even a year in prison. Moreover, if the Privacy Rule is violated under false pretenses, the fines can soar to $100,000 and violators could face up to 10 years in prison.

    These are risks you probably can’t afford to take. For many companies, paying a multi-thousand dollar fine could impact financial stability. However, with an industry-best file sharing solution, you have the capabilities to maintain Privacy Rule compliance.

    Using features like multi-factor authentication and granular access controls, you can restrict access to your most secure data.

    Ultimately, one of the most powerful tools to help you maintain compliance is a reliable, secure file sharing solution. Most top solutions have built-in HIPAA compliant features that make it easy to keep data safe, regardless of the threat.

    If you’re concerned about non-compliance risks, it’s ideal to partner with an FTP provider who can support your compliance efforts and help you adhere to any future HIPAA changes.



    Martin Horan

    Founder of Sharetru (Formerly FTP Today) and a respected voice in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.
