The 10 Most Common HIPAA Violations and How to Prevent Them


Instant Insight:

  • Enacted in 1996, HIPAA represented a significant expansion of federal regulation.

  • Intended to ensure healthcare insurance portability, HIPAA has greatly expanded.

  • Electronic Medical Records are now mandatory and fall under HIPAA regulation.

  • There are at least ten common errors and obstacles to HIPAA compliance.

  • Kure provides an easy-to-use means of reviewing and ensuring full HIPAA compliance as well as continuous quality improvement to healthcare.

Today every Google news feed, television and cable news broadcast, or printed newspaper is likely to carry a healthcare-related story at the top of its program or front page. With the worldwide impact of the COVID pandemic, since 2020 healthcare has become an even greater public concern than ever before. Access to care, skyrocketing costs, government funding, physician negligence, waste, delays as well as innovations and process improvements are all likely lead items for a daily headline. Part and parcel with these issues is government regulation and its impact on healthcare overall.

Perhaps the most visible role of government today in the field of healthcare is the protection of patient information, second perhaps only to Food and Drug Administration (FDA) approvals of new wonder drugs such as a cure for COVID. The Health Insurance Portability and Accountability Act (HIPAA) is the lodestar of government healthcare regulation and control, at least in recent years. It impacts not only physicians and hospitals, but also insurers, businesses and anyone utilizing or having routine access to patient records, including the patients themselves.

Because government regulations such as HIPAA also carry enforcement mechanisms, including large fines for violations, healthcare entities and providers must make every effort to comply. At the same time, doctor and patient concerns over the burden of burgeoning record keeping and the need for accuracy as well as privacy mean that continuous quality improvement is a paramount concern. Process improvement is therefore essential in order to stay ahead of the curve. Rapidly changing digital record-keeping programs have also brought their own challenges.

The Advent of HIPAA

HIPAA was enacted by Congress in 1996. Because most aspects of healthcare have traditionally been regulated by the states, the act was a significant expansion of federal regulatory power, impacting millions of American lives and thousands of healthcare providers and insurance organizations and businesses. 

HIPAA was originally intended to “improve the portability and accountability of health insurance coverage” for employees between jobs. It also contained provisions directed at combating waste, fraud and abuse in both the medical insurance and healthcare industries. However, patient privacy (Protected Health Information, or PHI) has become the main focus as we entered the digital age. Extensive rules and regulations, enforcement programs, and potentially large fines for violations can determine how medical facilities and programs are administered under HIPAA. The reach of HIPAA also now extends well beyond medical institutions and insurers to include any entity or business involved with patient records or health information.

In the nineties, securing patient records and files under HIPAA was largely a matter of physical control and access, with paper records. While some facilities utilized computers to create and store patient data, patient records were still largely “hard-copy.” The use of fax machines allowed for secure transfer of hard-copy records among providers, facilities or insurers. Secure file cabinets and record rooms, with access logs and locking doors, along with staff training on patient record security, were all part of HIPAA compliance. Electronic record-keeping and data security was an issue waiting to be born.

The Birth of EMRs (Electronic Medical Records)

Not too long ago, physicians were writing patient notes on 3x5 cards kept in the front-chest pocket of their white lab coats. At the end of a long day of seeing patients, it was the diligent doctor’s duty to transcribe these scribbled notes into the patient chart, usually through dictation given to a secretary who would then type a hard-copy record for the patient’s medical file. 

Prescriptions and test orders were filled out by hand (some with “triplicate” carbon copies), duplicated on a Xerox machine, and then perhaps faxed to a lab for processing. Less diligent physicians might wait a day or longer to complete these and other record-keeping tasks, wasting time and perhaps losing memory of fine details in the interim. Those details would simply be lost. If a patient wanted or needed to see or copy his or her medical records, the process was often slow, expensive and cumbersome.

Medical records today are largely digital, with Electronic Medical Records (EMR) mandated by state medical boards throughout the country. The first EMR program emerged in 1972 at the Regenstrief Institute in Indiana, long before the birth of the Internet.¹ However, due to the cost and logistical issues associated with the large, punch-card based computers of the day², computer record-keeping was not widespread. It was the emergence of the Internet and Internet technology that revolutionized medical record-keeping, but also created the need for greater security.

The transition to EMRs was not always easy or smooth. The programs were new, bugs were prevalent, and physicians and staff all required training. Errors caused by inept programming or hardware issues could result in Medical Board investigations and complaints with the physician bearing the brunt of these issues. Only the medical licensing defense attorneys benefitted. 

At the same time medical records were entering the digital age, patients were also becoming more Internet savvy and demanding access to their records. Patients today want instant access to exam and test results and to be able to transfer records among providers, insurers, employers, or to their attorneys—but they also want it all to be done securely. When patient information security becomes an issue, complaints abound. Federal representatives and regulators are then often contacted and involved.

Electronic health and medical record keeping (EMRs or EHRs) became mandatory throughout the United States on January 1, 2014. The American Recovery and Reinvestment Act required all public and private healthcare providers and other eligible professionals (EP) to adopt and demonstrate “meaningful use” of electronic medical records by 2015 in order to maintain their Medicaid and Medicare reimbursement levels. Financial incentives were provided to encourage compliance. Since that time, the use of EMRs has spread worldwide. Technical support for these systems has become a major economic engine.

Since the inception of HIPAA, the federal government and its Department of Health and Human Services (HHS) have grown in size, scope and impact on healthcare administration generally. Their reach is now well beyond Medicare and other federal health programs. Private companies as well as government all fall under the umbrella of HIPAA regulation. Anyone involved in software as a service must also learn the intricacies of HIPAA compliance or face the possibility of complaints, audits and potentially large fines. The growth of hacking and identity theft has complicated matters, making electronic record security a key business concern under HIPAA.

Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing HIPAA’s Privacy and Security Rules (45 C.F.R. Parts 160 and 164). OCR responds to complaints and also conducts compliance audits. An entire industry has grown up in response, with commercial programs offered to ensure OCR acceptance and HIPAA compliance. (These programs tend to work hand in hand with for-fee cybersecurity programs generally.)

A key question is whether data breaches, in a medical record context, constitute HIPAA violations. The answer, as they say, “depends.” Data breaches have become commonplace. The best of security systems have been known to fail or have vulnerabilities. Cybercriminals target healthcare organizations. So far, no single program has proven impregnable.³

OCR understands that organizations may be vulnerable to data breaches despite good-faith efforts to secure patient records and data. The key is risk reduction. HIPAA compliance requires reducing risk to an acceptable level.⁴ However, if OCR investigates a data breach and discovers other HIPAA violations while doing so, fines may then be imposed.

Avoiding HIPAA Issues: The 10 Most Common HIPAA Violations

The ten most common HIPAA violations are³:

  1. Employees snooping on the private records of friends, neighbors or family members. Such activities may result in employment termination or criminal charges. Businesses housing the records are not usually subject to financial penalties.

  2. Failure to perform an organization-wide risk assessment for potential security breaches. This kind of violation frequently results in six-figure settlement payments.

  3. Lack of a risk-management process. State health agencies as well as universities have been subjected to hefty penalties for failure to establish and maintain a risk-management process for patient privacy.

  4. Denying patients access to their records, or exceeding the time allowed for providing access. Patients have a right to timely access to their records. Penalties are frequent and can be large.

  5. Failure to enter into a HIPAA-compliant Business Associate Agreement. This violation occurs when a business or entity utilizing patient records shares those records with an outside entity or consultant without first obtaining written assurance of HIPAA compliance. Fines for healthcare facilities have run into the millions of dollars for these violations.

  6. Insufficient ePHI (electronic Protected Health Information) access controls. Again, fines may be hefty.

  7. Failure to use encryption or an equivalent means of safeguarding ePHI on portable devices. Encryption is not mandatory under HIPAA, but there must be a valid equivalent.

  8. Exceeding the 60-day deadline for issuing breach notifications. OCR must be informed of breaches within 60 days or fines may be imposed.

  9. Impermissible disclosure of PHI. Unauthorized disclosures, e.g., to a patient’s employer, or theft of an unencrypted laptop or computer due to careless security or handling may result in significant penalties.

  10. Improper disposal of PHI. When PHI is no longer useful or has expired, it must be securely disposed of. Paper records should be shredded or pulped. Electronic data or devices storing expired data may need to be permanently destroyed.
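Items 1 and 6 above (employee snooping and insufficient ePHI access controls) are usually caught after the fact by reviewing the audit trail an EMR keeps for every chart access. The following is an added example, not code from this article or from Kure: a small Python review that compares constructed audit-log lines against a constructed care-team roster and flags every user/patient pair with no documented treatment relationship, an after-hours access, or a break-the-glass justification that still needs a human reviewer. The log columns, user names, patient IDs and business hours are all assumptions made for the example.

```python
"""Audit-log review for ePHI access (added example; log format and data are constructed)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed care-team roster: which staff members are assigned to which patient.
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.ortiz"},
    "P1002": {"dr.lee"},
    "P1003": {"dr.patel", "rn.ortiz"},
}

# Constructed audit log. Columns are assumed: timestamp, user, patient, action,
# and an optional free-text justification entered for emergency ("break-the-glass") access.
SAMPLE_LOG = """\
timestamp,user,patient,action,justification
2024-03-04T09:12:00,dr.lee,P1001,view,
2024-03-04T09:15:00,rn.ortiz,P1003,view,
2024-03-04T12:40:00,clerk.nguyen,P1002,view,
2024-03-04T12:41:00,clerk.nguyen,P1002,view,
2024-03-04T12:42:00,clerk.nguyen,P1002,print,
2024-03-04T23:05:00,rn.ortiz,P1002,view,
2024-03-05T02:10:00,dr.patel,P1001,view,emergency consult
2024-03-05T08:00:00,dr.patel,P1003,update,
"""


def parse_log(text):
    """Parse the CSV audit log into a list of dicts, one per access event."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def review_access(entries, care_team, business_hours=(7, 19)):
    """Return one finding per (user, patient) pair that warrants review.

    A pair is flagged when the user is not on the patient's care team,
    when any access falls outside business_hours (start inclusive, end exclusive),
    or when break-the-glass access was claimed and the justification must be checked.
    """
    grouped = defaultdict(list)
    for entry in entries:
        grouped[(entry["user"], entry["patient"])].append(entry)

    findings = []
    for (user, patient), rows in grouped.items():
        reasons = []
        justifications = sorted({r["justification"] for r in rows if r["justification"]})

        if user not in care_team.get(patient, set()):
            if justifications:
                # Emergency access is legitimate only if the stated reason holds up.
                reasons.append("break-the-glass: " + "; ".join(justifications))
            else:
                reasons.append("no care relationship")

        start, end = business_hours
        if any(not (start <= datetime.fromisoformat(r["timestamp"]).hour < end) for r in rows):
            reasons.append("after-hours access")

        if reasons:
            findings.append({
                "user": user,
                "patient": patient,
                "events": len(rows),
                "actions": sorted({r["action"] for r in rows}),
                "reasons": reasons,
            })

    return sorted(findings, key=lambda f: (f["user"], f["patient"]))


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(finding)
```

Running the block lists three pairs for review: a clerk with no care relationship who viewed and printed one patient's chart, a physician whose emergency access needs its justification confirmed, and a nurse who opened a chart she is not assigned to late at night. In practice the roster would come from the scheduling or encounter system and the log from the EMR's audit export; the value of the check is that it turns a vague "insufficient access controls" worry into a reviewable list.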

Beyond these ten common HIPAA violations, there are myriad other potential problems that may result from cavalier treatment of patient information:

  • Use of personal email to transmit patient information should be avoided.

  • Taking records home for work, or accessing patient data on a personal computer to make a spreadsheet, is probably a HIPAA violation.

  • Maintaining security over computers and equipment at all times is a must.

  • Even the theft of a laptop storing patient data can balloon into a major HIPAA problem.

  • Disclosing patient data without the patient’s written authorization will also land the discloser in hot water.

  • Failing to properly identify a patient who is requesting records before providing the records is also a HIPAA violation (even if it turns out the patient was entitled to see the records).

Obstacles to HIPAA Compliance

External data security threats, employee training and evolving technology have all been cited as potential obstacles to HIPAA compliance.⁷ Technical advances bring benefits, but security must stay at the forefront, including protection for cloud storage and secure messaging.⁸

Employee negligence, changing state and federal regulations, and the evolving threat landscape are also listed as key causes for concern regarding HIPAA compliance. Many healthcare organizations and related businesses are turning to increased data encryption for protection, combined with mobile device management (MDM). MDM can be enhanced with multi-factor authentication as a means of securing patient data. High-end firewalls for PCs are also cited as an effective means of improving security.⁹

In recent years, large-scale healthcare providers such as Anthem, Premera and Excellus have all experienced significant data breaches. However, according to HealthITSecurity, these large-scale breaches did not necessarily impact smaller or related organizations. HIPAA compliance is actually one way of assessing the security risk before a breach occurs. 

As stated above, compliance and process improvement mean risk analysis, risk management, and reasonable risk reduction, not perfection. This requires balancing innovation with security. Regular risk assessment and routine risk management, based on data analysis and physical inspection, can mean the difference between compliance and patient privacy security on the one hand, and fines and lawsuits on the other.

The Kure for HIPAA Compliance

Every organization that faces a potential OCR audit or possible HIPAA complaint needs to take a proactive approach of continuous process improvement. Preparing for an OCR audit may seem daunting, especially for a small or medium-sized business. However, with a little planning and the right tools, HIPAA compliance can also be a way to improve and optimize digital record processes as well as overall security.

Fishbone Diagram: Violated HIPAA Compliance

Kure, with its Process Optimization Path™ (Patent Pending) application, provides every organization with HIPAA compliance concerns, and its employees and managers, with a readily available, easy-to-use means to identify, map out, and resolve HIPAA compliance issues before they morph into investigations and penalties.

Kure can help your organization comply with HIPAA in the following ways:


¹ See: The Development of Electronic Health Records, Anthony Pappas, Elation (Jan. 28, 2020).
² Early “main-frame” computers utilized punch cards to input data. There was no ability to transfer data outside of the in-house system.
³ See: HIPAA Journal, Dec. 2021
⁴ Id.
⁵ Id.
⁶ Id.
⁷ “What are Top HIPAA Compliance Concerns, Obstacles?” Elizabeth Snell, Health IT Security, January 25, 2016.
⁸ Id.
⁹ Id.

The Kure Team

We’re a diverse team of optimization, technology and education experts sharing 40+ years of success using dozens of proven process improvement methodologies.
