Since 1996, HIPAA has required hospitals and other providers to strictly maintain the privacy and security of patient and clinical records.
In 2010, the Affordable Care Act (Obamacare) required them to digitize those records for greater transparency.
Today, some 96% of hospitals and 78% of doctors’ offices use electronic health records.
As a result, patients can instantly access the notes from their doctor visits, review their prescriptions, see their lab results, and email questions to the doctor(s) they’ve been seeing. And doctors, whether primary care providers or specialists, can have a patient’s personal information and medical history right at their fingertips.
Unfortunately, so can others.
In 2018, a total of 18 million patient records were hacked and phished. In just the first half of 2019, almost twice as many – 32 million – were.
Clearly, there’s a tug of war between privacy and transparency, and hospitals are the rope.
In 2018, the last year for which complete figures are available, hospitals paid out an average of more than $2.5 million in settlements and civil monetary penalties. That year, the HHS Office of Civil Rights conducted a total of 25,520 complaint and compliance review investigations. And even if the vast majority don’t lead to cash penalties, even the mildest OCR action – resolution after intake and review – can still cost you staff hours and money.
That’s one reason it pays to keep on top of all the latest HIPAA and ePHI changes.
Another is on the horizon for this year. Throughout 2019, OCR has been considering HIPAA regulation changes, and at least some of those should become final this year. Some of those could include easing “aspects of HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities and provide little benefit to patients and health plan members.”
Others involve making it easier for hospitals and doctors to coordinate, and requiring instead of just allowing hospitals to share ePHI data with other providers.
That’s why alerts to changes practically as they occur, determining how they apply to you, then implementing and documenting compliance with no wasted time or money makes for good self-defense.
In the battle between privacy and transparency, see how we can keep you out of the crossfire.