Health network security and compliance is a serious concern these days. The Office of Civil Rights (OCR) reports that as of Sept. 30, 2015, it has received more than 121,576 HIPAA complaints with case settlements totaling more than $22 million. To make matters worse, last year, the FBI warned that hackers are targeting healthcare networks.
Given the urgency and serious nature of healthcare IT security, it is easy to see why senior living executives have their hands full as they struggle to balance security with the adoption of promising new ways to improve senior care through the use of passive remote monitoring for memory care, fall alerts, vital sign alerts, preventative care monitoring and care coordination technology.
The electronic health records, in-house data storage and the cloud used to retain the information gathered from all of this technology are as vulnerable as they are useful.
In addition to the senior care organization’s network, there are the residents themselves, and their personal use of technology, to worry about.
Healthcare information technology is evolving rapidly, and so is the average senior’s interest in using it. A recent study of more than 10,000 seniors found that seniors are actively using self-care technology, wearables, patient navigator solutions and health record management for healthcare purposes, and are participating in online healthcare communities.
According to OCR, all electronic protected health information (e-PHI) created, received, maintained or transmitted by an organization is subject to the 2003 HIPAA Security Rule. The Security Rule requires providers to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI.
What is security risk?
Federal regulators define health IT risk as “a function of the likelihood of a given threat triggering or exploiting a particular vulnerability, and the resulting impact on the organization.” The government says that health IT security risk isn’t caused by a single factor or event. Instead, it is caused by a combination of factors or events–including threats and vulnerabilities–that may have an adverse impact on the organization.
How can senior living communities keep health records safe?
Risk analysis should be the first step in an organization’s HIPAA Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of its e-PHI.
Federal guidance issued by OCR includes security assessment tools that can help senior living organizations establish effective and appropriate administrative, physical, and technical safeguards to secure e-PHI.
Senior living communities may also opt to draw on the expertise of compliance experts, or on infrastructure services that include compliance help, particularly when they use a variety of electronic patient monitoring systems that transfer data to the cloud and/or to electronic health records.
Does the Security Rule cover seniors’ use of technology?
The HIPAA Security Rule has set national standards for protecting the privacy and security of health information a senior care organization has stored in its network, but it does not cover the health information that residents:
- Store in a mobile app or on a mobile device, such as a smartphone or tablet.
- Share over social media websites or health-related online communities, such as message boards.
- Store in a personal health record (PHR) that is not offered through a health provider or health plan covered by HIPAA.
Because seniors are busy using their laptops, wearables and other devices, especially for healthcare, they may assume that their senior living organization will keep this information safe. That’s why it is so essential to train residents on what is covered under HIPAA and what is their own personal responsibility. The federal government offers a number of training fact sheets that can be useful when training residents.
To sum it up
Security Rule penalties are no joke, and neither is the damage a security breach could cause to a senior living organization’s reputation. That’s why it is absolutely essential, in this day of increasing use of technology to monitor and care for seniors, that senior living executives make sure they have adequate compliance support. The value of a compliance expert cannot be stressed enough.
How is your organization handling the security risks associated with the increased use of the cloud, remote monitoring, electronic health records and senior residents’ use of technology?