- Changes to the HIPAA Privacy Act are expected this year
- At their core, these changes will improve healthcare provider interoperability and empower patients with more rights around their health data
- Now more than ever, healthcare organizations must embrace cloud DLP to keep up with the changing regulatory landscape
It’s been a long time since there’s been any update to the Health Insurance Portability and Accountability Act (HIPAA). But, this year, things are going to change with new additions to the HIPAA privacy rule expected to be announced in the coming months.
Read on to discover how HIPAA will evolve this year and what your company needs to do.
What is HIPAA?
HIPAA is a federal law in the United States. It mandates security and privacy standards around patient health information – both in paper and digital forms. HIPAA is enforced through the HIPAA Privacy Rule, which puts measures in place over how patient data must be treated. The HIPAA Security Rule focuses on protecting the confidentiality, integrity, and availability of all electronically protected health information.
Background on the upcoming changes
It’s been a long minute since any new HIPAA regulations have been signed to law so, in a way, these changes have been a while coming. They are also not a surprise; there’s been chatter and movement with the federal system around HIPAA for a while. It’s just that nothing concrete has come out of these proposals thus far.
For context, the last update to HIPAA occurred in 2013, with the introduction of the HIPAA Omnibus rule. This introduced rules around the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The most recent proposal – that’s relevant now – is from the Office for Civil Rights (OCR). In December 2020, it issued a Notice of Proposed Rulemaking (NPRM) that features many changes to the HIPAA Privacy Rule.
The final ruling on this is expected to come this year. As always with these things, proactivity is key – which is why we’re delving into the changes ahead of time.
What are the proposed changes to the HIPAA Privacy Rule?
The proposed changes to the Privacy Rule aim to make care more seamless and interoperable, improve patients rights to access their medical records and lessen administrative burdens on healthcare providers.
The fundamental changes to note are:
- Empower patients with more access to their medical records
- Improve interoperability between providers by making it easier to disclose PHI for coordination reasons
- Revise Notice of Privacy Practices to ensure patients understand their rights regarding their personal health data
The proposed changes to the HIPAA Privacy Rule have proved pretty controversial. Privacy advocates are worried that patient health data could be at risk.
Moreover, any regulatory change naturally requires the healthcare provider to update their policies and technologies, and train their people – which comes at a cost.
Despite this, the HIPAA changes are meant to be a good thing. Essentially, HIPAA is trying to help health providers modernize by enabling PHI to flow more freely.
How to meet HIPAA’s upcoming requirements
These changes mean it is more important than ever for healthcare providers to obtain deep, granular visibility of patient information. This will be essential to both keeping up with patient demands for access to their data and sharing data with other health providers in a secure way.
We must also consider that a lot of this communication and data sharing will occur through cloud-based systems, which are fast becoming the future of healthcare.
In this context, cloud-based data loss prevention is essential. Using APIs, cloud-enabled DLP extends data protection outside of the corporate network and directly into SaaS applications, giving security teams much needed control and visibility over how data is being used, stored and who it is shared with – no matter where it travels.
Here’s how DLP can help you meet HIPAA requirements:
Create granular policies
A robust DLP solution is the foundation of data governance. It can act as a virtual compliance officer within your security team. For HIPAA, GDPR, you can enforce DLP policies that capture, redact and protect PPI and PHI as it travels through collaboration tools. This ensures that PHI is only shared with intended recipients.
Prevent data breaches
Through data classification, you can inform your DLP solution what data must be protected at all costs. It can detect PHI, preventing this data from being unlawfully shared, transported or accessed by unauthorized parties. Moreover, because next-generation DLP works in-app, it doesn’t hinder employee productivity or disrupt the workflow. This means that employees can continue to collaborate as normal.
Real-time threat detection
Moving beyond data, next-generation DLP solutions are also contextually-aware. This means that they can protect against insider threats by spotting and responding to suspicious activity in real-time. For example, suppose a user attempts to download a patient’s file without authorization. In that case, the DLP solution will block the action and alert the IT team at the same time so they can review the request in more detail. Rather than being on the back foot and responding to breaches when it’s too late, your team can become proactive security guardians.
Guide employees towards compliance
Best-in-breed DLP solutions don’t just safeguard data; they help employees to make better decisions. Security training is an integral part of HIPAA, but training courses rarely have the desired impact. By contrast, our DLP solution offers in-app nudge functionality, which checks in on employees as they make decisions to remind them of compliance best practices.
Discover lost data
Unstructured data is a considerable compliance risk – and cloud applications often contain a wealth of it. DLP can empower you to get a handle on unstructured data. It offers mining capabilities for SaaS applications. It can automatically scan messages, files, and chats for unstructured PHI data.
As a next-generation data loss prevention (DLP) provider, Polymer is well-placed to help you meet HIPAA requirements. Our solution identifies, alerts & secures sensitive healthcare data in real-time over chats, file storage platforms, ticketing systems & codebases.