Blockchain, a newer technology, holds significant promise for improving HIPAA compliance. It is a system of recording information that reportedly makes it difficult or impossible to change, hack, or cheat the system. Every block on the chain holds a specific number of transactions, and every new transaction on the Blockchain is recorded. A record of every transaction is then added to every ledger. “Along with cloud, Blockchain can introduce significant protection and security to electronic PHI,” Bailey said. “There is no reason why this cannot be a success.”
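The tamper resistance described above comes from hash-chaining: each block commits to its own transactions and to the hash of the block before it, so altering a record invalidates every later block, and a verifier holding any copy of the ledger can spot the change. The following is an added illustration written for this article, not code from any product or from Bailey; the access events, block size and field names are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events standing in for access records on electronic PHI.
# Record identifiers are placeholders, not real patient data.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T09:00:00Z", "user": "clinician-17", "record": "R-0001", "action": "view"},
    {"ts": "2024-01-01T09:05:00Z", "user": "clinician-17", "record": "R-0001", "action": "update"},
    {"ts": "2024-01-01T10:10:00Z", "user": "billing-04", "record": "R-0002", "action": "view"},
    {"ts": "2024-01-01T10:15:00Z", "user": "clinician-22", "record": "R-0003", "action": "view"},
]

GENESIS_HASH = "0" * 64  # the first block links to a fixed all-zero value


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: List[dict]
    hash: str


def block_hash(index: int, prev_hash: str, transactions: List[dict]) -> str:
    """SHA-256 over a canonical (sorted-key) JSON encoding of the block contents."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "transactions": transactions},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    """Minimal append-only ledger: transactions are batched into hash-linked blocks."""

    def __init__(self, block_size: int = 2) -> None:
        self.block_size = block_size
        self.chain: List[Block] = []
        self.pending: List[dict] = []

    def record(self, tx: dict) -> None:
        """Queue a transaction; seal a block once block_size transactions are pending."""
        self.pending.append(dict(tx))
        if len(self.pending) >= self.block_size:
            self.seal()

    def seal(self) -> None:
        """Close the pending transactions into a new block linked to the previous one."""
        if not self.pending:
            return
        index = len(self.chain)
        prev = self.chain[-1].hash if self.chain else GENESIS_HASH
        txs = list(self.pending)
        self.chain.append(Block(index, prev, txs, block_hash(index, prev, txs)))
        self.pending = []

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and link. Returns (True, None) or (False, first bad index)."""
        prev = GENESIS_HASH
        for b in self.chain:
            if b.prev_hash != prev:
                return False, b.index  # link to the previous block is broken
            if block_hash(b.index, b.prev_hash, b.transactions) != b.hash:
                return False, b.index  # contents no longer match the stored hash
            prev = b.hash
        return True, None


def build_sample_ledger() -> Ledger:
    led = Ledger(block_size=2)
    for ev in SAMPLE_EVENTS:
        led.record(ev)
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("blocks:", len(ledger.chain), "verify:", ledger.verify())
    # Silently rewriting a past access record is detected at that block.
    ledger.chain[0].transactions[0]["action"] = "deleted"
    print("after edit:", ledger.verify())
    # Even re-hashing the edited block only moves the break to the next block,
    # so a forger has to rewrite every later block, on every copy of the ledger.
    b0 = ledger.chain[0]
    b0.hash = block_hash(b0.index, b0.prev_hash, b0.transactions)
    print("after re-hash:", ledger.verify())
```

The example shows why copies matter as much as the hashing: a single party that controls the only copy can rewrite the whole chain, whereas distributing the ledger, as the article describes, means any honest copy exposes the discrepancy.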

HIPAA compliance specialist Susan Lucci, a senior privacy/security consultant with tw-Security based in Tucson, Arizona, would like to see an update of security terminology, with more precise nomenclature around today’s technology. HHS also should provide greater clarification and guidance on accounting of disclosures versus access audits. Many times, a patient may request an accounting of disclosures, but what they really want to know is whether anyone has been accessing their records internally without authorization (snooping). These are two entirely different processes. One has to do with disclosures made outside the organization, while the other is essentially a privacy complaint that needs to be acted upon, investigated, documented and resolved.

Lucci also would like to see significant changes in how investigations of data breaches and the associated corrective action plans along with financial settlement agreements are handled. “The findings should apply fully to business associates as well as the covered entities when compliance documentation is missing,” she said. “Right now, covered entities (CEs) are the ones who must report a breach to the OCR, and they appear to be the ones being investigated more fully than the business associate that had the breach in the first place.”

While right-of-access enforcement has gotten off to a good start, Lucci said it will likely include the requirements under Information Blocking in the future. “I’d also like to see OCR HIPAA compliance auditing resume for both CEs and business associates. If you look at the HIPAA Wall of Shame (breaches involving 500 or more individuals on the HHS website), it’s clear that business associates have caused about a third of breaches. Those breaches impact about two-thirds the number of people impacted based on reporting over the last year. So business associates should be audited and then be accountable just as CEs have been in the past,” Lucci said. The business associate HIPAA audit protocol has never been released to my knowledge.


HIPAA could benefit from some updating, simplification and clarification to help all healthcare organizations do a better job of complying with the regulation.

This article originally appeared on Renal and Urology News