Why HIPAA Security Practices Are a Hot Topic This Fall

By Devin Partida, Editor-in-Chief, ReHack.com
Twitter: @rehackmagazine

The Health Insurance Portability and Accountability Act (HIPAA) is a popular topic of conversation today. While these regulations and how they pertain to hospital security practices have always been relevant, they’ve attained unprecedented press recently.

Google searches for HIPAA skyrocketed in March 2020 and again in May 2021. Discussions over HIPAA security practices will likely continue to populate the internet and business meetings throughout the fall, too. Health care professionals, who are already familiar with this area, may wonder why HIPAA has seen such a quick surge in interest.

Here’s a closer look at why HIPAA security practices are a hot topic this fall.

Growing Misinformation

The first reason behind this trend is a plague of misinformation. As the COVID-19 pandemic has grown, so too has the public’s misunderstanding of what exactly HIPAA covers. With more nonmedical businesses asking for proof of vaccination, many people, including some elected officials, have demonstrated a belief that HIPAA is broader than it actually is. In reality, the HIPAA Privacy Rule binds only covered entities (health plans, health care clearinghouses, and providers that transmit health information electronically) and their business associates; it does not prevent a restaurant or employer from asking a customer or worker about their vaccination status.

Social media has enabled this misinformation to spread rapidly throughout communities. Despite the efforts of companies like Facebook, automated moderation models have struggled to flag misinformation reliably, allowing it to keep spreading. These misconceptions may become more widespread the longer the pandemic goes on.

As businesses and governments take additional steps to combat COVID-19, it will likely incite more misunderstandings about HIPAA. Consequently, conversations about what the act does and doesn’t cover will likewise rise.

Health App Data Concerns

There are entirely valid concerns over HIPAA that have emerged recently. Many organizations and governments have suggested or even implemented mobile app-based health services to counter the pandemic, such as contact tracing apps. While these systems hold much potential for fighting outbreaks, the data they collect and share raises privacy concerns.

For example, Singapore has invested in two contact tracing apps that use Bluetooth signals and location data to better track potential outbreaks. These systems, while effective, can provide a record of who was at a given location at any time. Should a breach occur, attackers could obtain sensitive information. Whether that is a HIPAA matter depends on who operates the app and holds the data: HIPAA is a U.S. law that applies only to covered entities and their business associates, and many consumer health apps fall outside it altogether. As more apps carry private health care data, both the HIPAA-covered and the uncovered cases become a privacy concern.

Health apps that rely on third-party hosting services may also run into HIPAA compliance issues. A hosting or cloud provider that stores or processes protected health information on a covered entity’s behalf is a business associate under HIPAA and must be bound by a business associate agreement (BAA) before it receives that data. Health care providers that deploy an app onto infrastructure without such an agreement may end up giving these third parties access to patients’ private health data, however unintentionally. Medical organizations must therefore consider whether their new digital tools jeopardize patient privacy in the name of convenience.

Recent HIPAA Updates

HIPAA itself has seen recent changes, making it a more relevant concern for health care organizations. In January 2021, the government amended the Health Information Technology for Economic and Clinical Health (HITECH) Act. The amendment requires the Department of Health and Human Services (HHS) to consider whether an organization had recognized security practices in place for at least the previous 12 months when conducting HIPAA investigations and audits.

These “recognized security practices” refer to established industry cybersecurity standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the practices published under Section 405(d) of the Cybersecurity Act of 2015. Under this new amendment, HHS officials will consider an organization’s adherence to these standards when deciding fines, the length and outcome of audits, and remedies for potential HIPAA violations.

The amendment is framed as a mitigating factor rather than a new requirement: an organization that cannot demonstrate recognized security practices is not automatically noncompliant and faces no additional liability on that basis alone, but it forgoes the reduced penalties and shorter audits that an organization with documented practices can expect. In light of this change, medical organizations should consider implementing relevant security practices and, just as importantly, keeping the records needed to demonstrate that those practices have been in place.

Stay Compliant and Secure

Health care companies should consider their HIPAA compliance in any situation. Given these recent trends, though, it’s perhaps more critical than ever to ensure all of an organization’s practices and services are HIPAA compliant.

As potentially risky apps become more common and new regulations emerge, companies that were once compliant may find that they are no longer. Just as with any cybersecurity initiative, HIPAA compliance is an ongoing process, not a one-time action.