The original HIPAA Security Rule was published in 2003, with a compliance deadline of April 2005, to ensure the confidentiality, integrity and availability of electronic Protected Health Information (ePHI) both at rest and in transit. Enforcement of HIPAA security is an ongoing responsibility of the Department of Health and Human Services' Office for Civil Rights (OCR), and the rules were first amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which introduced the tiered civil penalty structure and the Breach Notification Rule.
Since 2009 there has been a substantial increase in the adoption of BYOD policies. To reflect these changes in working practices, further amendments were introduced in the Final Omnibus Rule of 2013. The most significant of these was a change to the criteria for reporting breaches of PHI: the earlier "risk of harm" threshold was replaced by a presumption that any impermissible use or disclosure of PHI is a reportable breach unless a documented risk assessment shows a low probability that the PHI has been compromised. These revised criteria have implications for covered entities (and, since the Omnibus Rule, their business associates) that have not embraced HIPAA security compliance, as they can be exposed to civil penalties of up to $50,000 per violation, with each day a violation continues counted as a separate violation, subject to an annual cap of $1.5 million for violations of an identical provision.
Avoiding Data Breaches is the Best Way to Avoid Fines
The revised criteria and increased fines prompted healthcare organizations and other covered entities to look more closely at their HIPAA security compliance. Many healthcare organizations, including four of the largest for-profit healthcare organizations in the country, identified secure messaging solutions as an effective way of reducing the risk of PHI breaches. They subsequently implemented such solutions to ensure the confidentiality, integrity and availability of PHI, and to take advantage of some of the benefits offered by compliance with HIPAA.
The primary benefit of HIPAA security compliance is a substantial reduction in the likelihood and impact of data breaches. All PHI is encrypted so that it is unusable if it is disclosed or accessed without authorization; this matters under the Breach Notification Rule, because PHI that has been encrypted in line with HHS guidance is treated as "secured" PHI, and its loss is not a reportable breach provided the decryption key was not compromised along with the data. Although encryption is an "addressable" rather than a "required" implementation specification under the Security Rule, a covered entity that chooses not to encrypt must document why and what equivalent safeguard it applies instead. Further safeguards prevent PHI from being transmitted outside a healthcare organization's network or saved to removable media (the loss or theft of USB flash drives is one of the leading causes of PHI breaches), and remote-wipe mechanisms allow PHI received on a mobile device to be deleted if the device is subsequently lost or stolen.