Let’s consider a few scenarios.
Scenario 1: You text an abortion-determined client simply to check on her. A few hours later the client’s father storms into your clinic and asks about the message and if his daughter is pregnant. Can you communicate protected health information via a short message service (a.k.a. SMS message)?
Scenario 2: A client’s boyfriend calls stating his girlfriend is at your center getting tested. He asks for the results because he feels she lies to him a lot and he wants to be sure he is getting the truth. Can you share that information with him?
Scenario 3: You know that your neighbor’s daughter came in for a pregnancy test and your curiosity has the best of you, so you peek at her record and find out she is pregnant. Can you view records that are not within the scope of your job simply because you serve or work at the pregnancy center?
Scenario 4: After logging into your work computer, you notice you cannot access any programs or files. Is this a network issue, or is there something more going on? These scenarios are not uncommon and the Health Insurance Portability and Accountability Act, or HIPAA is an important piece of legislation that helps you to address these types of scenarios by establishing standards for the protection of protected health information (PHI) and electronic protected health information (ePHI).
The HIPAA Privacy Rule was the first of its kind to create national standards to protect individuals' medical records and other personal health information. Additionally, the HIPAA Privacy Rule gives patients more control over their health information and it sets boundaries on the use and release of health records. The HIPAA Privacy Rule provides your organization with guidelines for sharing and protecting the PHI held by your organization in a way that ensures an individual’s personal and medical information is kept secure and private. The HIPAA Security Rule establishes standards that protect the confidentiality, integrity, and availability of the ePHI held by your organization, while the HIPAA Breach Notification Rule details how an organization should respond to a breach, and the HIPAA Enforcement Rule explains how the Office of Civil Rights, or the State Attorney enforce the Rules in the event of a breach.
The security of electronic protected health information has taken center-stage in the health care sector with increased cyber-attacks such as hacking and phishing attacks. The organizational cost of a data breach can be devastating. Civil money penalties range from $127 per violation The Importance of HIPAA for a tier 1 violation up to $63,973 per violation for a tier 4 violation. In 2022, the Office of Civil Rights, or the OCR, imposed $2,127,140 in civil money penalties and 2023 is poised to easily exceed this amount. Civil money penalties are not the only organizational costs associated with a data breach. Additional costs to consider include legal fees, and depending on the number of individuals impacted, there may be costs associated with breach notification, and not to mention the damage to your organization’s good reputation. Despite the organization cost of a data breach, one must also consider the impact on the individuals whose protected information has been compromised.
When a patient utilizes the services provided at your center, they do so with the expectation that the very personal information they share will be safeguarded. However, in 2022, healthcare organizations suffered an average of 1,410 weekly cyberattacks per organization, which is an 86% increase since 2021. According to a Trustwave report, a healthcare data record may be valued at up to $250 per record, which is 20 to 50 times more valuable than other personal data. The value of this information is increasing because the information is static and can be used for multiple types of fraud.
HIPAA may seem overwhelming due to it being multi-faceted, but taking some practical steps will help you overcome and conquer HIPAA compliance. First, start by conducting a security risk assessment. If you’re a member of NIFLA, you may have access to their risk assessment. Although the NIFLA risk assessment only identifies areas of vulnerability, it is a good starting point. Alternatively, you can go to learningiscreated.org and click the ‘Resources’ tab, then select Free HIPAA Resources from the menu options. The first item on the page is a link to a free program called the SRA Tool. SRA stands for security risk assessment and the tool helps you conduct a security risk assessment. The second link on the Free HIPAA resources page is a link to a video you can register and watch for free on Learning Is Created that introduces you to the SRA Tool. The SRA Tool reveals the areas where your organization is vulnerable, and it provides an action plan to close the gap in these areas.
The second activity that can and should be done simultaneously with the risk assessment is training. Training is the fastest and broadest compliance net you can cast. All pro-life organizations that receive, maintain, or transmit protected health information should be doing HIPAA training. HIPAA training raises awareness among your workforce and establishes a foundation to the culture of compliance every organization needs. Beginning with these two activities: conducting a security risk assessment and implementing HIPAA training, you are The Importance of HIPAA positioning your organization for success in the future, which is uncertain, especially at the federal level. Currently, there are at least three bills being considered at the federal level that will impact prolife organization that are not currently covered by HIPAA. First, is the American Data Privacy and Protection Act, second is the Protecting Personal Health Data Act, and third is the My Body, My Data Act, which is directly related to the criminalization of abortions after the overturning of Roe v. Wade.
The interesting detail about these bills is that they are very similar to HIPAA regarding how an organization protects protected health information (PHI) and electronic protected health information (ePHI) – especially when it comes to the Security Rule and cybersecurity. In that respect, pro-life organizations that are being pro-active with HIPAA compliance are ahead of the game when/if these bills become law. The one significant way these bills are different from HIPAA is how they define a covered entity. The definition suggested by the three new bills would likely include pregnancy centers and other pro-life organizations not currently required to comply with HIPAA. It seems inevitable that pro-life organizations that possess PHI or ePHI will be pulled into some form of compliance requirements in the future.
Dr. Missy Clifton, is the founder of Learning Is Created, a 501(c)(3) non-profit. She holds a Doctorate in Advanced Clinical Pastoral Psychology, a Master’s in Instructional Systems with a focus in Online Learning, A Master’s of Divinity with a focus in Biblical Studies, and is certified in Health Care Privacy and Security.
To access the above-mentioned resources or to connect with Dr. Clifton for training, please visit https://learningiscreated.org/hipaa-resources/