3/09/2021
Those in the healthcare industry should be familiar with and must stay on top of many ever-changing regulations. One of the most popular of these, is the Health Insurance Portability and Accountability Act, better known as HIPAA.
Background
HIPAA is a federal law enacted in 1996 by the Department of Health and Human Services that protects patient health information from being used or disclosed without their authorization or knowledge. (Health Insurance Portability and Accountability Act of 1996 (HIPAA) | CDC) HIPAA includes the Privacy Rule and The Security Rule that directly and indirectly impact clinical trials.
The Privacy Rule protects patient’s “protected health information” or PHI by covered entities. Protected health information includes identifiable health information that can be in paper, verbal, or electronic form. Covered entities include health plans such as medical insurers, HMOs, Medicaid, Medicare, healthcare providers, healthcare clearinghouses and business associates. These covered entities may disclose patient health information for certain purposes that can be found here (Permitted Use and Disclosures | HIPAA | HIPAA). Some healthcare providers also conduct clinical trials as part of their healthcare services offered to their patients.
The Security Rule specifically protects electronic data referred to as electronic protected health information (e-PHI). As the healthcare industry has evolved over the years, patient records went from being stored on physical documents to electronic records. Electronic records are promoted to be more convenient and efficient, however, as many healthcare providers began to adopt new technologies for keeping patient health records, the more security risks presented themselves. The Security Rule was developed as a safeguard and requires covered entities to provide protections of sensitive patient electronic health data. (Summary of the HIPAA Security Rule | HHS.gov)
How is the Healthcare Industry Complying?
According to the requirements from the Health Information Technology for Economic and Clinical Health Act (HITECH), periodic audits are necessary for covered entities mentioned above. The Office of Civil Rights (OCR) with the DHHS issued its audit findings from the 2016-2017 HIPAA Audits Industry Report on December 17, 2020, and 166 covered entities and 41 business associates were audited. Findings found that most of the entities and business associates were not compliant. The OCR provided the results of the findings below:
Most did:
Provide timely security breach notifications
Provide a distinguishable post about their Notice of Privacy Practices on their websites
Most did Not:
Provide the complete content on their Notice of Privacy Practices
Provide required content for notice of breach notifications to individuals
Implement individual right of access requirements, like action within 30 days or a reasonable access fee
For more information on right of access, see the following release: OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative | HHS.gov
Most covered entities and business associates did not implement risk management or analysis for the HIPAA Security Rule (OCR Issues Audit Report on Health Care Industry Compliance with the HIPAA Rules | HHS.gov)
The audit findings show that many business associates and covered entities are not following many important parts of HIPAA. The OCR states they will continue their enforcement and auditing as many of the expectations are not being met for the security of sensitive electronic health data. Covered entities and business associates should take preventative risk cost-based requirements for access to patient health data to reduce security threats. Visit this page for the full audit report- OCR Phase 2 HIPAA Compliance Audits: Industry Final Findings Report 2018 (hhs.gov)
If you are unsure how HIPAA is relevant to your clinical trial, Clinical Pathways offers HIPAA training, live streaming, webinars, and in person training (post pandemic).
- The Clinical Pathways Team
Enjoy this blog? Please like, comment, and share with your contacts.