Why HIPAA Compliance Is Becoming More Challenging
In 2021, a record number of 713 major health data breaches affected more than 45.7 million individuals. In the first half of 2022 alone, 347 major health data breaches affecting more than 19.6 million individuals were reported.
Over the past few years, the number of health data breaches has steadily increased. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) archive shows over 4,000 major health data breaches affecting nearly 321 million individuals since 2009. This has included:
- 270 breaches affecting 112.5 million individuals in 2015
- 329 breaches affecting 16.7 million individuals in 2016
- 358 breaches affecting nearly 5.3 million individuals in 2017
- 369 breaches affecting 14.4 million individuals in 2018
- 512 breaches affecting 42.3 million individuals in 2019
- 663 breaches affecting more than 34 million individuals in 2020
This upward trend reflects what many healthcare organizations and business associates are already well aware of: HIPAA compliance is becoming more challenging in today’s rapidly changing cybersecurity and threat landscape. Read on to learn why.
6 reasons HIPAA compliance is becoming more challenging
The exponential growth of health data, changing HIPAA regulations, and increasingly sophisticated threats are just a few factors that are making it more difficult for organizations to comply with HIPAA and secure protected health information (PHI). Let’s take a closer look at these factors below.
1. Exponential growth of health data
Healthcare organizations and business associates are collecting, storing, and sharing more health data than ever before.
According to research by RBC Capital Markets, approximately 30% of the world’s data volume is being generated by the healthcare industry. By 2025, the compound annual growth rate of data for healthcare is expected to reach 36% — a higher rate than manufacturing, financial services, and media and entertainment.
The rapid growth of health data is making it more difficult for HIPAA-covered entities and business associates to put the necessary physical, electronic, administrative, and technical safeguards in place to protect it.
2. New technology
The healthcare industry has largely been digitized over the past three decades. Most hospitals and physician’s offices have moved from paper-based to electronic health record (EHR) systems. Many patients are usings apps on smartphones, tablets, and computers to access their health information. More healthcare organizations are embracing the cloud to store and share data.
Much of this technology did not exist when HIPAA was passed, which makes it difficult for organizations to understand how to collect, store, and share data using these technologies while remaining compliant with HIPAA.
For example, some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors. Because some were doing so in a way that violated HIPAA Rules, the HHS OCR had to issue a bulletin in December to explain how regulated entities can (and cannot) be using online tracking technology under HIPAA.
3. Increasingly sophisticated risks
New technology in healthcare has introduced new — and increasingly sophisticated — risks.
ePHI exists in more places across a healthcare organization than ever before: software, connected devices, legacy systems, and elsewhere across a network. That means there are more infiltration points for cyberattacks such as ransomware, malware, and email phishing.
Ransomware attacks on hospitals and healthcare organizations in particular have been on the rise. According to a 2022 survey of 132 healthcare executives by the Health Information Sharing and Analysis Center, ransomware is the number one cybersecurity threat, more than data breaches or insider threats.
In April 2022, the HHS Cybersecurity Program issued an alert to healthcare providers warning them to guard against an "exceptionally aggressive" ransomware group employing a wide variety of tactics, techniques, and procedures to encrypt and steal data.
Implementing security measures that are required by HIPAA has become more of an imperative to help prevent these increasingly sophisticated cyberattacks. Organizations that have been affected, like the University of Vermont Medical Center, have had to strengthen their advanced firewall protection and antivirus software and block access to personal email on work computers, among other measures.
4. Greater patient demands for health data privacy and accountability
In a 2022 survey by the American Medical Association, nearly 75% of patients expressed concern about protecting the privacy of personal health data and 90% of patients said they wanted to see companies held accountable for health data use.
As patients’ concerns about their health data privacy continue to grow, they are looking to governments and enforcement agencies to consider extending or passing new regulations to help address the privacy risks they face today.
For example, in a survey by The Pew Charitable Trusts, most respondents said they want to use apps on smartphones, tablets, and computers to access their health information. But those who expressed serious privacy concerns nearly doubled—from 35% to 62%—when they were told that federal privacy protections do not cover data stored on apps. Many said that extending these laws could help alleviate their concerns.
Doing so may result in more requirements for HIPAA-covered entities, like conducting privacy and security reviews of health apps that access PHI.
5. Changing HIPAA regulations
Since HIPAA was signed into law in 1996, there have been several significant updates, including the introduction of the Privacy, Security, Omnibus, Breach Notification, and Enforcement rules.
Many of these changes required healthcare entities to implement new measures to get and stay compliant, such as training employees on HIPAA requirements and best practices, assigning unique identifiers to users, and using data encryption on portable devices and computer networks.
Most recently, several updates to the HIPAA Privacy Rule were proposed to improve coordination of care for patients receiving treatment while strengthening critical privacy and confidentiality protections.
As HIPAA regulations continue to evolve to meet healthcare consumer demands, organizations are challenged with staying current on the latest regulations to mitigate legal, regulatory, and financial risk.
Recommended reading
How the HIPAA Privacy Rule Protects PHI
6. New privacy laws
In recent years, there have been dozens of new privacy laws passed around the world, including in the United States, Japan, South Korea, Brazil, and China. Most notable are the EU’s General Data Protection Regulation and the California Consumer Privacy Act.
These privacy laws have some overlapping requirements for personal health data. For example, GDPR allows the processing of personal health data (which falls under its definition of sensitive personal data) without the consent of the individual for reasons related to legal claims or public health, among other conditions laid out in Article 9. HIPAA, on the other hand, allows disclosure of some PHI without the consent of the individual for treatment purposes. Covered entities and business associates that must comply with HIPAA and GDPR are challenged with keeping track of these varying requirements.
The good news is that if your organization needs to be compliant with HIPAA and other privacy laws, then some safeguards can be used to protect data that falls under the scope of multiple laws.
However, ensuring that you have all the safeguards required for each applicable privacy law is more of a challenge than complying with one law — especially if you don’t have a single source of truth and system of record for security, privacy, and compliance.
How Secureframe can help you get and stay HIPAA compliant now and in the future
Secureframe makes it faster and easier to achieve and maintain HIPAA compliance by simplifying the process into a few key steps:
- Create HIPAA privacy and security policies
- Train employees on HIPAA requirements and best practices
- Manage vendors with access to PHI
- Ensure business associates protect PHI
- Monitor your HIPAA safeguards
Learn more about how you can automate your HIPAA compliance today.