What does HIPAA-compliant mean anyway?

0
702

By Danny Muchoki, Privacy Officer


During the COVID-19 public health emergency, the Department of Health & Human Services said that they would be exercising their enforcement discretion on certain parts of the HIPAA Privacy Rule.

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.

Which was, honestly, the right decision. Practitioners could breathe easier knowing that they would not get fined for using video conferencing with their patients. I work in public health and I’m a fan of technologies that expand access to care.

Even so, there are no shortcuts in good due diligence. So, it often frustrates me when vendors and practitioners say:

“This widget/service we bought is HIPAA-compliant.”

I don’t have a huge problem with the phrase “HIPAA-compliant” in itself. I do want to suggest “HIPAA compliant” nudges us away from the kind of cool, clever, and creative thinking HIPAA asks us to do. Which is unfortunate. A “HIPAA-compliant” widget may nevertheless be the wrong widget for your organization, staff, or customers.

Besides, “HIPAA compliant” can’t ever be an end-state. I am sure some organizations experience that level of zen – the kind where you perfectly balance the ever-evolving demands of customers, payors, regulators, shareholders, children, and the gods. Maybe the Jedi were like that? For the rest of us, complying with HIPAA is a constant and never-ending process.

To understand why “HIPAA-compliant” can’t ever be an end-state, consider HIPAA’s two central requirements:

  1. Use reasonable physical, technical, and administrative safeguards to
  2. Protect the confidentiality, integrity, and availability of protected health information.

If you’re more visually inclined (as I am), HIPAA compliance looks kind of like this:

Physical Safeguards

Technical Safeguards

Administrative Safeguards

Confidentiality
Integrity
Availability

 

“HIPAA-compliant” means every single space in that table is filled by people, technology, and procedures all wrapped up in policies that need to be updated almost as soon as they are written. Budgets rise and fall. People change positions. Technology advances. Opportunities and threats shift every day. Tools only available to well-moneyed organizations now filter down to the lone practitioner. A few years ago, large language models were out of reach for all but a few. Now they’re everywhere.

Patients expect their providers to be up to speed with the latest health trends. Patients want to send you their Fitbit data because it shows they’re taking your advice to walk more often. Patients wonder why you don’t use Venmo or accept bitcoin.

Can you use Venmo? What about bitcoin?

Are they … HIPAA-compliant?

I’ve often found myself repeating to anyone who will listen – HIPAA asks for reasonable safeguards. Not perfect ones.

What is reasonable for a large organization may be complete overkill for a solo practitioner. With this standard, HIPAA challenges us to constantly re-evaluate the tools we use and the contexts we use them. This requires a lot of creativity in any health care organization.

For instance. Curious whether using Venmo in your practice is okay? Well, reasonable people will disagree. But here’s a way to approach the question:

  1. Think about your obligation to protect the confidentiality, integrity, and availability of information.
  2. Think about the safeguards you will have to deploy.

Then think about:

  • Is Venmo a way you can grow revenue, increase access to services, and protect information? Or is there another service out there that does the same thing?
  • What would the perfect service look like to you? Does it exist at all? Does it exist at a price point you’re comfortable with?
  • Maybe your patients will embrace this alternative because it’s similar enough to Venmo or SnapCash or the payment app du jour?

The result? You’ve made a well-reasoned choice for yourself. The world changes quickly, and HIPAA asks us to use reasonable efforts to adapt. That’s probably the best any of us can ever do. And, maybe I’m just weird, but I kind of enjoy adapting to new things. It gives me faith that people out there are still trying to make a better world.

So going forward, don’t just pick up the first “HIPAA-compliant” widget you see. Don’t simply rely on a vendor’s “HIPAA-compliant” promise.

Stop for a moment. Think about what HIPAA wants you to do. HIPAA wants you to think creatively about the risks you face, the resources you have, the customers you serve, and the opportunities that lie open to you. Embrace the challenge!

Once you do, you will see just how broad your options really are.