Managing HIPAA Compliance Risk with Helpshift
By Jonathan Chang, Sameer Patil
Jackson Health System (JHS) is a non-profit academic medical system in Miami, Florida which operates six major hospitals and numerous other facilities and clinics. In October of 2019, the U.S. Department of Health and Human Services imposed a civil money penalty of $2.2M against JHS for HIPAA violations between 2013 and 2016. There were incidents in 2013, 2015, and 2016 where JHS failed to meet HIPAA standards.
JHS waived its right to a hearing, did not contest OCR’s findings, and paid the full $2.2M penalty. That said, JHS’ penalty could’ve been much worse as fines can be as much as $50K per violation and include criminal litigation.
If you’re not familiar with HIPAA, you might be asking yourself what it is. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law which created national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA was introduced in 1996, primarily to address insurance coverage for individuals who are in between jobs. A secondary goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Subsequently, these requirements were also extended to sub processors and business associates of Healthcare service providers who may have access to Patient Health Information (PHI). Today, all healthcare service providers, insurers, and other processors of patient data must ensure they are compliant with HIPAA standards and requirements.
Helpshift worked with a leading HIPAA audit firm who independently evaluated Helpshift’s security and privacy controls in its environment to certify that Helpshift is HIPAA compliant. The independent assessment was performed in lieu of the HIPAA Security and Privacy requirements and, during the assessment, Helpshift demonstrated its compliance to HIPAA requirements. This further validates Helpshift’s commitment to data privacy and security by adhering to HIPAA’s standards around “Patient Data Handling Best Practices”, “Patient Data”, “Proactive Data Protection”, and “Risk Mitigation”.
Patient Data Handling Best Practices
Maintaining HIPAA compliance means demonstrating that Helpshift’s handling of sensitive data, personal information and patient data in general, is appropriate throughout the organization as per the requirements laid out in the HIPAA act. Specifically, how customer protected health information (PHI) and electronic protected health information (ePHI) is accessed, stored, transmitted, and shared has a significant impact on the level of risk for a breach or incident of non-compliance. Achieving and maintaining HIPAA compliance has required the assessment of how PHI is moving through Helpshift’s systems, including knowing exactly where it is going and who has access to it along the way. The requirements set forth in HIPAA support a wide range of data security best practices that don’t necessarily have to do with PHI. By implementing HIPAA controls and compliance protocols, Helpshift has demonstrated that all of its customers’ sensitive data is secured and protected. With today’s landscape of active and persistent threats, Helpshift’s approach to security and privacy provides a high level of defense through system-wide vigilance.
Proactive Data Protection
Implementing a comprehensive patient data security risk management strategy that is in line with HIPAA requirements allows Helpshift to proactively protect its systems containing sensitive data against current risks. At the same time, an intelligent data protection plan enables Helpshift to quickly adapt to new threats on the market. As new technologies are being introduced at a seemingly blinding pace, Helpshift is taking steps to safeguard against tomorrow’s threats as well. As a result, Helpshift has heightened cybersecurity posture that comes with compliance and is one of HIPAA’s top benefits.
Perhaps the single greatest advantage of achieving and maintaining HIPAA compliance is the confidence in knowing one won’t be subject to corrective action over HIPAA non-compliance. Corrective action can take a number of forms, but each can have a significant monetary cost associated with them. For example, extensive training and retraining may be needed for staff and as well as replacing or overhauling non-compliant systems. Because Helpshift is committed to data privacy and security and its HIPAA compliance, your risk is significantly reduced.
With Helpshift, you’ll be confident its data privacy and security approach minimizes liability and risk. And, Helpshift’s HIPAA compliance is further validation of its commitment to protecting patients’ and its users confidential information.