By Jason Silverstein, COO, PHIflow
In our last post, 2018 Reflections, we recapped key events from 2018.
As of the writing of this post, 2019 is off to quite a start!
• Massachusetts enacted an updated breach notification law
• Office for Civil Rights (OCR) publicly announced its search for a new Deputy Director for Health Information Privacy
• The hacker behind the attack on Boston Children’s Hospital was sentenced to 10 years in prison
State and federal regulators clearly have their eyes and ears open and are ready for a busy 2019. News outlets are hungry for breach and incident news. So, what lies ahead for 2019? Below are predictions from our team and other industry experts for what we can expect for 2019.
1. Major data breaches – who’s next?
A major cloud hosting provider such as Amazon Web Services or Microsoft Azure will report a major PHI-related breach this year. The blockbuster event will shake the healthcare compliance world by proving that no organization (covered entities, business associates or cloud hosting providers large and small!) is immune to mishandling PHI.
2. Fines, fines, fines – but where does all the money go?
OCR will announce initial plans to formally establish a mechanism to distribute funds from penalties and settlements to individuals who are harmed by PHI-related violations. This also means we can expect a massive increase in the size of penalties to support this.
3. More privacy laws – coming to a state near you
By the end of 2018, 12 states out of 50 had already updated their privacy laws regarding notification to patients, shortening the standard 60 days from the federal guidelines to 45 days, and in some states (CO, FL) the breach notification window is down to 30 days. We predict that more than 25 states out of 50 will have shortened their notification windows by the close of 2019.
4. Digital health + online access to records = more breaches
Celine Chan – CTO, PHIflow
As a patient, being able to easily access my health records online and use digital health applications has made life much easier. As a technologist, I can’t help but question the technical safeguards that are in place (or not in place!) as I’ve watched the last of the smaller physician groups and hospitals transition to cloud-based EMRs. As we see larger, more mature organizations struggle with privacy and security, who is enforcing security measures for the smaller organizations or all of the new digital health companies? In my opinion, the worst is yet to come; we’ll see 50% more reported breaches in 2019 than we saw in 2018 (total reported: 291 breaches).
5. Purchasing cyber insurance gets more sophisticated
Greg Waldstreicher – CEO, PHIflow
In 2018, healthcare organizations were the largest buyers of cyber insurance policies. In 2019, we will see the purchasing of cyber insurance become more sophisticated as healthcare organizations, and their cyber carriers, try to understand true enterprise risks and liabilities and take steps to mitigate those risks. We will see activities that are focused on risk that will have major impacts on cyber policies including breach preparation and response, vendor analyses and third-party assessments. When more data can be made available about enterprise risk, carriers can underwrite policies with more specificity.
6. Software will continue to reshape the legal services market
Ryan McClead – Principal, Sente Advisors
We’ve already started to see the consumers of legal services demand changes to the current model; the billable hour, while still prevalent for highly strategic legal work, is becoming less common for higher-volume and lower-risk work. Non-billable hourly pricing will continue to proliferate in 2019 for increasingly higher-value work, as firms have more and more clients demand efficiencies via use of software and innovative new products. This will be the year that law firms begin to view so-called ‘Alternative Legal Service Providers’ as direct competition, and will invest in software and business (non-legal) expertise to truly improve their efficiency and productivity, rather than primarily to promote their ‘innovation’ strategy.
7. Significant blockchain advances – by law!
Ruth Amos, JD, RN – CEO Practical Informatics, Partner Cogent Law, HIMSS Blockchain Task Force, HIMSS Legal Task Force
Fundamental blockchain standards will be formally established via NIST and IEEE surrounding healthcare data specifically, propelling additional legislative and regulatory initiatives in both the US and abroad. This means that US states will likely respond with blockchain bills focusing on healthcare data issues being introduced and/or passed in 2019. In the absence of federal law, which is also likely to pass in some form, I anticipate 35-40 states will advance blockchain legislation by the end of 2019.
And if your organization is going to set up a blockchain network, you have to know your ecosystem. You have to know who you share data with and what you share. For blockchain to work, you have to start with getting your BAA house in order!
8. BAA Management as part of Enterprise Data Governance
Terri Mikol – Data Governance Practice Lead, The Knowledgent Group / Accenture
In 2019, my specialty areas – Enterprise Data Governance & Health Information Management – will reach new highs. Organizations large and small are (finally!) recognizing and investing in their most important asset: data! I will be adding Business Associate Agreement (BAA) management as an important stepping stone for all of my Data Governance clients. Using BAAs, this is the year my clients are going to inventory where all of their strategic data assets are coming from, how the data is being used, what data is leaving the organization and for what purposes. ‘Who do we share data with, and what are we sharing’ are two very important questions to answer accurately. BAAs go far beyond compliance!
9. Fighting the Opioid Crisis with Data – A Privacy Nightmare
Michael Wildsmith, MBA, CHCO – HIPAA Privacy & Security Officer, Cornerstone of Recovery
The opioid crisis must be fought, and must be won. And perhaps it could be fought with data. But there are conflicting mandates that make use of data harder than people think. HIPAA allows data sharing without a patient’s consent for the purpose of treatment, payment and operations. But the Substance Abuse and Mental Health Services Administration (SAMHSA)’s federal regulation (42 CFR Part 2) requires a patient’s consent to disclose treatment data. As a Substance Abuse compliance officer, I predict that fighting the opioid crisis with data will usher in a wave of new compliance challenges. We’ll see more Substance Abuse-related HIPAA violations this year as a result of misaligned regulations.
10. Increase in telemedicine-driven HIPAA violations
Kristen Cittadino, MA, MHA – Administrative Manager, Intake and Quality Assurance, St. Barnabas Hospital
Navigating the complexities of HIPAA compliance is already a major challenge for hospitals, but the implementation of technologies such as telemedicine comes with new challenges for data security and vendor management. Telemedicine makes healthcare very convenient, but is it secure? A giant misunderstanding around telemedicine (and other technologies) is that utilizing ‘HIPAA compliant software’ will always protect you from committing HIPAA violations. Healthcare staff are often not fully trained on how to apply HIPAA to new technologies. As more health systems implement telemedicine capabilities in 2019, we’ll also see a major increase in telemedicine-related violations.
PHIflow is a data and technology company combining artificial intelligence and legal expertise to help companies understand their HIPAA Business Associate Agreement (BAA) risks and requirements.
530 7th Avenue, M1, New York, NY 10018