The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 with the original purpose of improving the efficiency and effectiveness of the U.S. healthcare system. Over time, several rules were added to HIPAA focusing on the protection of sensitive patient information.
Covered entities under HIPAA include health plans, healthcare clearinghouses, and any healthcare provider that electronically transmits information such as health claims, coordination of benefits, and referral authorizations. Covered entities comprise individuals, organizations and institutions, including research institutions and government agencies.
In 2013, the Omnibus Rule, based on the Health Information Technology for Economic and Clinical Health (HITECH) Act, extended HIPAA to business associates, which can include attorneys, IT contractors, accountants, and even cloud services.
Consequences of Noncompliance
HIPAA requires covered entities including business associates to put in place technical, physical, and administrative safeguards for protected health information (PHI). These safeguards are intended to protect not only privacy but also the integrity and accessibility of the data.
The Department of Health and Human Services Office of Civil Rights (OCR) enforces noncriminal violations of HIPAA. Noncompliance may result in fines that range between $100 and $50,000 per violation “of the same provision” per calendar year.
Many OCR HIPAA settlements have resulted in fines over $1 million. The largest settlement as of September 2016 was for $5.5 million, levied against Advocate Health Care, stemming from several breaches that affected a total of 4 million individuals.
In addition to civil penalties, individuals and organizations can be held criminally liable when obtaining or disclosing PHI knowingly, under false pretenses, or with the intention to use for commercial gain or malicious purpose. Criminal offenses under HIPAA fall under the jurisdiction of the U.S. Department of Justice and can result in imprisonment for up to 10 years, in addition to fines.
The Privacy and the Security Rules
The HIPAA Privacy Rule establishes standards for protecting patients’ medical records and other PHI. It specifies what patients rights have over their information and requires covered entities to protect that information. The Privacy Rule, essentially, addresses how PHI can be used and disclosed. As a subset of the Privacy Rule, the Security Rule applies specifically to electronic PHI, or ePHI.
The Security Rule mandates the following safeguards:
Defined as the technology and the policies and procedures for the technology’s use that collectively protect ePHI as well as control access to it.
Technical safeguard standards include:
- Access — refers to the ability/means to read, write, modify, and communicate the data and includes files, systems, and applications. Controls must include unique user identifiers and automatic logoffs and could include access procedures during emergencies as well as data encryption.
- Audit controls — refers to mechanisms for recording and examining activities pertaining to ePHI within the information systems.
- Integrity — requires policies and procedures for protecting the data from being altered or destroyed in an unauthorized manner.
- Authentication — requires the verification of the identity of the entity or individual seeking access to the protected data.
Defined as physical measures, policies, and procedures for protecting electronic information systems and related equipment and buildings from natural/environmental hazards and unauthorized intrusion.
Physical safeguard standards include:
- Facilities’ access control — these are policies and procedures for limiting access to the facilities that house information systems. Controls could include contingency operations for restoring lost data, a facility security plan, procedures for controlling and validating access based on a person’s role and functions, and maintenance records of repairs and modifications to the facility’s security.
- Workstation use — addresses the appropriate business use of workstations, which can be any electronic computing device as well as electronic media stored in the immediate environment. For example, the workstation that processes patient billing might only be used with no other programs running in the background, such as a browser.
- Workstation security — requires the implementation of physical safeguards for workstations that access ePHI. While the workstation use rule outlines how a workstation containing ePHI can be used, workstation security standard dictates how workstations should be physically protected from unauthorized access, which may include keeping the workstation in a secure room accessible only by authorized individuals.
- Device and media controls — requires policies and procedures for the removal of hardware and electronic media containing ePHI in and out of the facility and within the facility. The standard addresses the disposal and the reuse of media, recordkeeping of all media movements, and data backup/storage.
Defined as administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI and manage employee conduct related to ePHI protection.
More than half of HIPAA’s Security Rule is focused on administrative safeguards. Standards include:
- Security management process — includes policies and procedures for preventing, detecting, containing, and correcting violations. A critical part of this standard is conducting a risk analysis and implementing a risk management plan.
- Assigned security responsibility — requires a designated security official who is responsible for developing and implementing policies and procedures.
- Workforce security — refers to policies and procedures governing employee access to ePHI, including authorization, supervision, clearance, and termination.
- Information access management — focuses on restricting unnecessary and inappropriate access to ePHI.
- Security awareness and training — requires the implementation of a security awareness training program for the entire workforce of the covered entity.
- Security incident procedures — includes procedures for identifying the incidents and reporting to the appropriate persons. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.”
- Contingency plan — requires plans for data backup, disaster recovery, and emergency mode operations.
- Evaluation — requires periodic evaluation of the implemented security plans and procedures to ensure continued compliance with HIPAA Security Rule.
- Business and associate agreements — requires all covered entities to have written agreements or contracts in place for their vendors, contractors, and other business associates that create, receive, maintain or transmit ePHI on behalf of the HIPAA covered entity.
Ensuring HIPAA Compliance
HIPAA was designed to be flexible and scalable for each covered entity and as technology evolves over time, rather than being prescriptive. Each organization has to determine what are reasonable and appropriate security measures based on its own environment.
Although some solutions may be costly, the Department of Health and Human Services (HHS) cautions that cost should not be the sole deciding factor. HHS places an emphasis on performing risk assessments and implementing plans to mitigate and manage the risks.
While the Security Rule is technology-neutral — meaning it doesn’t require a specific type of security technology — encryption is one of the best practices recommended. A large number of HIPAA data breaches reported to OCR result from the theft and loss of unencrypted devices.
In the last two or three years, more and more incidents are also resulting from cyber attacks. Encrypting protected data renders it unusable to unauthorized parties, whether the breach is due to device loss or theft, or a cyberattack. As a side note, encrypted data that is lost or stolen is not considered a data breach and does not require reporting under HIPAA.
As organizations transition to the cloud, they must also consider how using cloud services impacts their HIPAA Security Rule compliance, and explore 3rd party cloud security solutions such as a CASB. A cloud service that handles ePHI is a business associate under HIPAA and thus must sign a business agreement specifying compliance. However, due diligence — and ultimate responsibility — lies with the covered entity, even if a third party causes the data breach.
OCR not only investigates reported breaches but has also implemented an audit program. In the last few years, both the number of HIPAA settlements and the fines have been growing. Violations that resulted in fines range from malware infections and lack of firewalls to failure to conduct risk assessments and execute proper business associate agreements.
According to the HIPAA Journal, the average HIPAA data breach costs an organization $5.9 million, excluding any fine levied by OCR. While the OCR fines themselves can add up to millions of dollars, noncompliance may result in various other consequences, such as loss of business, breach notification costs, and lawsuits from affected individuals — as well as less tangible costs such as damage to the organization’s reputation.