Anyone working in the health sector is sure to have heard of HIPAA — the set of security standards for protecting health information. However, those outside of a hospital or medical practice, such as service providers who process patient data on behalf of the sector, are also subject to the rules. This includes subcontractors, those involved in insurance processing and companies that manage the networks. Patients have the right to keep their medical records and personal information secure and private, so this data must be secured and managed appropriately and access to it controlled at all times. HIPAA IT compliance is mainly concerned with ensuring that all provisions of the HIPAA Security Rule are followed.
HIPAA is the acronym for Health Insurance Portability and Accountability Act. In the health industry, everyone knows it as the “mandatory health regulation” that must be followed strictly. First enacted by the U.S. Congress in 1996, the law aims, firstly, to safeguard the security and confidentiality of patient information and, secondly, to ensure continuous health insurance coverage.
In a nutshell, it initially came about to improve the efficiency and effectiveness of the health-care system in the U.S. To achieve this, it comprises many provisions that establish national standards for electronic health care, unique identifiers, and security. With the advancement of electronic technology, there was also a notable risk to the privacy of health information. So, provisions for safeguarding the privacy of individually identifiable health information were added in late 2000 in the form of the “HIPAA Privacy Rule” (last updated in 2002). The “HIPAA Security Rule” was published in early 2003; it set the standards for protecting the confidentiality, integrity, and availability of electronic health information, with compliance obligatory from 2005-2006.
The Security Rule helps to satisfy the Privacy Rule by providing guidelines for the technical and organizational processes that organizations must implement to comply and to protect patient information, including in electronic form (ePHI).
Twenty-plus years on, HIPAA continues to be a focal point wherever patient data is processed. Medical data is highly valued both by the individual to whom it belongs and by criminals who want to exploit it, so HIPAA must be satisfied. If a breach does occur, the procedure to follow is laid out in the “Breach Notification Rule.” Although HIPAA may seem vague at first glance, all the requirements are laid out, and ignorance of the law is not accepted as a valid excuse for noncompliance.
The responsibility for protecting patient data is spread across many businesses, so it is essential to know the importance of HIPAA and to understand your role as an IT pro. This applies to anyone working in the health sector, and even to those outside of a hospital or medical practice: service providers who process patient data on behalf of the industry are also subject to the rules.
For IT compliance, the HIPAA Security Rule and Privacy Rule, in particular, are primary to protecting patients and their data.
Those who must comply are grouped as follows:
All individually identifiable health information, whether digital, paper or oral, must be protected. It is referred to as protected health information (PHI), or ePHI when it is in electronic form.
The Privacy Rule controls how PHI can be used and disclosed and sets limitations. It demands appropriate protection measures to safeguard the privacy of personal health information. It gives patients the primary rights to their information (as does the GDPR), and patients can also decide how their information is used and shared.
The Security Rule comprises the standards for securing ePHI at rest and in transit. It guides how to safeguard the data and applies to any person or system with access to it. It aims to prevent breaches when processing (sharing, creating, storing and disposing of) health information.
The Security Rule encompasses the following required safeguards:
Technical safeguards, which involve technologies used to secure information.
Physical safeguards, which involve physical access to information (no matter its location).
Administrative safeguards, such as policies and procedures for employees to follow (these align the Privacy Rule with the Security Rule).
Each of these carries its own standards. Some safeguard specifications are explicit, whereas others are flexible with regard to the procedures used and allow the organization some choice: the specification must still be addressed, but it does not need to be met in one specific manner. Examples of technical and physical safeguards include:
Encryption and decryption
Facility access controls
Management of workstations
Measures need to be implemented that protect personal health information while also governing the workforce. Administrative safeguards address this, and include:
Risk assessments and risk management
Employee security training and awareness
Contingency planning and testing
Information access management
Incident procedures and reporting
HIPAA compliance is a legal requirement because health information is very sensitive, valuable and sought after. Data lost or stolen as a result of an attack or an accidental error can have far-reaching consequences. Financial penalties for noncompliance are high: a penalty can range from a minimum of $100 per violation to a maximum of $50,000 per violation depending on the type of violation, with an annual maximum penalty of $1.5 million for repeat violations. So, this is a valid concern, but it is not the only ramification if a breach were to occur.
Reputational damage and further legal issues are significant too. HIPAA compliance does not guarantee complete security against every eventuality or threat. However, it provides a robust foundation for securing the information and processes in the industry, which is why, in the health-care sector, it is obligatory as a minimum on which the industry can further build.
The HIPAA Enforcement Rule is the mechanism by which the regulator monitors HIPAA compliance and issues fines for noncompliance.
Audits will confirm if requirements to protect ePHI are addressed for areas like risk management, privacy practices, access management, training, transmission security, and device security, to name a few.
Generally, HIPAA compliance is being prioritized by business associates, with particular attention to the Privacy and Security Rules. The enforcement of the GDPR in 2018 may have had some influence on this, as the two regulations have similarities and share some requirements.