Anyone working in the health sector is sure to have heard of HIPAA — the set of security standards for protecting health information. However, even those outside of a hospital or medical practice — service providers who process patient data on behalf of the sector, for example — are also subject to the rules. This includes subcontractors, those involved in insurance processing, and companies that manage the networks. Patients have the right to keep their medical records and personal information secure and private. So, this data needs to be secured and managed appropriately, and access to it controlled at all times. HIPAA IT compliance is mainly concerned with ensuring that all provisions of the HIPAA security rules are followed.
What is HIPAA?
HIPAA is the acronym for Health Insurance Portability and Accountability Act. In the health industry, everyone knows it as the “mandatory health regulation” that must be followed strictly. First enacted by the U.S. Congress in 1996, the law aims, firstly, to safeguard the security and confidentiality of patient information and, secondly, to ensure continuous health insurance coverage.
In a nutshell, it originally came about to improve the efficiency and effectiveness of the health-care system in the U.S. To achieve this, it comprises many provisions that establish national standards for electronic health-care transactions, unique identifiers, and security. As electronic technology advanced, there was also a notable risk to the privacy of health information. So, provisions for safeguarding the privacy of personally identifiable health information were added in late 2000 in the form of the “HIPAA Privacy Rule” (last updated in 2002). The “HIPAA Security Rule” was published in early 2003; it set the standards for protecting the confidentiality, integrity, and availability of electronic health information, with compliance obligatory from 2005-2006.
The Security Rule helps to satisfy the Privacy Rule by providing guidelines for technical and organizational processes. Organizations must implement these to comply and to protect patient information, including in electronic form (ePHI).
Twenty-plus years on, HIPAA continues to be a focal point wherever patient data is processed. As medical data is highly valued both by the individual to whom it belongs and by criminals who want to exploit it, HIPAA must be satisfied. If a breach does occur, the procedure to follow is laid out in the “breach notification rule.” Although HIPAA may seem vague at first glance, all the requirements are laid out, and ignorance of the law is not tolerated as a valid excuse for noncompliance.
The responsibility for protecting patient data is spread across many businesses. So, it’s essential to know the importance of HIPAA and understand your role as an IT pro. This applies to anyone working in the health sector, and even to those outside of a hospital or medical practice: service providers who process patient data on behalf of the industry are also subject to the rules.
For IT compliance, the HIPAA Security Rule and Privacy Rule, in particular, are primary to protecting patients and their data.
Who must comply
Those who must comply are grouped as follows:
- Covered entities: Health-care organizations handling ePHI.
- Business associates: Service providers who process (receive, create, maintain, or transmit) ePHI for a covered entity.
- Workforce: Anyone working (with or without pay) for a covered entity or business associate, such as employees, trainees, and volunteers.
Information you must protect
All individually identifiable health information, whether digital, paper or oral, must be protected. It is often referred to as PHI, or ePHI if it is digital, and includes:
- Name, address, birth date, social security number
- Patients’ health details — the physical or mental condition
- Patient care and treatment given
- Payment details and personal information
- Any data that could identify the patient
Complying with HIPAA Privacy Rule and Security Rule
- HIPAA Privacy Rule
This rule controls how ePHI can be used and disclosed and sets limitations. It demands the appropriate protection measures to safeguard the privacy of personal health information. It provides patients with the primary rights to their information (as does the GDPR). Patients can also decide how their information is used and shared.
- HIPAA Security Rule
This rule comprises the standards to secure ePHI at rest and in transit. It guides how to safeguard data and applies to any person or system with access to the data. It aims to prevent breaches when processing (sharing, creating, storing and disposing of) health information.
The Security Rule encompasses the following required safeguards:
Technical safeguards, which involve technologies used to secure information.
Physical safeguards, which involve physical access to information (no matter its location).
Administrative safeguards, such as policies and procedures for employees to follow (these align the Privacy and Security Rules).
Each of these comes with its own standards and implementation specifications. Some specifications are explicit (“required”) and must be implemented as stated, whereas others (“addressable”) allow the organization some flexibility and choice in the procedures used. In the latter case, the specification must still be addressed, but it does not need to be done in a specific manner.
Checklist: Technical safeguards
- Assign a centrally controlled unique username and PIN code per user.
- Establish procedures to manage access to data during an emergency so that data can be accessed at such times.
- Have automatic logoff capabilities where ePHI is processed or stored, including devices and PCs used by employees to access and communicate this data.
- Encryption is required to protect all ePHI.
- A mechanism to authenticate ePHI is required so that only those authorized to access the data can access it. This helps to protect the integrity of the data, so the organization can demonstrate that it has not been changed or destroyed without authorization.
Encryption and decryption
- Encryption is a requirement, and the organization must have a system in place to encrypt communications in transit and data in storage. When communications move beyond the organization’s internal firewall, they must be encrypted and accessible only to a recipient authorized to decrypt them.
- ePHI must never be readable by anyone without authorization; with an effective encryption mechanism in place, the data is unusable to an attacker if a breach were to occur.
- A primary component of data security is the ability to monitor attempted access to data, when data is accessed, and how it is used. Thus, a system that logs access is essential.
- Monitoring, logging, and reporting are all necessary to properly manage data security and to demonstrate compliance.
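As an added illustration of three of the technical safeguards in this checklist (a unique user identity with automatic logoff, an integrity mechanism that detects unauthorized changes to ePHI, and tamper-evident access logging), here is a small Python model. It is example code written for this article, not part of HIPAA, any regulator guidance, or any product. It uses only the standard library, so encryption at rest and in transit is assumed to be provided elsewhere (disk encryption, TLS); the key, the 15-minute idle limit, the role names, the record identifier and the patient record are all constructed values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed policy value for the automatic-logoff control; HIPAA sets no fixed number.
SESSION_IDLE_SECONDS = 15 * 60
GENESIS = "0" * 64  # hash the first audit entry chains to


class IntegrityError(Exception):
    """A record's authentication tag does not match its content."""


class AccessDenied(Exception):
    """The session is expired or not authorized for the record."""


def _canonical(obj) -> bytes:
    # Canonical JSON so the same logical record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(key: bytes, record: dict) -> dict:
    """Attach an HMAC-SHA256 tag so later unauthorized changes are detectable."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(key: bytes, sealed: dict) -> dict:
    """Recompute the tag; a constant-time compare avoids leaking it by timing."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise IntegrityError("record content does not match its tag")
    return sealed["record"]


class AuditLog:
    """Append-only access log; each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def append(self, now: int, user: str, action: str, record_id: str, outcome: str) -> None:
        entry = {"ts": now, "user": user, "action": action,
                 "record": record_id, "outcome": outcome, "prev": self._prev}
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        self._prev = entry["hash"]

    def verify_chain(self) -> bool:
        """True only if no entry was altered, removed or reordered after writing."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Session:
    user: str          # unique, centrally issued user name
    role: str
    last_activity: int

    def is_active(self, now: int) -> bool:
        # Automatic logoff: idle longer than the policy limit ends the session.
        return now - self.last_activity <= SESSION_IDLE_SECONDS


class EphiStore:
    def __init__(self, key: bytes, log: AuditLog, reader_roles=("clinician",)):
        self.key, self.log, self.sealed = key, log, {}
        self.reader_roles = set(reader_roles)  # hypothetical role names

    def put(self, session: Session, now: int, record_id: str, record: dict) -> None:
        self.sealed[record_id] = seal_record(self.key, record)
        self.log.append(now, session.user, "write", record_id, "ok")

    def read(self, session: Session, now: int, record_id: str) -> dict:
        if not session.is_active(now):
            self.log.append(now, session.user, "read", record_id, "denied:session-expired")
            raise AccessDenied("session expired by automatic logoff")
        if session.role not in self.reader_roles:
            self.log.append(now, session.user, "read", record_id, "denied:role")
            raise AccessDenied(f"role {session.role!r} may not read ePHI")
        session.last_activity = now
        try:
            record = verify_record(self.key, self.sealed[record_id])
        except IntegrityError:
            self.log.append(now, session.user, "read", record_id, "integrity-failure")
            raise
        self.log.append(now, session.user, "read", record_id, "ok")
        return record


if __name__ == "__main__":
    # Constructed sample data, not real patient information.
    log = AuditLog()
    store = EphiStore(key=b"constructed-demo-key-use-a-managed-secret", log=log)
    nurse = Session(user="n.smith", role="clinician", last_activity=1_000)
    store.put(nurse, 1_000, "pt-0001", {"name": "Jane Doe", "dx": "J45.20"})
    print(store.read(nurse, 1_100, "pt-0001"))
    print("audit chain intact:", log.verify_chain())
```

Every denied or failed access is logged alongside the successful ones, which is what makes the log useful for the "attempted access" monitoring the checklist calls for; the hash chain lets an auditor confirm that nobody quietly edited or dropped entries afterwards.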
Checklist: Physical safeguards
Facility access controls
- Establish procedures to control and manage access to the physical environment (covering everyone who has access).
- Establish procedures to control and manage access to the physical data store.
- Have an in-depth facility security plan with safeguards that govern access to equipment and data stores of ePHI to prevent unauthorized access and loss of data.
- Monitor, log and report access.
- Document any changes made to the physical environment.
Management of workstations
- Establish policies for how workstations must be used.
- Restrict the use of workstations that have access to ePHI.
- Put safeguards in place to ensure workstation security and govern the use of equipment.
- Maintain a hardware inventory: the location of each item must be known, and any change of location logged.
- Before moving any hardware, a retrievable copy of ePHI found on the hardware must be made.
- Disposal of equipment holding ePHI must be managed.
- If mobile devices are used for accessing ePHI, policies must be in place to manage how ePHI is accessed, used and removed.
- A system must be implemented to ensure the ePHI is safeguarded even if the device is lost or disposed of, the employee leaves, or the device is used by someone else. This ensures that only authorized data access is possible, no matter the circumstances.
- Procedures for data backups are required.
Checklist: Administrative safeguards
Measures need to be implemented to protect personal health information and at the same time, govern the workforce. Administrative safeguards aim to address this.
Risk assessments and risk management
- Risk assessments are a primary area and are required.
- A risk assessment must be done to identify where ePHI is used and establish the variety of ways ePHI could potentially be breached.
- Risk assessments are not a one-off process but should be done periodically.
- Measures should be updated and introduced, as necessary, to reduce the level of risk to appropriate levels.
- Risk management policy must be introduced.
- Workforce behaviors and system activities must be governed and monitored so that employees continuously follow the security policies and procedures; if noncompliance is discovered, appropriate action should be taken to prevent recurrence.
- Risk assessments will be checked as part of a HIPAA audit, so they must be done comprehensively and regularly.
Employee security training and awareness
- Educate employees on policies and procedures about the security of health information (ePHI).
- Follow regular training schedules to maintain high levels of security awareness.
- Educate employees on malware, malicious attack types, and how to identify malicious behaviors.
- Keep employees updated on current malware types.
- Document all training.
Develop a contingency plan and test it
- A contingency plan to follow in the aftermath of an emergency to ensure the continuation of critical business processes is essential and required.
- Contingency plans must be tested, practiced and revised to ensure that they are complete and effective.
- A plan must exist and must allow critical business processes to continue. At the same time, ePHI must be protected and remain accessible to employees authorized to access it in emergency operation mode.
- A data backup plan is essential: backups must be current and restorable so that ePHI can be recovered if need be.
- Implement a disaster recovery plan in case of a breach.
Information access management
- Information should not be accessed by unauthorized third-party organizations (subcontractors or parent organizations).
- Third-party access to ePHI must be appropriately managed, and access should be isolated and limited.
- Employee access to ePHI should be limited and controlled to protect the data and its integrity and limit the risk.
- Contracts and agreements must be signed with partners and business associates with access to ePHI.
- Business associates must agree to comply with the organization’s ePHI security measures.
- Monitoring is vital to detect any unauthorized or attempted unauthorized access to ePHI.
Incident procedures and reporting
- Have a documented response and reporting procedure in place for breaches and security incidents.
- The consequences of an incident or breach must be documented and reported.
Penalties go beyond fines
HIPAA compliance is a legal requirement, as health information is very sensitive, valuable and sought after. Lost or stolen data, whether the result of an attack or of accidental error, can have far-reaching consequences. Financial penalties for noncompliance are high: a penalty can range from a minimum of $100 per violation to a maximum of $50,000 per violation, depending on the type of violation, with an annual maximum penalty of $1.5 million for repeat violations. So, this is a valid concern, but it is not the only ramification if a breach were to occur.
Reputational damage and further legal issues are significant too. HIPAA compliance does not guarantee complete security from every eventuality or threat. However, it provides a robust foundation for securing the information and processes in the industry. This is why, in the health-care sector, it is obligatory as a minimum on which the industry can further build.
The HIPAA Enforcement Rule is the means by which the regulator monitors HIPAA compliance and issues fines for noncompliance.
Audits will confirm if requirements to protect ePHI are addressed for areas like risk management, privacy practices, access management, training, transmission security, and device security, to name a few.
Generally, HIPAA compliance is being prioritized by business associates, with particular attention to the Privacy and Security Rules. It could be that the enforcement of the GDPR in 2018 has had some influence on this, as the two regulations have similarities and share some requirements.