With an ever-increasing level of connection between consumers and businesses, questions about privacy inevitably surface. This is especially apparent in the field of healthcare, where patients expect not only discretion from their providers, but also ease of access. 2016 data suggested younger generations would increasingly expect electronic (e.g., mobile device) access to medical records. Likewise, a 2017 NRC Health report predicted consumers would expect transparency in the healthcare field. To balance patient privacy with these emerging trends, the Department of Health and Human Services (HHS) implemented the Health Insurance Portability and Accountability Act (HIPAA). To ensure your company is HIPAA compliant, check out our HIPAA guide and checklist below.
Mobile usage to access ePHI. Source: NRC Health 2016 Healthcare Trends
HIPAA for Dummies
What is HIPAA? HIPAA first went into effect in 1996, with the Office of Civil Rights (OCR) overseeing its implementation. Although HIPAA initially focused on medical coverage for patients transitioning between jobs and individuals with pre-existing conditions, it gradually evolved to include patient privacy standards. In 1998, the Security and Electronic Signature Standards Rule was proposed, introducing access accountability for electronic file transfers. After the 2003 update, HIPAA laid out guidelines for storing, transferring, and disposing of personal health information (PHI) under HIPAA privacy laws. This update, called the Privacy Rule, was a major expansion of HIPAA and served as the first major step toward addressing privacy and security concerns.
Quick HIPAA Timeline
In 2005, the HIPAA Enforcement Rule took effect, allowing the OCR to investigate complaints of negligence. In the event of a confirmed negligent act, the Department of Justice (DOJ) could issue penalties (fines/prison time) for non-compliance. However, as more and more healthcare practices became paperless, HIPAA again adjusted and now specifies safeguards for the privacy and security of electronic Personal Health Information (ePHI). Specifically, in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act laid out basic guidelines for transitioning to paperless records. In 2011, the OCR adopted a more proactive stance and began conducting audits to ensure compliance. 60% of the entities examined in the first audit were deemed in violation of HIPAA standards. With various kinds of infractions taking place, the OCR introduced the Omnibus Rule in 2013, with the goal of applying tiered levels of penalties [listed below] based on the severity of the infraction.
Who Must Comply with HIPAA’s Privacy Rule?
According to HHS, health plans, health providers, and healthcare clearinghouses must abide by HIPAA regulations. However, life insurers and public agencies do not fall under such rules. Covered entities must guarantee that any contracted businesses/associates comply with HIPAA standards (i.e., through contracts specifying that associates will comply with HIPAA). HHS defines a business associate as a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Health Information Organizations (HIOs), health consultants, and clearinghouses fall into the business associate category, while the health provider category encompasses hospitals, physician practices, pharmacies, etc.
HIPAA for the consumer
In the broadest sense, HIPAA grants patients a level of control over which persons or entities have access to their medical information. Under HIPAA's Privacy Rule, patients can request access to their records and file complaints if data appears to be incorrect. Furthermore, consumers possess the right to see which persons or entities have accessed their information. Following the Act's stipulations, individuals may designate persons who can access their records in the event of an emergency. Above all, HIPAA ensures individuals keep a hand in controlling their personal data by setting limits on healthcare entities.
HIPAA for Businesses
As noted above, HIPAA regulations apply to health plans, health providers, and healthcare clearinghouses (facilities that process/analyze data). Preventing unauthorized access and updating software are a start toward HIPAA compliance, but as the American Medical Association (AMA) notes, medical practices cannot rely solely on certified electronic health records technology; they must also avoid medical cyberattacks by maintaining physical and procedural security measures to safeguard facilities containing PHI and ePHI.
Newer HIPAA Updates:
The more recent updates to HIPAA center on the HITECH Act. As previously mentioned, ePHI increasingly takes precedence over hard copies. The updates recommend appointing a designated security officer to oversee physical and technical safeguards. While this may not be possible for smaller entities, it is important, at the very least, to consult a security expert and strategize ways to better protect PHI and ePHI.
Furthermore, the definition of a data breach changed and now focuses on the probability that PHI or ePHI was compromised. A low probability may reduce liability and result in lower OCR fines.
HIPAA's safeguards encompass three areas: technical, physical, and administrative.
Technical security requires that data be encrypted to NIST standards, so that any intercepted data retains no value for threat actors. Mechanisms for decryption and authentication help ensure no data is illegally modified or deleted while in transit. HIPAA also requires PINs and passwords to access data.
Physical security guidelines cover where the data is stored (the cloud, a remote data center, or internal servers). Additionally, experts strongly recommend that access be restricted and closely monitored. All entries (even maintenance) must be recorded, with the goal of preventing theft, tampering, or removal of data. Similarly, any device (mobile or desktop) that accesses, transfers, or modifies PHI or ePHI must be recorded.
Administrative security requirements focus on bringing physical and technical security measures together. HIPAA administrative tasks include implementing proper safeguards, monitoring access points, vetting employees and vendors, and staying informed of changes to HIPAA requirements. A well-organized administrative security program will help OCR audits run smoothly.
Medical entities, under the Privacy Rule of 2003, are responsible for ensuring patient records remain confidential and are shared only with authorized individuals or companies. This includes not only electronic copies but also hard copies. While malware, phishing attacks, and ransomware remain high threats, medical personnel must not disregard insider threats that may leak or illegally modify patient data.
Compromised data will undermine patient confidence in a company and expose medical practices or vendors to scrutiny by the OCR. Penalties for failing to protect user data in accordance with the Privacy Rule may lead to either civil or criminal consequences, with the most severe criminal penalty being a $250,000 fine and up to 10 years in prison.
HIPAA laws require that medical entities keep detailed records of who accessed data, as well as when and where the data was accessed. Well-kept records will ease the complexity of an OCR audit, which periodically reviews medical entities to ensure they are following HIPAA guidelines. Additionally, making sure employees understand that no shortcuts can be taken will help guarantee HIPAA compliance and serve as defense evidence in the unfortunate event of a future data breach.
The Consequences of Non-Compliance
A 2017 study revealed that 83% of US physicians had been targets of cyberattacks, yet most physicians and medical practices worry that implementing HIPAA guidelines will decrease efficiency and result in disgruntled patients. Acknowledging threats but disregarding HIPAA safeguards endangers both patient data and a company's financial standing. More importantly, it puts a company at risk of legal repercussions.
If the OCR deems an entity to be in non-compliance with HIPAA laws, two courses of action (COA) may be taken: civil or criminal. HHS deals with civil cases and determines the extent to which an entity should be penalized. This often encompasses fines, an allotted correction time, and restitution (if PHI was stolen or used to defraud patients). If the OCR believes criminal infringement occurred, the DOJ assumes control of the case. The COA taken ultimately depends on the category an entity's infringement falls into:
- Unknown – entity was not aware of any violation and made clear attempts to comply with all HIPAA rules
- Reasonable cause – entity had a reasonable cause and did not purposefully disregard regulations
- Willful neglect with correction – violation occurred due to willful neglect but was corrected within the allotted time period (usually 30 days, although larger companies can apply for an extension)
- Willful neglect without correction – violation occurred due to willful neglect and was not corrected within allotted time
HIPAA Violation Penalties. Source: HIPAA Journal
It is important to understand that the category an entity falls into often hinges on the word "knowingly" and the extent to which the entity knowingly failed to comply with HIPAA. To avoid any ambiguity, the American Medical Association suggests entities use the DOJ definition of "knowingly" – requiring only knowledge of the actions that constitute an offense. This means even those who have only a general inkling of non-compliance may be held responsible; detailed knowledge is not the sole characteristic of a knowingly committed offense.
Understand – HIPAA compliance starts by making sure all employees understand the gravity of security. Holding employee training sessions and fostering an environment friendly to questions will help ensure guidelines are followed properly. If any questions remain unresolved, companies should seek outside advice in a timely manner.
Assess – next, companies must analyze whether their current practices hold up under scrutiny against HIPAA standards. Are files stored in secure facilities? Are file transfers encrypted? Are files disposed of properly from all repositories (or shredded in the case of hard copies)? Again, it is important to help employees understand that shortcuts cannot be taken.
Implement – after assessing your current standing, improve security standards where possible and fix improper practices. Redundancy is a key factor that is sometimes overlooked because of its implementation expense. However, investing in redundancy reduces the likelihood of a complete shutdown in the event of ransomware or another attack. Likewise, limiting access to only those with need-to-know status will shrink the threat surface. For small companies, hiring an outside firm to assist in analyzing weaknesses will help lessen the burden of becoming HIPAA compliant.
Monitor – implementing HIPAA standards is only half the battle against threats. Systems must be maintained and monitored to ensure data is accessed only by authorized individuals. This includes both internal and external systems (i.e., make sure to vet any outside contracting groups prior to transferring data). Again, it is crucial to keep detailed records of data entries, changes, transfers, and deletions.
Anticipate – in the cybersecurity world, it's widely agreed that it is a question of when, not if, a data/system breach will occur. New technology means new threat vectors. Realizing this, it is important to constantly anticipate and brainstorm where weaknesses in technical and administrative systems may allow a breach. On the simplest scale, updating systems to the latest software and staying informed of current breaches serve as basic proactive measures.
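The record-keeping requirement above (who accessed data, when, where, and what they did) and the Monitor step both come down to reviewing an access log against a need-to-know list. The following Python is an added example, not code from the original article or from RSI Security; the log entries and the authorization roster are constructed sample data, and the field names are assumptions about how an application might record ePHI access.

```python
from datetime import datetime

# Fields every ePHI access record must carry: who, when, where, what, and which record.
REQUIRED_FIELDS = ("user", "timestamp", "source", "action", "record_id")
# The event types the article says must be recorded: entries, changes, transfers, deletions.
ACTIONS = {"view", "create", "modify", "transfer", "delete"}

# Constructed need-to-know roster (hypothetical): which users may touch which patient records.
AUTHORIZED = {
    "dr_lee": {"P-1001", "P-1002"},
    "nurse_kim": {"P-1001"},
}

# Constructed sample log, as an application might emit it (not real data).
SAMPLE_LOG = [
    {"user": "dr_lee", "timestamp": "2024-03-04T09:12:00", "source": "ws-17", "action": "view", "record_id": "P-1001"},
    {"user": "nurse_kim", "timestamp": "2024-03-04T09:15:30", "source": "ws-22", "action": "modify", "record_id": "P-1002"},
    {"user": "dr_lee", "timestamp": "2024-03-04T09:20:05", "source": "", "action": "transfer", "record_id": "P-1002"},
    {"user": "vendor_tmp", "timestamp": "2024-03-04T23:41:00", "source": "vpn-3", "action": "delete", "record_id": "P-1001"},
    {"user": "dr_lee", "timestamp": "not-a-time", "source": "ws-17", "action": "export", "record_id": "P-1001"},
]


def review_access_log(entries, authorized):
    """Return (index, reason) pairs for records that would not survive an audit:
    incomplete records, unparseable timestamps, unknown action types, and
    accesses by users with no need-to-know for that patient record."""
    findings = []
    for i, e in enumerate(entries):
        missing = [f for f in REQUIRED_FIELDS if not e.get(f)]
        if missing:
            findings.append((i, "incomplete record, missing: " + ", ".join(missing)))
            continue  # the remaining checks are meaningless on an incomplete entry
        try:
            datetime.fromisoformat(e["timestamp"])
        except ValueError:
            findings.append((i, "unparseable timestamp"))
        if e["action"] not in ACTIONS:
            findings.append((i, "unknown action type: " + e["action"]))
        # An unknown user has an empty permission set, so vendors or ex-employees are flagged too.
        if e["record_id"] not in authorized.get(e["user"], set()):
            findings.append((i, "access outside need-to-know: %s -> %s" % (e["user"], e["record_id"])))
    return findings


if __name__ == "__main__":
    for idx, reason in review_access_log(SAMPLE_LOG, AUTHORIZED):
        print(idx, reason)
```

Running the review over the sample log flags four of the five entries; only the first record is both complete and within the user's authorization.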
Preparing for a HIPAA Audit
Although there is no set time period between audits, it is important to be prepared. If the proper groundwork is completed, an audit should be relatively stress-free. Self-assessment serves as one of the best tactics for audit preparation. The first place to start is with risk: what are the most vulnerable threat vectors? Next, compare countermeasures to threats. Are sufficient resources in place to combat threat actors? Make sure to closely examine medical equipment and administrative devices. Finally, analyze the measures in place to alert customers of breaches. Are customers able to access information regarding breaches? Are timely alerts sent out to notify customers of any breaches?
After scrutinizing internal administrative safeguards, focus on aggregating and examining all business associates. HIPAA audits require a comprehensive list of business associates. Are proper procedures in place to vet associates? Are legal contracts completed (prior to data transfers) specifying HIPAA compliance must be maintained by the outside party?
It's understandable to find HIPAA a bit overwhelming, but taking the time to ensure HIPAA compliance will be worth it for both customer peace of mind and company credibility. New technology engenders new security risks, so make sure to stay ahead of threats by reaching out for HIPAA advice today. Whether you are a small medical practice, large health provider, or medical clearinghouse, RSI Security can help with HIPAA compliance.