HIPAA stands for Health Insurance Portability and Accountability Act and comprehensively addresses questions related to the security and privacy of electronic Protected Health Information (ePHI). Any company or organization in any way dealing with private health records has to comply with HIPAA regulations. Failure to do so may result in significant fines or penalties, criminal charges, as well as a tarnished reputation. Ignorance of HIPAA requirements is not a valid excuse in case of charges, so it is important to know the key criteria of assessment and who has to comply.
The Tradeoffs of HIPAA
Although HIPAA is undoubtedly an important and powerful document, there are some concerns and drawbacks associated with it.
On the one hand, HIPAA allows you to protect patients’ information much better than was ever possible with paper. Access to records takes seconds and is effortless for healthcare providers.
However, healthcare organizations rely heavily upon patient data to conduct research and hopefully make advancements in the quality of treatment. HIPAA hinders this process by limiting access to ePHI, which slows the pace of research. In addition, HIPAA has an impressive price tag – developing measures to tighten security, hiring and training staff, running audits and checks is costly.
Penalties are a separate issue. A healthcare organization can be charged up to $1.5 million for breaches of HIPAA. The associated paperwork, administrative overhead, investigation process, etc. add even more to this amount. Compliance is likely to pay off over time, but the initial investment and the cost of regular updates are significant for many organizations. That is why HIPAA evokes mixed feelings in those who have to comply with it.
Who needs to comply?
Covered Entities – everyone who is directly involved in treatment, payment, and operations in healthcare. This includes all healthcare organizations, medical staff, healthcare insurance providers, and healthcare clearinghouses.
Business Associates – everyone who has access to patient records and provides supporting services in treatment, payment, and operations. Note that subcontractors of business associates are also required to comply with HIPAA.
Other-initiated parties – some entities, such as trainers, researchers, fundraisers and marketers will ask patients for permission to use their health information for analysis or other purposes. However, they still have to meet all criteria just like the above two categories.
What is HIPAA Compliance?
HIPAA compliance (often misspelt as “HIPPA compliance”) is a set of requirements covering the areas of storage, access, sharing, and security of electronic protected health information.
There is no hierarchy among the compliance factors, meaning that all of them are equally important. Structurally, two categories include most of the criteria: Security Rules and Privacy Rules.
Although HIPAA factors can be marked as “required” or “addressable”, they are in effect all required unless the contrary is explicitly specified. Meeting all the criteria is strongly recommended, and solid justification for any omissions is expected by the Office of Civil Rights (OCR), a controlling body conducting regular checks for HIPAA compliance.
We are devoting the rest of the article to a more detailed description of specific factors included in the HIPAA compliance checklist. Please note that this is still an overview (although a detailed one), and official guidelines can be found on the website of the U.S. Department of Health and Human Services at https://www.hhs.gov.
Below we are looking at the criteria which specifically address various facets of Security and Privacy Rules.
The Security Rule explicitly outlines the technical and non-technical standards that the covered entities must comply with in order to guarantee the security of patients’ electronic protected health information. The HIPAA security compliance checklist items are listed below.
The technical safeguards specify the security requirements of using technology to access ePHI and protect it.
Encryption to NIST standards – this is the primary requirement, stipulating that in the case of any breach or data theft, the information obtained by unauthorized parties (criminals) must be unreadable and extremely hard to take advantage of.
Access control – this criterion determines the procedure of assigning unique access credentials for each authorized user, as well as the plan of action to follow in case of emergency when release or disclosure of ePHI may be necessary.
Authentication is required to be able to track whether any unauthorized actions led to modification or deletion of the ePHI records.
Encryption/decryption – this criterion outlines which encrypting algorithms must be in place on any devices used by the authorized users to be able to securely transfer ePHI within the firewalled internal network, as well as outside of it. This item is particularly important with the growing number of electronic devices capable of transferring and receiving information, some of which may be personal devices not equipped with reliable enough encryption tools by default.
Activity audit – this item specifies how any activity (attempt to access, modify, etc.) performed with regard to private health information has to be recorded.
Automatic logoff – this seemingly simple measure can actually be quite effective: it ensures that the user is logged off after a pre-determined period of inactivity. As human beings are considered to be the weakest link in most systems, it is important to mitigate the risk that the user left and forgot to log off (negligence) or was conned into leaving in a hurry without logging off.
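The following is an added example, not part of the original article, showing how three of the technical safeguards above (unique per-user access, activity audit, automatic logoff) can work together in code. The class name `EphiGateway`, the 900-second idle limit, and the HMAC-chained audit trail (which goes slightly beyond the checklist by making edits to the log detectable) are assumptions chosen for illustration.

```python
import hashlib, hmac, json

class EphiGateway:
    """Hypothetical access layer: per-user sessions, idle logoff, audit trail."""
    def __init__(self, audit_key, idle_limit=900):  # 900 s is an assumed limit
        self.audit_key, self.idle_limit = audit_key, idle_limit
        self.sessions, self.audit = {}, []  # last activity per user id; append-only trail
        self._prev = "0" * 64               # MAC of the previous audit entry

    def _mac(self, entry):
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()

    def _log(self, ts, user, action, record, outcome):
        entry = {"ts": ts, "user": user, "action": action, "record": record,
                 "outcome": outcome, "prev": self._prev}
        entry["mac"] = self._prev = self._mac(entry)
        self.audit.append(entry)

    def login(self, ts, user):
        self.sessions[user] = ts
        self._log(ts, user, "login", None, "ok")

    def access(self, ts, user, action, record):
        last = self.sessions.get(user)
        if last is None:
            outcome = "denied:no-session"
        elif ts - last > self.idle_limit:
            del self.sessions[user]             # automatic logoff after inactivity
            outcome = "denied:auto-logoff"
        else:
            self.sessions[user], outcome = ts, "ok"
        self._log(ts, user, action, record, outcome)  # denied attempts are recorded too
        return outcome == "ok"

    def verify_audit(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "mac"}
            if e["prev"] != prev or not hmac.compare_digest(self._mac(body), e["mac"]):
                return False                    # entry edited, removed or reordered
            prev = e["mac"]
        return True

def demo():  # constructed events; timestamps are seconds since login
    gw = EphiGateway(b"constructed-demo-key")
    gw.login(0, "dr.lee")
    return gw, [gw.access(600, "dr.lee", "read", "rec-1"),
                gw.access(1600, "dr.lee", "modify", "rec-1"),
                gw.access(1700, "unknown", "read", "rec-1")]
```

In the demo the second request arrives 1000 seconds after the user's last activity, so the session is dropped and the attempt is logged as denied; the third request comes from an identity with no session at all.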
The physical safeguards are concerned with security requirements of hardware used to store, transfer, and access the ePHI, as well as security standards for the location where such hardware is installed.
Facility access control – every person allowed permanent or temporary access to the premises where the ePHI is stored must be tracked and their activity (entry, exit) must be recorded. In addition, measures to prevent unauthorized access, damage and theft of equipment should be undertaken.
Workstation use policy – the use of workstations that have access to ePHI has to be carefully restricted. Such a simple thing as making sure the workstation’s screen is not visible to anyone except the person working with it can help prevent the accidental release of confidential information.
Mobile devices use policy – if an authorized user is allowed to send and/or receive ePHI on their mobile device, it is crucial to ensure its complete deletion from the device before it can be used by another person.
Hardware inventory – it is critical to keep an inventory of any hardware that might carry traces of ePHI. Tracking the location and movements of such devices, as well as having a reliable backup solution in place prior to any such moves, will give confidence that nothing will get lost or corrupted, and even if it does, it will be easier to follow the trail and determine the exact point at which something went wrong.
The administrative safeguards are the provisions tying together the Privacy Rule and the Security rule. One important requirement on the administrative side of things is the appointment of a Security Officer and a Privacy Officer to oversee the implementation of a respective set of measures.
Risk assessments – regular audits conducted by the Office of Civil Rights early in the HIPAA history revealed that the most frequent reason for non-compliance is an improper or poor risk assessment. One of the key tasks of the Security Officer is to put together a risk assessment procedure covering all areas where ePHI is used, and how issues in each of these areas must be addressed.
Risk management policy – risk assessments are not a one-off event; they have to be scheduled regularly in order to attempt to fix…and ensure an appropriate safety level. The risk management policy must also include a sanctions policy which would be applied to employees who failed to comply with the HIPAA regulations.
Employee training in security – regular training sessions must be scheduled for employees to make them aware of the latest changes in HIPAA requirements, the areas in the organization that need improvement, any new threats to watch out for, or new techniques to identify these threats.
Contingency plan – with sensitive data such as ePHI the least you can do is to have a Plan B in place (sometimes Plans C and D may be necessary to ensure the desired security level). All the procedures and processes to follow in case of emergency have to be clearly laid out and documented. Regular testing of the operability of the contingency plan is required to make sure it works as well in practice as it does on paper.
Third-party access policy – any authorized third party must sign a Business Associate Agreement to have access to ePHI, even if the third party has a long-standing relationship with the company in question, or even if it is a parent/child company. Remember, HIPAA compliance is necessary for any entity getting in contact with ePHI to any extent.
Security incidents reporting – this measure is critical because after the incident has taken place, there is still time to prevent a breach. Therefore, all authorized users have to be instructed and trained to report the incidents in a timely manner.
The Privacy Rule sets forth the standards for how the electronic protected health information is used and preserved. In particular, it defines to what extent and how frequently the patient’s information can be used or disclosed without their permission. The Privacy Rule also gives patients the right to get a copy of their health records or to have a look at them. All patients’ requests to access their ePHI must be satisfied within a 30-day period.
Employee training – it is strongly recommended that all covered organizations conduct training on a regular basis to update employees on which types of information can be shared outside of their organization, and which ones cannot.
ePHI integrity – it is important to ensure that ePHI and personal patient identifiers are stored and managed in a consistent manner.
Patient written permission – organizations taking hold of patients’ ePHI must ask for permission to share these records with any research, fundraising, or marketing organizations.
Now that we have discussed HIPAA security compliance and HIPAA privacy compliance, we want to briefly highlight several other important components of HIPAA that complement the aforementioned rules.
In the unfortunate case of a breach, the Breach Notification Rule obligates covered organizations to inform patients whose ePHI was affected by the breach. This rule also requires organizations to inform the Department of Health and Human Services of any such breaches. If the breach affected more than five hundred people, this event has to be covered in the media. A report of all smaller breaches (those affecting fewer than five hundred patients) has to be submitted to the Office of Human Rights on an annual basis, specifying the ePHI involved, the violator who made use of the ePHI (if known), actions the violator performed with the information obtained (if known), and to what extent the risk of damage was mitigated.
It should take the covered organization no more than sixty days to inform the patient about the breach of their ePHI. The organization must also advise the patient on what measures to take to minimize harm, and inform them about the actions it is taking to resolve the issue.
The Omnibus rule introduces a number of amendments and additions covering the aspects omitted in the earlier versions of HIPAA, including:
updated definitions and procedures
clarification of the Business Associate entity
updates to comply with the Health Information Technology and Clinical Health (HITECH) Act
modifications required in view of the Genetic Information Nondiscrimination Act (GINA)
restrictions on the use of ePHI for marketing purposes
With many of the above changes being critical, the covered organizations are required to take the following steps:
update agreements with Business Associates (to include the Omnibus rule and other changes)
issue new agreements with Business Associates (to be signed by Business Associates before providing any further service to covered entities)
update privacy policies and notices of privacy policies (to incorporate changes brought about by the Omnibus Rule)
conduct staff training (to get them synced on the latest changes initiated by the Omnibus Rule)
The Enforcement Rule deals with:
investigation of any breaches of ePHI
determination of penalties to be imposed on covered organizations for any avoidable breaches (force-majeure excluded)
organization of hearings related to the breaches
The penalties range from $100 to $50,000 depending on the violation category and the number of records affected by the breach. In the case of willful neglect, criminal charges can also follow. People who suffered from the breach also have a right to file a civil lawsuit against covered entities.
Criticality of Data Encryption
In the era of increasing mobility, the importance of reliable data encryption cannot be overestimated. The analysis shows that most ePHI breaches happen because of the loss or theft of the mobile device on which the data is stored, or because of the unencrypted transfer of private records via open networks.
It is fairly easy to avoid such incidents by having proper encryption functionality enabled on the device. Encryption converts the data into an unreadable format that cannot be converted back without a secret key. Therefore, even if a criminal gets hold of encrypted ePHI, they will not be able to benefit from it.
HIPAA compliance is a serious undertaking for any healthcare organization – it entails a lot of upfront effort and investment, a certain amount of trial and error, and high-quality management. Carefully following the checklist presented in this article and referring to the original documents where necessary can help you to take this journey with minimal loss.