Staying HIPAA Compliant with Delta Risk
The Health Insurance Portability and Accountability Act (HIPAA) compliance standards are constantly evolving, making the task of keeping up with reporting and notification requirements all the more challenging. Organizations that don’t comply are subject to fines and other penalties.
Delta Risk offers a comprehensive suite of cyber security services to help you stay HIPAA compliant:
- ActiveInsight – Advisory services offer the opportunity to assess your current program and identify potential security and HIPAA compliance gaps. In accordance with HIPAA administrative safeguard requirements, we can also test your defenses and train your workforce.
- ActiveEye – Reliably safeguarding PHI means having full visibility into the different attack surfaces that present security vulnerabilities (on or off the network). Our ActiveEye solution not only provides this deeper, continuous level of monitoring but also combines people and processes to remediate incidents as they arise.
HIPAA and HITECH Overview
The primary goals of HIPAA, passed in 1996, are to allow employees to more easily retain their insurance coverage when they change jobs (Portability) and to hold healthcare entities accountable for the security of the sensitive information contained in health records (Accountability). HIPAA requires covered entities to implement a comprehensive cyber security program consisting of administrative, technical, and physical safeguards.
In 2009, as part of the American Recovery and Reinvestment Act, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. This legislation supplemented the original HIPAA. HITECH requires organizations to self-report breaches to affected individuals and, under certain circumstances, to media outlets. It also laid out a strict schedule of fines for those entities that are breached. The last big change was that HITECH expanded the requirements of HIPAA to apply directly to business associates.
Who Must Comply with HIPAA?
HIPAA identifies three categories of covered entities that must comply with the technical security requirements if they electronically transmit PHI:
- Health Plans – organizations that provide or pay for medical care. Some health plans are excluded if they meet certain criteria, such as self-administered programs with fewer than 50 members or certain government-funded programs.
- Healthcare Clearinghouses – organizations that process health information for another entity.
- Healthcare Provider – a person or organization that provides healthcare as part of their normal business.
Examples of covered entities include doctors, health insurance companies, company health plans, and pharmacies.
Because HITECH made the requirements of HIPAA directly applicable to business associates, those people or organizations that handle health information on behalf of a covered entity must also be HIPAA compliant. Examples of business associates include laboratories, attorneys, certified public accountants, and billing services.
What Must You Protect?
Covered entities or business associates must safeguard PHI. This includes information in any medium that could reasonably identify a person and also relates to that person’s past, present, or future physical or mental health care or condition. Personally identifiable information can include common identifiers like your name, address, birth date, and Social Security number.
HIPAA describes the requirements to protect PHI as two distinct rules. The Privacy Rule applies to PHI in all forms: oral, written, and electronic. The Security Rule only applies to PHI stored or transmitted in electronic form, also called ePHI. The purpose of each of these rules is slightly different.
HIPAA Privacy Rule
The Privacy Rule defines the baseline of privacy protection for PHI in all forms. It describes the appropriate level of safeguards organizations must use to protect PHI, the conditions under which organizations can disclose PHI, and also the rights of the individual who is the subject of the information.
HIPAA Security Rule
The Security Rule describes nationwide security standards for organizations that create, receive, maintain, or transmit PHI in electronic formats. The goal of the rule is to ensure healthcare entities protect the confidentiality, integrity, and availability of ePHI. Its requirements are broken down into three categories: administrative, technical, and physical security safeguards. Some of the safeguards are required, while others are only addressable. Addressable means you must determine whether it is reasonable and appropriate for your organization to implement that standard.
Each of the Security Rule categories addresses a specific aspect of a comprehensive security program. The physical safeguards refer to the physical access to facilities and workstations that use ePHI. Examples would include plans for preventing unauthorized physical access to facilities, access controls to facilities or workstations, and logs or records of those accessing ePHI systems.
The administrative safeguards relate to security programs, policies, plans, and their effectiveness. Examples of administrative safeguards can include conducting a risk analysis, assigning responsibility for security and privacy roles, and training employees on security issues.
Finally, the technical safeguards describe the technical security requirements healthcare entities must (or may, if addressable) implement as part of their HIPAA security program. The standards cover five distinct areas: access control, audit controls, integrity, authentication, and transmission security. Some examples of technical safeguards include encryption technology, login credentials and monitoring, and authentication procedures.
Breach Notification Rule
The HIPAA Breach Notification Rule requires healthcare entities to notify affected individuals when their PHI has been compromised. In addition to the affected individuals, the breached organization must report the breach to the Secretary of the Department of Health and Human Services (HHS), and it must also notify media outlets if the breach affected more than 500 individuals.
A breach is an unauthorized access, use, or disclosure of PHI that poses a significant financial, reputational, or other risk to the affected individual. The rule also sets out time frames for reporting these security incidents.
What’s at Stake? Complaints, Enforcement, and Audits
Individuals can file complaints about a healthcare organization’s compliance with HIPAA with the Office for Civil Rights (OCR), the office within HHS in charge of enforcing HIPAA. If OCR finds an organization is not in compliance, it will seek voluntary compliance, mandate corrective action, or may impose a variety of substantial civil or criminal fines or penalties.
Some examples of fines OCR has imposed for HIPAA violations include:
- Joseph Health – October 2016 – $2.14 million fine for PHI files being publicly accessible on the open Internet between 2011 and 2012.
- Advocate Health Care – August 2016 – $5.55 million fine for three data breaches that were detected in 2013. The breaches compromised the PHI of 4 million individuals.
- Oregon Health & Science University – July 2016 – $2.7 million fine for widespread and diverse HIPAA violations (unencrypted laptops, stolen unencrypted thumb drive, network vulnerabilities).
- New York Presbyterian Hospital – April 2016 – $2.2 million fine for allowing television crews to film two patients without their authorization.
OCR is also in charge of managing the HIPAA audit program. These audits seek to ensure compliance with the Privacy, Security, and Breach Notification Rules. OCR started with a pilot program of audits in 2011 and 2012 to gauge compliance of 115 entities in the industry.
In 2016, OCR initiated phase two of the audit program, which encompasses both covered entities and business associates. All covered entities and business associates are now subject to random HIPAA audits.