Data is the new oil in a global economy that has witnessed digital transformation on a massive scale. With the help of technologies like Artificial Intelligence, data can help governments and organizations extract actionable insights and spot patterns to predict outcomes and take corrective measures where possible.
In healthcare, big data can allow for strategic planning using insights into people’s behavior and motivations. For example, healthcare facilities can analyze their records to study different demographics and the factors that may discourage them from seeking treatment.
This makes data security an important concern for organizations in healthcare due to the sensitive nature of the personal information patients share. Keeping that in mind, it may surprise you how common data breaches are in the healthcare industry.
The month of May 2022 saw 70 data breaches of 500 or more medical records, according to the HIPAA Journal. This is well above the monthly average of 56.75 data breaches for the previous 12 months. In fact, this is the highest number of data integrity violations since June 2021.
This is where HIPAA comes in. HIPAA stands for Health Insurance Portability and Accountability Act. It is a US federal statute signed into law by President Bill Clinton on August 21, 1996. HIPAA governs the flow of healthcare information, provides safeguards against theft and fraud, and addresses limitations on healthcare insurance coverage.
If your organization is subject to HIPAA, we suggest you review our compliance checklist to make sure your data privacy and security policies are compliant with the law.
Before we take a deep dive into HIPAA compliance, it’s important to understand some of the terms you’re likely to come across.
Protected Health Information (PHI): Protected Health Information or PHI is any data in a person’s medical record that’s created, utilized, or revealed during their treatment that can lead to identifying them personally. PHI is sometimes also referred to as HIPAA Data.
Covered Entity (CE): Any organization that provides healthcare services, such as health plans and clearinghouse services, is considered a Covered Entity (CE). Examples of covered entities are:
- Health insurance providers
- Doctor’s offices
- Dental offices
- Nursing homes
Business Associate (BA): A Business Associate is an entity that has access to PHI. Typically, these are intermediaries that store or process this data on behalf of Covered Entities or their vendors. Cloud platforms, SaaS companies, data centers, or printing facilities are good examples of BAs.
Does HIPAA Apply to My Organization?
HIPAA does not apply to all types of health information, nor does it cover every individual who interacts with such data. Your organization is only subject to HIPAA rules if it is a Covered Entity (CE) or a Business Associate (BA).
Furthermore, HIPAA also applies to organizations that work as subcontractors or hybrid entities for CEs and BAs. Subcontractors, such as a cloud storage company, may store or process Personal Health Information on behalf of a Business Associate. A grocery store with a pharmacy is an example of a hybrid entity.
HIPAA Compliance Checklist
For an organization to be HIPAA compliant, it must adhere to all the regulations outlined by the following HIPAA rules:
- Security Rule
- Privacy Rule
- Breach Notification Rule
- Omnibus Rule
- Enforcement Rule
It’s crucial to understand that each HIPAA rule is important in its place and needs to be complied with for an organization to ensure adequate protection for all the Personal Health Information it controls. No single HIPAA rule is more important than another.
Keeping this in mind, follow our HIPAA compliance checklist below to ensure your organization steers clear of any violations and fines.
- Identify the annual HIPAA audits and assessments applicable to your organization.
- Undertake the necessary audits and assessments, review the outcomes, and take note of any potential areas of improvement.
- Prepare your plan of action to address improvement areas, execute the plan, analyze the results annually, and take corrective measures as needed.
- Designate a qualified HIPAA Compliance, Privacy, and/or Security officer for your organization.
- Make sure the appointed HIPAA Compliance Officer establishes an annual HIPAA training program for everyone in the organization.
- Document the HIPAA training and staff member attestation of HIPAA regulations.
- Conduct research, due diligence, and annual reviews of Business Associates to ensure HIPAA compliance.
- Conduct regular reviews of the breach reporting processes in place for employees, as well as the procedures to notify the Human Health Services Office for Civil Rights (HHS OCR).
For a better understanding of our HIPAA compliance checklist, it’s important to know the main rules outlined in the Act.
HIPAA’s Security Rule contains guidelines to ensure the protection of confidential patient data created, accessed, processed, or stored electronically when at rest or on the move. These standards apply to individuals and systems that can access Protected Health Information (PHI) which is called ePHI in this case.
The word “access” is defined as having the means to read, write, edit, or transfer ePHI or any other patient information that may disclose the identity of a patient.
There are three main aspects of the HIPAA Security Rule. Let’s look at each one of them briefly.
The technical safeguards refer to the use of technology for data protection and access. The main requirement here is for the data to be encrypted in compliance with NIST standards once it leaves an organization’s servers. Modern encryption methods make the data nearly impossible to read in case of a breach.
The purpose of Physical Safeguards is to address matters concerning physical access to ePHI regardless of its location. This includes data stored on remote servers, in the cloud, or located on-site. In addition, Physical Safeguards also provide guidelines on securing mobile devices against security threats.
The role of Administrative Safeguards is to define the policies and procedures that bring the Security and Privacy rules together into an organizational framework. These standards require Covered Entities to assign a Security Officer and a Privacy Officer to ensure the safety of ePHI.
The HIPAA Privacy rule deals with how ePHI can be utilized, shared, or disclosed. The rule applies to all Covered Entities and their Business Associates. It also sets the parameters for the use and disclosure of ePHI without the patient’s permission.
The Privacy Rule gives patients certain rights over their health information:
- The right to acquire a copy of their health records
- The right to examine the health records
- The right to get corrections made as required
The Privacy Rule requires all Covered Entities to respond to any patient access requests within 30 days. To further educate patients and plan members on the conditions that require the usage or sharing of their data, Notices of Privacy Practices should be shared by CEs.
Furthermore, all CEs should consider:
- Providing training to employees to make sure they’re aware of the rules and regulations that govern data sharing with external entities.
- Taking all the necessary steps to maintain the security of PHI and any other personal identifiers of patients.
- Implementing procedures to ensure patients provide their written consent before their information is used for marketing or research.
More details on the HIPAA Privacy Rules can be found on the Department of Health & Human Services website.
Breach Notification Rule
The Breach Notification Rule requires Covered Entities to alert patients to any instances of data privacy violations. Under this rule, CEs are also required to report data breaches to the Department of Health and Human Services as well as the media if the incident impacts more than 500 individuals.
For data breaches affecting fewer than 500 patients, CEs are required to file reports via the Office for Civil Rights (OCR) web portal on an annual basis. Such reports for smaller breaches should be made once an initial investigation has been conducted.
When reporting data breaches, CEs should include the following:
- The types of Private Health Information and any personal identifiers exposed
- Information on who accessed, acquired, or exploited the PHI, if this information is available
- Information on the degree to which the risk has been minimized
All breach notifications should be made within 60 days after the detection of the breach. In addition to notifying a patient of a data breach, CEs should also inform them of the precautionary measures they should take to protect themselves. Furthermore, the CE should educate the patient on the measures it’s taking to investigate the breach and to prevent such incidents in the future.
The Omnibus Rule was added to HIPAA to make important updates to the definitions in the law, clarify several procedures and policies, and expand on the HIPAA Compliance Checklist to include Business Associates and their subcontractors.
The rule amends HIPAA regulations in five key areas:
- Final amendments to HIPAA as necessary under the HITECH Act
- Addition of the heavier, tiered civil money penalty structure required by HITECH
- Brought changes to the harm threshold and added the last rule on Breach Notification for Unsecured ePHI under the HITECH Act
- Updates to HIPAA to add the provisions made by the Genetic Information Nondiscrimination Act (GINA) to forbid CEs from sharing genetic information for underwriting
- Prohibition of the exploitation of Protected Health Information and personal identifiers for marketing
- Changes to the definition of the term Business Associate
- Updates to the term Workforce were made to include employees, volunteers, and trainees
- Updates made to the nature of personally identifiable information that is classified as PHI
The Enforcement Rule pertains to the procedures and investigations that follow a data breach, and the fines and penalties Covered Entities may potentially face as a result of an avoidable PHI breach.
In case of such a data breach, Covered Entities may be subject to the following penalties:
- A HIPAA violation due to ignorance can be penalized with a fine of $100 to $50,000
- A violation that takes place despite reasonable protective measures can be penalized with a fine of $1,000 to $50,000
- A violation that’s determined to have taken place due to willful neglect and is addressed within 30 days may attract a penalty of $10,000 to $50,000
- A violation that results from willful neglect not addressed within 30 days would result in the maximum fine of $50,000
Penalties and fines are imposed based on the nature of the violation as well as the amount of data exposed in a breach. Another factor that’s taken into consideration is the seriousness of the risk posed by the data leak. Finally, the level of negligence involved is also taken into account.
It isn’t uncommon for penalties to go as far up as $1,500,000 per year per violation. It’s also worth noting that willful neglect may lead to criminal charges. CEs should also expect victims of data breaches to organize and proceed with class-action lawsuits.
The Covered Entities found to be most vulnerable to HIPAA violations are:
- Solo doctors
- Group practices
- Insurance groups
HIPAA IT Compliance
On top of the rules and regulations we discussed as part of our HIPAA Compliance Checklist, IT departments can put various measures into place to improve the security of ePHI.
At the top of our list is personal messaging software. The risk of security lapses can be mitigated substantially with the use of a secure messaging solution. This would allow authorized personnel to send and receive messages and attachments containing ePHI data in an encrypted format. Such an arrangement would also satisfy the physical, technical, and administrative safeguards defined by HIPAA.
The second important IT compliance issue to address is email. To prevent security lapses related to email messaging, it’s important to employ proper encryption methods, particularly for communication beyond an internal firewalled server.
The same principle applies when it comes to storing and archiving emails containing ePHI. Such emails are a part of a patient’s medical record and, therefore, should be archived in an encrypted format for at least six years.
Finally, the usage of high-quality anti-virus and botnet protection software is an absolute necessity when modern spamming and phishing techniques are constantly evolving.