The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 with the original purpose of improving the efficiency and effectiveness of the U.S. healthcare system. Over time, several rules were added to HIPAA focusing on the protection of sensitive patient information.
Covered entities under HIPAA include health plans, healthcare clearinghouses, and any healthcare provider that electronically transmits information such as health claims, coordination of benefits, and referral authorizations. Covered entities comprise individuals, organizations and institutions, including research institutions and government agencies.
In 2013, the Omnibus Rule, based on the Health Information Technology for Economic and Clinical Health (HITECH) Act, extended HIPAA to business associates, which can include attorneys, IT contractors, accountants, and even cloud services.
HIPAA requires covered entities, including business associates, to put in place technical, physical, and administrative safeguards for protected health information (PHI). These safeguards are intended to protect not only the privacy of the data but also its integrity and availability.
The Department of Health and Human Services Office for Civil Rights (OCR) enforces noncriminal violations of HIPAA. Noncompliance may result in fines ranging from $100 to $50,000 per violation “of the same provision” per calendar year.
Many OCR HIPAA settlements have resulted in fines over $1 million. The largest settlement as of September 2016 was for $5.5 million, levied against Advocate Health Care, stemming from several breaches that affected a total of 4 million individuals.
In addition to civil penalties, individuals and organizations can be held criminally liable for obtaining or disclosing PHI knowingly, under false pretenses, or with the intent to use it for commercial gain or a malicious purpose. Criminal offenses under HIPAA fall under the jurisdiction of the U.S. Department of Justice and can result in imprisonment for up to 10 years, in addition to fines.
The HIPAA Privacy Rule establishes standards for protecting patients’ medical records and other PHI. It specifies what rights patients have over their information and requires covered entities to protect that information. The Privacy Rule, essentially, addresses how PHI can be used and disclosed. As a subset of the Privacy Rule, the Security Rule applies specifically to electronic PHI, or ePHI.
The Security Rule mandates the following three categories of safeguards:
Technical safeguards are defined as the technology, and the policies and procedures for that technology’s use, that collectively protect ePHI and control access to it.
Technical safeguard standards include:
Physical safeguards are defined as physical measures, policies, and procedures for protecting electronic information systems and the related equipment and buildings from natural/environmental hazards and unauthorized intrusion.
Physical safeguard standards include:
Administrative safeguards are defined as administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing employee conduct related to ePHI protection.
More than half of HIPAA’s Security Rule is focused on administrative safeguards. Standards include:
HIPAA was designed to be flexible and scalable, accommodating each covered entity and the evolution of technology over time, rather than being prescriptive. Each organization has to determine which security measures are reasonable and appropriate for its own environment.
Although some solutions may be costly, the Department of Health and Human Services (HHS) cautions that cost should not be the sole deciding factor. HHS places an emphasis on performing risk assessments and implementing plans to mitigate and manage the risks.
While the Security Rule is technology-neutral — meaning it doesn’t require a specific type of security technology — encryption is one of the best practices recommended. A large number of HIPAA data breaches reported to OCR result from the theft and loss of unencrypted devices.
In the last two or three years, more and more incidents have also resulted from cyberattacks. Encrypting protected data renders it unusable to unauthorized parties, whether the breach is due to device loss or theft or to a cyberattack. As a side note, encrypted data that is lost or stolen is not considered a data breach and does not require reporting under HIPAA.
As organizations transition to the cloud, they must also consider how using cloud services affects their HIPAA Security Rule compliance, and explore third-party cloud security solutions such as a CASB. A cloud service that handles ePHI is a business associate under HIPAA and thus must sign a business associate agreement specifying compliance. However, due diligence — and ultimate responsibility — lies with the covered entity, even if a third party causes the data breach.
OCR not only investigates reported breaches but has also implemented an audit program. In the last few years, both the number of HIPAA settlements and the fines have been growing. Violations that resulted in fines range from malware infections and lack of firewalls to failure to conduct risk assessments and execute proper business associate agreements.
According to the HIPAA Journal, the average HIPAA data breach costs an organization $5.9 million, excluding any fine levied by OCR. While the OCR fines themselves can add up to millions of dollars, noncompliance may result in various other consequences, such as loss of business, breach notification costs, and lawsuits from affected individuals — as well as less tangible costs such as damage to the organization’s reputation.