Despite being firewall-protected, heavily armed and carefully constructed, we humans, instead of feeling safe and secure, somehow end up trapped in the prison we have built out of our own fears. Strange but true! Safety and security are important factors not just in our personal lives but in our professional lives as well.
Thanks to the rapidly changing era of the internet and technology, our personal lives are no longer private. Almost everywhere you go, you knowingly or unknowingly pass on your personal information. Of course, this is done for the overall good, to make your purchases more satisfactory and enjoyable. But at the same time, you must realize that you are exposing your vulnerabilities as well. This happens in every industry vertical, and healthcare is no exception.
Hardly a day goes by without news that yet another business, healthcare organization or government agency has been compromised by a security breach. Fortunately, despite its rigid attitude to change, healthcare is starting to take new forms. HIPAA Compliance is the best example to take into account. Before going any further, note that this blog has drawn on some references related to HIPAA from TatvaSoft, HIPAA Gov and some other sources as well.
The Healthcare Industry Before HIPAA Compliance (Security Aspect) – HIPAA now and then!
HIPAA Compliance – The Health Insurance Portability and Accountability Act came into existence two decades ago and has since evolved into the face of patient privacy guidelines. Long before it, healthcare professionals took the Hippocratic oath, written in Greek. It says:
What I may see or hear in the course of the treatment or even outside of the treatment regarding the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.
Centuries passed, but providers were still grappling with safeguarding a patient’s information and maintaining trust with them. That problem has eased, thanks to evolving times and the digitization of healthcare. HIPAA is something Hippocrates would never have imagined in his wildest nightmares, but the basic tenets of the oath and what providers take HIPAA to mean are similar. Now let us recall a bit about what life was like before HIPAA or HIPAA Compliance came into being.
Several years ago, it didn’t matter much who logged in to the computer to access patient data. What mattered was being able to walk up to the nearest PC and retrieve all the required information in time. Accessibility reigned. That was not the most prudent way to secure private healthcare data; it was just the path of least resistance, a stroll down the hospital halls.
Fortunately, we have user authentication today, and with HIPAA, securing sensitive data has become far more important than the few extra mouse clicks it takes to complete a task. Prior to HIPAA, hospital users were able to dictate some of the fine details of a system rollout and its maintenance. Companies have long known what must be done to protect a patient’s personal healthcare data, and HIPAA has dictated important changes to more than just end-users. Earlier, healthcare professionals were able to tolerate regulatory compliance even when it meant users had to jump through additional hoops to do their jobs, but as soon as the IT department had to change its modus operandi, they discovered the new laws were difficult to bear.
Why was HIPAA created in 1996, and why did the compliance requirement come into existence?
HIPAA was created with the objective of improving the portability and accountability of health insurance coverage for employees between jobs. Other goals were to combat waste, fraud and abuse in health insurance and healthcare delivery. The Act also contained passages to promote the use of medical savings accounts by introducing tax breaks, to provide coverage for employees with pre-existing medical conditions and to simplify the administration of health insurance.
Understanding the importance of the HIPAA & the Security Rule in the Health Industry
Before we proceed any further, let us understand what data security is. In simple words, it is any type of preventive measure that helps secure and protect data. The ultimate objective of data security in healthcare operations is to come up with an effective and efficient plan to ensure that organizational data and patient data are as secure as possible. Now the question is: why would anybody want to steal healthcare data? If a malicious hacker wants to steal financial data (card numbers, PINs, account information), that is quite understandable, but what is the point of stealing healthcare data?
When it comes to protected health information (PHI), its long-term value makes healthcare data more enticing for malicious hackers to steal and is all the more reason why information security is so important in healthcare.
#1 The regulated healthcare industry – HIPAA
Despite HIPAA Compliance, privacy and breach notification requirements and various state laws that require covered entities and business associates to protect PHI, there is a serious lack of robust information security management programs. To provide quality patient care and meet HIPAA requirements, business associates and covered entities are asked to invest heavily in the security of their people, processes and infrastructure as a whole.
#2 Highly dependent on new technologies – HIPAA
With the advent of disruptive new technologies such as artificial intelligence, mobile apps and websites, the modern healthcare industry has reached heights it could not have reached before. But whenever a new technology is introduced into an environment, the attack surface increases and new risks must be accounted for. This goes beyond the technologies used in hospitals or other healthcare facilities – medical device manufacturers must also take into account the cyber risks associated with their products.
Even something as simple-looking as an insulin pump, such as those made by Medtronic, can be vulnerable to a cyberattack, with detrimental effects on a patient’s well-being.
#3 Highly reliant on humans – HIPAA
Day in, day out, there are reports of data breaches impacting hundreds of healthcare patients, and many of these attacks are the result of human error, such as falling for phishing attempts. Because the healthcare industry relies on humans to provide quality patient care, the risk of experiencing a data breach or security incident is much higher, which is why creating and implementing a robust information security management program must be made a top priority.
HIPAA sets national standards to protect patients’ medical records and other personal information. This rule applies to:
- Health Plans
- Health care clearinghouses
- Those healthcare providers that transmit protected health information (PHI) electronically
Protected health information covers identifiers ranging from names to dates of birth, death dates, treatment dates, admission dates and discharge dates, telephone numbers, fax numbers, other relevant contact information, addresses, social security numbers, medical record numbers, photographs and comparable images, and biometric identifiers including fingerprints, retinal scans and voiceprints.
The HIPAA Security Rule, also known as the Security Standards for the Protection of Electronic Protected Health Information, covers the standards for ePHI protection. This Rule requires entities covered by the HIPAA Compliance law to have appropriate administrative, physical and technical safeguards in place to ensure the confidentiality, integrity and security of electronically transmitted PHI. It also sets out recommendations and requirements for security management processes, including methods to prevent, detect and correct security issues.
Enter HIPAA Compliance – A Rule Worth Following!
A great deal of misunderstanding persists about the current federal health privacy law, HIPAA. Many of you believe that the HIPAA “privacy rule” is really a “disclosure rule” and that HIPAA took away privacy rights based on the constitution and common law. This is an absolute myth.
Down below I would like to mention some interesting facts about HIPAA:
- Before HIPAA there was no national health privacy law or rule, and there were no federal limits on how healthcare providers, employers or insurers collected and shared information within and outside the healthcare system.
- The common law privacy protections for health information were quite limited. For instance, disclosure of protected health information has always been permitted for a range of purposes, including to insurance companies as well as for national security, public health monitoring and law enforcement.
- HIPAA requires healthcare providers to give individuals notice of their rights and to inform them how their health information can be used.
- HIPAA broadens the scope of protection for health information used by privately-funded researchers.
HIPAA Compliance – The Health Insurance Portability and Accountability Act is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). The policy was designed to address technological changes and problems with standards for sensitive patient data protection. HIPAA Compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
HIPAA compliance is mainly regulated by HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Omnibus Rule.
#1 HIPAA Privacy Compliance/Rule
The HIPAA Privacy Rule sets national standards for patients’ rights to their PHI and ePHI. Since its enforcement in 2003, the Privacy Rule has applied to all healthcare organizations and providers of health plans (including employers). The Privacy Rule stresses the importance of PHI/ePHI safeguards such as:
- Patients’ right to access PHI/ePHI – Right to obtain a copy of their health records, right to examine their health records, right to request corrections when necessary.
- Use and disclosure of PHI/ePHI with patient authorization
- Healthcare providers’ right to deny access to PHI
- Use and disclosure of PHI/ePHI without patient authorization
- Content of use and disclosure forms
- Privacy practices
#2 HIPAA Security Compliance/Rule
As the name implies, this one sets national standards for the secure maintenance, transmission and handling of PHI and ePHI by covered entities and business associates. The Security Rule outlines standards for the integrity and safety of PHI and ePHI that must be in place in any healthcare organization, including physical, administrative and technical safeguards. Some technical safeguards to take into account include:
- Implementing means of access control
- Introducing a mechanism to authenticate ePHI
- Implementing tools for encryption and decryption
- Introducing activity audit controls
- Facilitating automatic log-off
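As an added illustration (not code from the original post or from any HIPAA implementation), the Python sketch below shows how four of these safeguards fit together on an ePHI access path: role-based access control, an HMAC tag used to authenticate each ePHI record, an audit trail of every access decision, and automatic log-off after inactivity. The key, role table, timeout and patient record are constructed assumptions; encryption of the records at rest would sit underneath this and is not shown.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Hypothetical values for the demo (assumptions, not from the article): a key
# shared by the systems that store and read ePHI, a role table, and a timeout.
INTEGRITY_KEY = b"demo-only-integrity-key"
ROLE_PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}}
SESSION_TIMEOUT = 900  # seconds of inactivity before automatic log-off

def seal(record: dict) -> dict:
    """Attach an HMAC tag so a reader can later authenticate the ePHI record."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"body": record, "tag": hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()}

def verify(sealed: dict) -> bool:
    """Recompute the tag; any change to the record body makes this fail."""
    body = json.dumps(sealed["body"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # clock value of the last successful request
    audit_log: list = field(default_factory=list)

def access(session: Session, sealed_record: dict, action: str, now: float):
    """Apply the safeguards in order and record every decision in the audit trail."""
    def audit(outcome):
        session.audit_log.append((now, session.user, action, outcome))
    if now - session.last_activity > SESSION_TIMEOUT:  # automatic log-off
        audit("DENIED: session expired")
        return None
    session.last_activity = now
    if action not in ROLE_PERMISSIONS.get(session.role, set()):  # access control
        audit("DENIED: role not permitted")
        return None
    if not verify(sealed_record):  # authenticate ePHI before releasing it
        audit("DENIED: integrity check failed")
        return None
    audit("ALLOWED")
    return sealed_record["body"]
```

Denied requests are logged with the reason rather than silently dropped, which is what an auditor reviewing the activity controls will look for.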
#3 HIPAA Omnibus Compliance/Rule
This one, in particular, is an addendum to HIPAA regulation which amended definitions, clarified procedures and policies and expanded the HIPAA compliance checklist to cover business associates and their subcontractors. The HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant and outlines the rules surrounding Business Associate Agreements (BAAs).
Any individual or organization that creates, receives, maintains or transmits Protected Health Information in the course of performing functions on behalf of a covered entity is a Business Associate. Business Associates include but are not limited to: contractors, consultants, data storage companies, health information organizations and any subcontractors.
#4 HIPAA Breach Notification Compliance/Rule
If there is a data breach involving PHI or ePHI, the HIPAA Breach Notification Rule is the set of standards that covered entities and business associates must follow. The rule differentiates between two kinds of breaches depending on their scope and size, called Minor Breaches and Meaningful Breaches. Organizations are required to report all breaches, regardless of size, to HHS OCR, but the specific reporting protocols change depending on the type of breach.
The path to HIPAA compliance – Even the Medical Space requires Compliance & Protection
Becoming HIPAA compliant is not easy, especially if you don’t know all the required mandates. Below are a few mandates one should be aware of:
- The unique identifiers rule gives practices a specific numerical code to additionally improve efficiency. This is also known as the National Provider Identifier (NPI).
- The Privacy Rule pertains to PHI and taking all necessary measures to keep this information protected, as well as describing instances in which sharing this information might be acceptable. Individuals must be notified of how their PHI is being used.
- According to the Omnibus Rule, all business associates must be compliant as well.
- The Transaction and Code Set Rules lay out the standardized guidelines for how electronic transactions should take place.
- The Enforcement Rule lays out the aforementioned civil and criminal penalties for non-compliance.
- The remaining three titles (III, IV, V) lay out the guidelines and enforcement for tax-related health provisions, for group health insurance plans, for employer health insurance plans, and for information relating to expatriates.
Recent updates to the HIPAA law
Of course, this is neither the first time the HIPAA rules have been updated, nor will it be the last. These are just some of the changes it may be seeing soon:
#1 Penalties for HIPAA Violations
On April 30th, 2019, HHS announced that fines and penalties had been updated: the caps for total annual penalties for the first three tiers were reduced from $1.5 million, with annual caps set at $25,000 for Tier 1, $100,000 for Tier 2, and $250,000 for Tier 3.
#2 Increased Auditing and Enforcement of HIPAA Violations
HHS has been increasing its enforcement efforts, which has led to massive increases in the fines levied for violations beginning in 2016, with 2018 seeing total penalties at $28 million.
#3 HIPAA Waiving Penalties During Covid-19 Crisis
Recently on March 17th, HHS announced that it will suspend enforcement activities and waive penalties regarding particular security rule provisions during the Covid-19 public health emergency. Specifically, the OCR is waiving penalties for using everyday communications technologies to provide healthcare services.
Conclusion – Compliance is here to stay!
All in all, HIPAA Compliance can seem large and bewildering at times, but it is a necessary concept to adhere to. So that’s all for now! If you have any doubt or query regarding the topic, feel free to mention it in the comment section below.