The Health Insurance Portability and Accountability Act (HIPAA) affects thousands of companies around the U.S., including many that support health care providers instead of delivering care directly themselves.
Many organizations find HIPAA compliance challenging. The U.S. Department of Health and Human Services has found organizations non-compliant with HIPAA in 70 percent of its investigations, and large-scale breaches, such as at Anthem and Premera Blue Cross, have made headlines and clearly demonstrated the severity of the threat posed by hackers. The difference between the data handling practices of the compliant 30 percent and the non-compliant 70 percent frequently comes down to a single change or set of changes. In data collection, storage, and transmission, the details are important, and a small adjustment can be the difference between a hefty fine and a sterling reputation.
HealthITSecurity.com polled its readers about HIPAA compliance and audit challenges in 2016 and found that external data security threats are the top concern for 32 percent of healthcare IT professionals, slightly ahead of both employee training and evolving technology, each the top concern for 28 percent of respondents.
The Office for Civil Rights (OCR), which enforces HIPAA compliance for the Department of Health and Human Services, reviewed over 100 healthcare institutions in 2017 and found the vast majority struggling with information security risk planning, performing security risk analysis, providing patients access to their personal health information (PHI), and providing notices of privacy practices and breach notifications. For small and medium-sized businesses, many HIPAA requirements can be challenging. Start with some of the most common issues, like those below, because one or more of them seems to apply to most HIPAA covered entities or business associates.
HIPAA Compliance and Cybersecurity
While hackers are behind some of the most damaging data breaches, internal actors are actually a greater threat to organizational cybersecurity, according to Verizon’s 2018 Data Breach Investigation Report, so a holistic view of data security is important.
There are a few key areas of HIPAA compliance relating to cybersecurity. The “minimum necessary requirement” of the Privacy Rule obliges both covered entities and their business associates to limit access to and exposure of PHI to only those who need it as part of their jobs. HIPAA requires that data be stored and remain available while it is needed, and many states have rules about how long this is, but also that it be permanently destroyed or deleted when its storage is no longer necessary. In this case, “permanently” is the important word – moving sensitive records to a computer’s trash or recycle bin does not meet this requirement, and is, therefore, a HIPAA violation.
You still have to set and enforce the right policies, but a quality managed service provider has, and can set up, all of the cybersecurity tools you need.
More Breaches Through Email
Even a quick glance at the OCR’s “wall of shame” reveals a striking trend: there are more breaches through email than through network servers, electronic medical records, desktop and laptop computers, paper and film, or portable electronic devices. Out of 163 incidents between January 1, 2019, and late May, 67 involved email (41 percent).
Some of these incidents are surely related directly to hacks that can be prevented with adequate cybersecurity systems, but others are likely caused by carelessness or poor email policies.
HIPAA compliant email means that any email account used to communicate PHI has access controls and ID authentication implemented, has audit and integrity controls in place, and encrypts data both in transit and at rest. Email is not technically required by HIPAA to be encrypted, but the transmission security required by the Security Rule makes it a de facto necessity. NIST recommends Advanced Encryption Standard (AES) encryption with 128, 192, or 256-bit keys.
Information Security Risk Management Plan
A staggering 94 percent of businesses reviewed by the OCR were found to have “inadequate or worse” information security risk management plans.
The Security Rule defines risk analysis and risk management separately, with the latter referring to “the actual implementation of security to sufficiently reduce an organization’s risk of losing or compromising its e-PHI and to meet the general security standards,” as HHS says. The OCR and the Office of the National Coordinator for Health Information Technology (ONC) even offer a downloadable Security Risk Assessment (SRA) tool specifically for HIPAA.
Risk analysis is used as the basis for the risk management plan, which addresses each identified risk with a policy or technology. The risk management plan is the formalization of your security strategy, and as such demonstrates to HHS that the covered entity or business associate has actually addressed potential vulnerabilities.
Maintaining BAAs for HIPAA Compliance
Organizations handling health data are required to have business associate agreements (BAAs) with any partner that stores or transmits that data. That means if you provide hosting, messaging, or any other healthcare IT service, you need to have a BAA with each of your healthcare clients, and also with your own IT service partners.
Part of the challenge may be that the HIPAA Omnibus Rule changed the requirements for business associates when it was introduced in 2013. BAAs must define all uses of PHI by the business associate that are permitted or required, and they put strict limits on data sharing.
The Department of Health & Human Services does provide a sample BAA, so while it may need to be adapted, putting BAAs in place is generally not too difficult. What is more challenging is remembering to do so for each new business partner, or whenever you switch to a new service provider.
Mobile Devices and BYOD
The first fine ever levied by the OCR against a BA was a $650,000 fine brought in 2016 against a company that was providing management and IT services for six Philadelphia-area nursing homes. The violation, discovered after the device was stolen, was the use of an unencrypted smartphone with no password protection that had access to the PHI of 412 patients. While there are no reports of the potential data exposure resulting in theft or fraud, the BA was found not to have the required policies in place for protecting mobile devices or for responding as required to a security incident. It was further found to have no risk analysis or risk management plan; hence the hefty fine.
According to the HIPAA Security Rule’s technical safeguard standards, the loss or theft of a mobile device with adequate encryption does not constitute a breach, so if you provide mobile devices or allow employees to use their own devices to access PHI, implement strong encryption on them.