Those of you involved in the healthcare industry must be well aware of the Health Insurance Portability and Accountability Act (HIPAA) and its compliance requirements. The regulation is a standard framework and statement of best practices for the healthcare industry to follow. Although the regulation may seem daunting, anyone connected to the healthcare industry must understand it. In this article, we briefly explain the HIPAA Regulation and how it helps in protecting PHI data. So, moving ahead, let us first understand what HIPAA compliance is.
By Narendra Sahoo, Founder and Director, VISTA InfoSec
Brief on HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) is landmark legislation established in 1996 in the United States for the healthcare industry. HIPAA was initially designed to address the issue of health insurance coverage for people. However, the Regulation is now more widely known for improving the privacy and security of sensitive PHI in the healthcare industry. The HIPAA Security and Privacy Rules were introduced to address growing concerns about data breaches in the industry. To address evolving security issues, critical changes concerning how organizations store, handle and use sensitive patient information were eventually covered in the HIPAA regulation.
Today, the HIPAA Regulation requires covered entities (healthcare providers, health plans, healthcare clearinghouses, and business associates) to put in place technical, physical, and administrative measures to secure Protected Health Information (PHI). This is to ensure not just the privacy but also the integrity and availability of the data.
What is PHI data?
PHI, which stands for Protected Health Information, is personally identifiable information in a medical record that is used or disclosed in the course of providing healthcare services. As defined under the HIPAA Regulation, PHI is patient information relating to their past, present or future physical or mental health. But it is not limited to healthcare records; it also includes health insurance details or any information relating to payment for healthcare that identifies the individual concerned.
So, whether a piece of data counts as PHI comes down to whether health-related data can be used to identify the individual. It is the link between the health data and the individual that is the key in determining PHI. However, it does not include information held in education or employment records. As per HIPAA, there are 18 identifiers that make health information PHI, as in the table below:

| # | Identifier |
| --- | --- |
| 1 | Name |
| 2 | Geographic data |
| 3 | Dates |
| 4 | Telephone numbers |
| 5 | Fax numbers |
| 6 | Email addresses |
| 7 | Medical record numbers |
| 8 | Account numbers |
| 9 | Health plan beneficiary numbers |
| 10 | Certificate/license numbers |
| 11 | Vehicle identifiers and serial numbers, including license plates |
| 12 | Web URLs |
| 13 | Device identifiers and serial numbers |
| 14 | Internet protocol addresses |
| 15 | Full face photos and comparable images |
| 16 | Biometric identifiers (e.g., retinal scans, fingerprints) |
| 17 | Social Security numbers |
| 18 | Any other unique identifying number or code |
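The rule above (health-related content plus any of the 18 identifiers equals PHI) is something a data-protection team usually turns into a scanner that flags records before they leave a controlled system. The following Python is an added example written for this article, not code from the author or from VISTA InfoSec. It covers only the identifiers that can be recognised by their shape (email, SSN, telephone, IP address, URL, date, medical record number); names, geographic data, photos and biometrics need context or a trained model and are out of scope. The sample records, the keyword list and the `MRN` number format are constructed assumptions for the demonstration.

```python
import re

# Regex patterns for the subset of HIPAA identifiers that have a recognisable
# shape. Names, addresses, biometrics and images are deliberately not covered.
IDENTIFIER_PATTERNS = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone_number": re.compile(
        r"(?<![\w.])(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web_url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    # Any date more specific than a year is an identifier under HIPAA.
    "date": re.compile(
        r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Assumed record-number format "MRN 00123456" (constructed for the example).
    "medical_record_number": re.compile(r"\bMRN[: ]+\d{6,}\b", re.IGNORECASE),
}

# Crude health-context keywords (constructed); a real deployment would use a
# medical vocabulary or classifier instead of substring matching.
HEALTH_TERMS = ("diagnos", "prescri", "patient", "treatment",
                "blood", "insurance", "claim", "clinic")


def find_identifiers(text):
    """Return {identifier_type: [matches]} for every pattern that fires."""
    found = {}
    for label, pattern in IDENTIFIER_PATTERNS.items():
        matches = sorted(set(pattern.findall(text)))
        if matches:
            found[label] = matches
    return found


def mentions_health_information(text):
    lowered = text.lower()
    return any(term in lowered for term in HEALTH_TERMS)


def classify_record(text):
    """PHI = health-related content AND at least one direct identifier."""
    identifiers = find_identifiers(text)
    health = mentions_health_information(text)
    return {"identifiers": identifiers,
            "health_related": health,
            "is_phi": health and bool(identifiers)}


def redact(text):
    """Replace every matched identifier with a bracketed type label."""
    redacted = text
    for label, pattern in IDENTIFIER_PATTERNS.items():
        redacted = pattern.sub(f"[{label.upper()}]", redacted)
    return redacted


# Constructed sample records; none of this is real patient data.
SAMPLE_RECORDS = [
    # health information tied to several identifiers -> PHI
    "Patient Jane Doe (MRN 00123456, DOB 03/14/1987, jane.doe@example.com) "
    "was prescribed metformin; claim submitted from 10.0.0.55.",
    # identifiers present but no health content -> not PHI by this rule
    "Call the front desk at (555) 123-4567 to confirm the venue.",
    # health content but nothing that identifies a person -> not PHI
    "Aggregate report: 42 flu cases were diagnosed last quarter.",
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        result = classify_record(record)
        print(result["is_phi"], sorted(result["identifiers"]))
        if result["is_phi"]:
            print("  redacted:", redact(record))
```

Note that the first record still contains the name "Jane Doe" after redaction: pattern matching alone never satisfies the Safe Harbor de-identification standard, which is why the output of such a scanner is a triage signal for review rather than a release decision.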
What is e-PHI?
ePHI is Electronic Protected Health Information that includes individually identifiable health information created, maintained, or transmitted electronically. This includes PHI on desktop, web, mobile, wearable, and other technology such as email, text messages, or other similar applications.
How does HIPAA compliance help in protecting PHI data?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was developed to improve the efficiency and effectiveness of the healthcare system in the US. Eventually, several new rules were added to HIPAA focusing on securing sensitive patient information. For healthcare organizations, HIPAA provides a framework that secures access to Protected Health Information and restricts with whom the information can be shared. So, any organization dealing with PHI must have Administrative, Logical and Technical controls in place to be compliant. Today, the HIPAA Regulations have reformed how healthcare professionals operate. HIPAA’s Security and Privacy Rules were introduced as measures to improve the protection of PHI data, especially during the transition of health information from paper records to electronic form. The details below explain how the HIPAA Privacy and Security Rules help in protecting PHI.
HIPAA Privacy and Security Rules
The HIPAA Privacy Rule establishes standards for protecting the privacy of PHI. It is a national standard set to protect individuals’ medical records and other personal health information. The rules outline the rights of patients over their health information, including the right to examine and obtain a copy of their health records, and the right to request corrections. The Rule requires covered entities to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures of Protected Health Information, especially those made without patient authorization.
As a subset of the Privacy Rule, the Security Rule applies specifically to electronic PHI, or ePHI. The HIPAA Security Rule is a standard that guides covered entities in protecting individuals’ electronic personal health information and ensuring the confidentiality, integrity, and security of this information. It requires protecting e-PHI by using administrative, physical, and technical security measures. The three safeguards outlined by the HIPAA Regulation are summarized below for your understanding and implementation.
Administrative safeguards can be defined as the administrative actions to be taken concerning policy and procedural implementation for protection against a breach. This typically involves establishing documentation processes, roles and responsibilities, training requirements and data maintenance policies, to name a few. Administrative safeguards include ensuring that the physical and technical protections are implemented appropriately.
- Security Management Process – The Administrative Safeguards require covered entities to conduct a Risk Analysis as part of their Security Management Processes. This is to identify and analyze potential risks to e-PHI and implement security measures to reduce risks to a reasonable level.
- Appoint Security Personnel – A covered entity must, as part of the HIPAA Security requirement, appoint a security official who will be responsible for developing and implementing relevant security policies and procedures.
- Access Management – In line with the Privacy Rule, covered entities must limit the access to and disclosure of PHI to the minimum necessary, on a need-to-know basis. The Security Rule calls for covered entities to implement policies and procedures that authorize access to e-PHI only when such access is necessary, and to make that access role-based.
- Workforce Training – A covered entity must train all its employees and members dealing with e-PHI on the implemented security policies and procedures. It must have measures in place to enforce these policies, with appropriate sanction policies for members who violate them.
- Evaluating security measures – A covered entity is required to perform a periodic assessment of the security policies and procedures established to meet the security requirements as stated in the Security Rule.
Physical safeguards involve ensuring the physical protection of stored PHI data. This would include having security systems, CCTV cameras, door locks, and similar security measures in place. It also includes security safeguards for workstations and the electronic devices and gadgets storing PHI data.
- Facility Access and Control – A covered entity must limit physical access to the facility storing PHI data. It must ensure that only authorized, role-based access to such facilities is allowed.
- Security measures for Workstations and Devices – A covered entity must implement policies and procedures to implement and enforce the necessary security measures at workstations and on electronic devices that contain PHI data. The policies and procedures also include measures concerning the transfer, removal, disposal, and re-use of e-PHI to ensure the protection of the data.
Technical safeguards are the technology-related measures and the policies governing them that protect data from unauthorized access. The covered entity needs to determine and implement relevant security measures for protecting ePHI. Covered entities are expected to proactively identify potential risks and the measures needed to secure e-PHI.
- Access Control – A covered entity is expected to have in place appropriate access controls by implementing policies and procedures that limit access to only authorized personnel.
- Audit Controls – A covered entity must deploy hardware, software, and/or procedural mechanisms to record and examine access and other activity in systems that contain or use e-PHI.
- Integrity Controls – A covered entity must have policies and procedures established to ensure that e-PHI is not altered or destroyed unknowingly. Necessary measures need to be in place to ensure the same.
- Transmission Security – A covered entity must have technical security measures to guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
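Audit Controls and Integrity Controls are the two technical safeguards that are easiest to get subtly wrong: an audit log that an insider with write access can quietly edit satisfies neither. The Python below is an added example for this article, not code from the author or from any HIPAA guidance. It keeps an audit trail of ePHI access events in which every entry carries an HMAC that also covers the previous entry's tag (a hash chain), so modifying, reordering or deleting an entry is detected, and it seals individual ePHI records with a keyed integrity tag. The signing key, the user names, the record identifiers and the timestamps are constructed values; in a real deployment the key would come from an HSM or secrets manager and the log would be written to append-only storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example only; a real key lives in an HSM or secrets
# manager and is never checked into code.
LOG_KEY = b"example-audit-log-key-not-for-production"
GENESIS_TAG = "0" * 64  # tag chained into the very first entry


class AuditLog:
    """Hash-chained, HMAC-protected audit trail of ePHI access events."""

    def __init__(self, key):
        self.key = key
        self.entries = []

    def _mac(self, payload, prev_mac):
        # Each tag binds the entry body AND the previous tag, so the chain
        # breaks if any earlier entry is altered, removed or reordered.
        return hmac.new(self.key, prev_mac.encode() + payload.encode(),
                        hashlib.sha256).hexdigest()

    def record(self, user, action, record_id, timestamp=None):
        prev_mac = self.entries[-1]["mac"] if self.entries else GENESIS_TAG
        entry = {
            "seq": len(self.entries),
            "time": timestamp or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,        # e.g. "view", "update", "export"
            "record_id": record_id,  # which ePHI record was touched
        }
        payload = json.dumps(entry, sort_keys=True)
        entry["mac"] = self._mac(payload, prev_mac)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, count) if intact, else (False, index_of_first_bad)."""
        prev_mac = GENESIS_TAG
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i:          # gap or reordering
                return False, i
            expected = self._mac(json.dumps(body, sort_keys=True), prev_mac)
            if not hmac.compare_digest(expected, entry["mac"]):
                return False, i               # content or tag altered
            prev_mac = entry["mac"]
        return True, len(self.entries)


def seal_record(record, key=LOG_KEY):
    """Integrity tag over the canonical JSON form of an ePHI record."""
    canonical = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def record_unaltered(record, tag, key=LOG_KEY):
    """Integrity check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(seal_record(record, key), tag)


if __name__ == "__main__":
    log = AuditLog(LOG_KEY)
    log.record("dr.smith", "view", "MRN-00123456", "2024-01-01T00:00:00+00:00")
    log.record("nurse.jones", "update", "MRN-00123456", "2024-01-01T00:05:00+00:00")
    print("intact:", log.verify())
    log.entries[0]["user"] = "someone.else"  # simulate an insider edit
    print("after tampering:", log.verify())
```

The design choice worth noting is the keyed MAC rather than a plain hash chain: a plain chain can be recomputed by anyone who can write to the log, whereas the MAC requires the key, which should be held by the logging service and not by the application servers whose activity it records. Restricting who holds that key is an administrative safeguard; the chain itself is the technical one.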
Enforcement of Security safeguards with Non-Compliance Penalties
The HIPAA Privacy and Security Rules were established to secure the confidentiality, integrity, and availability of e-PHI. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for administering and enforcing these rules and has the authority to conduct investigations and compliance reviews. While the OCR prefers to resolve HIPAA violations using non-punitive measures, like voluntary technical guidance or issuing warnings to help covered entities address non-compliance, serious violations that persist for a long time, or multiple areas of noncompliance, will result in financial penalties. The financial penalties are levied based on the penalty structure set by the enforcement bodies, as given below:
| Tier of penalties | Violation explained | Penalty structure |
| --- | --- | --- |
| Tier 1 | A violation that a covered entity was unaware of and could not have realistically avoided, having taken reasonable measures to abide by the HIPAA Rules | Minimum fine of $100 per violation, up to $50,000 |
| Tier 2 | A violation that a covered entity should have been aware of but could not have avoided even with a reasonable amount of measures taken (not willful negligence of the HIPAA Rules) | Minimum fine of $1,000 per violation, up to $50,000 |
| Tier 3 | A violation due to willful negligence of the HIPAA Rules, but where an attempt has been made to correct the violation | Minimum fine of $10,000 per violation, up to $50,000 |
| Tier 4 | A violation of the HIPAA Rules constituting willful negligence, where no attempt was made to correct the violation | Minimum fine of $50,000 per violation |
Keeping health information secure is a critical, ongoing process for covered entities in the healthcare industry. The HIPAA Regulation was established to ensure that covered entities abide by the rules and maintain compliance. It provides a framework that works as a guide for covered entities to protect their PHI data.
The regulation was designed to be flexible and scalable for covered entities, keeping in mind the evolving technology and threat landscape. So, covered entities can determine reasonable and appropriate security measures based on their environment and implement them accordingly. Following the standard framework with diligence will not just help covered entities secure their data, but also prevent breaches and further ensure compliance with the HIPAA Regulation.
About the Author
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the U.S., Singapore, and India. Sahoo has more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, and Compliance services.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.