HIPAA Compliance

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is an important legislative Act affecting the US healthcare industry. When it was first introduced in 1996, signed into law by President Bill Clinton, HIPAA’s primary function was to address the issue of healthcare coverage for individuals between jobs. Without HIPAA legislation, individuals in this situation could find themselves without healthcare coverage, and therefore potentially unable to access important medical treatment.

HIPAA is now better known for revolutionising data protection legislation in the US. The legislation has had wide-reaching consequences for how the healthcare industry, and related businesses, handle patient information. Before HIPAA, healthcare professionals themselves were left to determine the best methods of safeguarding individuals' private healthcare information. While state laws offered some direction, there was no general consensus in the healthcare industry on best practices for data security.

Any organisation that handles the protected health information (PHI) of individuals is required to comply with HIPAA's Rules. These organisations are known as “Covered Entities” (CEs): health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. If any of their business associates (BAs) handle PHI on their behalf, the BAs too must follow HIPAA's stipulations on how that data is to be protected, and since the 2013 Omnibus Rule they are directly liable for doing so.

HIPAA Rules

HIPAA is formed of a number of rules, which have been added to the original Act over time as a means of updating the legislation. The Rules contain a number of different stipulations on how data should be used, protected, and shared, in addition to providing requirements for how organisations should handle data breaches. Some of the Rules are summarised below.

The Privacy Rule of 2000

The purpose of the HIPAA Privacy Rule was to introduce restrictions on the permitted uses and disclosures of protected health information. The Rule stipulates when, with whom, and under what circumstances health information may be shared. Only authorised individuals may access PHI; access by an unauthorised individual, whether by accident or through a deliberate hacking attempt, may incur financial penalties if the organisation did not have adequate safeguards in place. The patient also has the ability to authorise who may see their medical information.

The HIPAA Privacy Rule also gives patients the right to access their health data on request. An individual's data must be delivered to them in a secure manner within 30 days of the request being submitted (a single 30-day extension is permitted if the individual is told the reason in writing).

The Security Rule of 2003

The purpose of the HIPAA Security Rule is mainly to ensure that electronic PHI (ePHI) is protected by the requisite administrative, technical, and physical safeguards. Covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit. An auditable trail of ePHI activity must be maintained, with access to any ePHI carefully recorded and controlled. Furthermore, covered entities must protect against “reasonably anticipated threats” to the security of ePHI.

The safeguards fall into two categories: “required” and “addressable”. Required safeguards are self-explanatory; they must be implemented to ensure HIPAA compliance. Addressable safeguards should be implemented unless it is unreasonable to do so, in which case an organisation may implement an appropriate alternative, or not implement the safeguard at all, but in either case it must document its rationale for the decision.

The safeguards outlined by the Security Rule are summarised as follows:

Technical Safeguards:

Required:

  • Implement a means of access control
  • Introduce activity logs and audit controls

Addressable:

  • Introduce a mechanism to authenticate ePHI
  • Implement tools for encryption and decryption
  • Facilitate automatic log-off of PCs and devices

Physical Safeguards:

Required:

  • Policies for the use/positioning of workstations
  • Policies and procedures for mobile devices

Addressable:

  • Facility access controls must be implemented
  • Inventory of hardware

Administrative Safeguards:

Required:

  • Conducting risk assessments
  • Introducing a risk management policy
  • Developing a contingency plan
  • Restricting third-party access (business associate agreements)
  • Responding to and reporting security incidents

Addressable:

  • Training employees to be secure
  • Testing of contingency plan
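The technical safeguards listed above are easier to reason about in code than in prose. The following Python is an added example, not part of the original page and not any vendor's product: a toy ePHI store that applies deny-by-default role-based access control with unique user IDs, writes every access attempt (allowed or denied) to a tamper-evident audit log, authenticates each stored record with an HMAC, and times out idle sessions. The two keys, the users, the roles and the records are hypothetical; a real deployment would hold the keys in a KMS or HSM rather than in source.

```python
"""Toy ePHI store exercising four Security Rule technical safeguards:
access control, audit controls, ePHI integrity checks, automatic logoff.
Assumption: keys below stand in for KMS/HSM-held keys; data is hypothetical."""
import hashlib
import hmac
import json
from dataclasses import dataclass

RECORD_MAC_KEY = b"demo-record-integrity-key"   # assumption: KMS-held in production
AUDIT_CHAIN_KEY = b"demo-audit-chain-key"       # assumption: KMS-held in production
IDLE_TIMEOUT_S = 15 * 60                        # automatic logoff after 15 idle minutes

# Deny by default: a role or action not listed here is refused.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),   # billing staff get claims data elsewhere, not clinical notes
}


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user_id: str        # unique per person; shared logins defeat the audit trail
    role: str
    last_active: float

    def touch(self, now: float) -> bool:
        """Refresh the idle timer; return False once the session has timed out."""
        if now - self.last_active > IDLE_TIMEOUT_S:
            return False
        self.last_active = now
        return True


class AuditLog:
    """Append-only log; each entry's tag covers the previous tag, so editing
    or deleting any entry is detected by verify()."""

    def __init__(self) -> None:
        self.entries = []
        self._prev = "0" * 64

    def append(self, event: dict) -> None:
        body = json.dumps(event, sort_keys=True).encode()
        tag = _mac(AUDIT_CHAIN_KEY, self._prev.encode() + body)
        self.entries.append({"event": event, "prev": self._prev, "tag": tag})
        self._prev = tag

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True).encode()
            expected = _mac(AUDIT_CHAIN_KEY, prev.encode() + body)
            if e["prev"] != prev or not hmac.compare_digest(e["tag"], expected):
                return False
            prev = e["tag"]
        return True


class PHIStore:
    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self._records = {}   # patient_id -> (json bytes, hex HMAC)

    def _authorise(self, session: Session, action: str, patient_id: str, now: float) -> None:
        event = {"ts": now, "user": session.user_id, "role": session.role,
                 "action": action, "patient": patient_id}
        if not session.touch(now):
            self.audit.append({**event, "result": "denied", "reason": "session expired"})
            raise PermissionError("session expired; re-authenticate")
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self.audit.append({**event, "result": "denied", "reason": "role not permitted"})
            raise PermissionError(f"role {session.role} may not {action}")
        self.audit.append({**event, "result": "allowed"})   # successful access is logged too

    def write(self, session: Session, patient_id: str, record: dict, now: float) -> None:
        self._authorise(session, "write", patient_id, now)
        blob = json.dumps(record, sort_keys=True).encode()
        self._records[patient_id] = (blob, _mac(RECORD_MAC_KEY, blob))

    def read(self, session: Session, patient_id: str, now: float) -> dict:
        self._authorise(session, "read", patient_id, now)
        blob, tag = self._records[patient_id]
        if not hmac.compare_digest(tag, _mac(RECORD_MAC_KEY, blob)):
            self.audit.append({"ts": now, "patient": patient_id, "result": "integrity failure"})
            raise ValueError("ePHI record failed its integrity check")
        return json.loads(blob)


if __name__ == "__main__":
    audit, t0 = AuditLog(), 1_700_000_000.0
    store = PHIStore(audit)
    store.write(Session("dr.lee", "physician", t0), "P-1001", {"dx": "type 2 diabetes"}, t0)
    print(store.read(Session("rn.park", "nurse", t0), "P-1001", t0 + 60))
    print("audit chain intact:", audit.verify())
```

Two design points matter more than the toy's size. Denied attempts are logged as carefully as successful ones, because a run of denials from one account is exactly the signal an incident responder wants. And the audit log is chained, so an insider who can edit the log table cannot quietly remove their own entry; the same HMAC key separation keeps record integrity tags and log tags independent.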

The Breach Notification Rule of 2009

The Breach Notification Rule of 2009 covers the requirement for HIPAA CEs to provide notification following a breach of PHI. A breach is an unauthorised acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Following a breach, the Breach Notification Rule states that covered entities must provide notification of the breach to affected individuals, the Secretary of HHS, and, if the breach is of a significant scale, to the media. The Rule also covers business associates, who must notify covered entities if a breach occurs at or by the business associate.

The Breach Notification Rule requires those affected by the breach to be notified that their PHI has been compromised without unreasonable delay, and no later than 60 calendar days after the breach is discovered. If ten or more affected individuals cannot be contacted, substitute notice must be given, for example by posting the notice conspicuously on the company's website for 90 days. If the breach occurs at or by a business associate, the covered entity is ultimately responsible for ensuring individuals are notified, but it may delegate the task of providing individual notices to the business associate. If the breach affects more than 500 residents of a State or jurisdiction, prominent media outlets serving that area must also be notified. Breaches affecting 500 or more individuals must be reported to HHS at the same time as the individuals; smaller breaches may be logged and reported to HHS annually.

The Enforcement Rule of 2006

The Enforcement Rule was introduced in March 2006 to address the consequences of CEs failing to comply with the HIPAA Privacy and Security Rules. The Enforcement Rule gave the Department of Health and Human Services (HHS) the power to investigate complaints made against CEs for failing to comply with the Privacy and Security Rules. If it was found that a security breach occurred because the CE failed to implement the safeguards outlined in the Security Rule, the Enforcement Rule granted HHS the power to fine the CE in question for the violation.

Civil enforcement is handled by HHS's Office for Civil Rights (OCR). OCR does not bring criminal charges itself; cases in which PHI was knowingly obtained or disclosed in violation of the Act are referred to the Department of Justice for prosecution. The Enforcement Rule also formalised the complaint process for individuals: a person whose PHI has been disclosed without their permission may file a complaint with OCR, which must investigate. HIPAA itself does not give individuals a private right of action to sue the CE, although state privacy or negligence law may, particularly where the disclosure caused serious harm such as identity fraud.

The Final Omnibus Rule of 2013

The Final Omnibus Rule of 2013 is the most recent addition to HIPAA. Unlike the other rules, it introduces little new legislation of its own; it was designed to remove ambiguity in existing HIPAA and HITECH regulations. Important examples of this include the specification of encryption standards, and the introduction of new administrative standards to reflect the fact that technological advances have changed how PHI is transmitted and shared between healthcare professionals. Workplaces across all industries have changed since 1996, most notably with the introduction of new technologies. The Final Omnibus Rule was introduced to make the implementation of HIPAA more robust to these changes.

The rule included several definitions to improve the clarity of the language used in the Act. For example, the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.

The Privacy Rule was also amended to limit protection of a deceased individual's health information to 50 years after death, whereas previously it had been protected indefinitely. The Breach Notification Rule was amended so that any impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, replacing the earlier “harm” standard. The HITECH penalty tiers were also applied, under the Enforcement Rule, to covered entities and business associates that violate HIPAA.

Are Skype, WhatsApp, Microsoft OneDrive, and other digital services HIPAA-compliant?

Technology has revolutionised the healthcare industry. Instant messaging platforms, such as WhatsApp, are used to rapidly transmit data between healthcare professionals. Cloud-based data storage solutions have proven a powerful alternative for organisations wishing to store data without implementing costly hardware set-ups. However, users of such technology in the healthcare industry must be wary. No software is HIPAA compliant in itself: a service can be used in a compliant way only if the vendor will sign a business associate agreement (BAA) and the service is configured and used appropriately. A consumer service whose provider will not sign a BAA cannot be used for PHI at all, however good its encryption, and even with a BAA in place users may still violate HIPAA if they do not use the service in an appropriate manner.

Each service must be carefully considered before use in a healthcare setting. Google Drive, a cloud-based file storage service, is used below as an illustrative example of the actions that must be taken before PHI is uploaded onto the platform. CEs must:

  • Obtain a BAA from Google prior to using G Suite (now Google Workspace) with PHI
  • Configure access controls carefully
  • Use 2-factor authentication for access
  • Use strong passwords
  • Turn off file syncing
  • Set link sharing to off
  • Restrict sharing of files outside the domain (Google offers advice if external access is required)
  • Set the visibility of documents to private
  • Disable third-party apps and add-ons, and users' ability to install them
  • Disable offline storage for Google Drive
  • Audit access and account logs and shared file reports regularly
  • Configure ‘manage alerts’ to ensure the administrator is notified of any changes to settings
  • Back up all data uploaded to Google Drive
  • Ensure staff are trained in the use of Google Drive and other G Suite apps
  • Never put PHI in the titles of files (titles appear in notification emails, logs and search results that the document's own permissions do not cover)
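Several items in that checklist (link sharing off, no external sharing, documents private, no PHI in titles) can be checked mechanically from file metadata, which is what the regular audit item should do. The Python below is an added example, not Google's code and not part of the original page: it walks a list of file records and reports each violation. The sample records are constructed for the example in the shape of a Google Drive API v3 `files.list` response requested with `fields="files(id,name,permissions)"`, the clinic domain `example-clinic.org` is hypothetical, and the PHI title patterns are a starting point that a real deployment would tune.

```python
"""Flag Google Drive files that break the sharing checklist above.
Assumption: FILES mimics Drive API v3 files.list output (constructed data);
ORG_DOMAIN is a hypothetical covered entity's domain."""
import re
from dataclasses import dataclass

ORG_DOMAIN = "example-clinic.org"

# Title patterns that suggest PHI has leaked into a file name: identifiers,
# record numbers, dates that may be birth dates, clinical terms.
PHI_TITLE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                     # SSN-style identifier
    re.compile(r"\bMRN[\s#:-]*\d{4,}\b", re.I),                # medical record number
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),                  # date, possibly a DOB
    re.compile(r"\b(?:diagnosis|dx|oncology|hiv|lab results?)\b", re.I),
]


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    issue: str


def audit_file(f: dict) -> list:
    """Return one Finding per checklist violation visible in the file's metadata."""
    findings = []
    for p in f.get("permissions", []):
        ptype = p.get("type")
        if ptype == "anyone":
            # "anyone with the link": link sharing is on, so the file is not private
            findings.append(Finding(f["id"], f["name"], "link sharing enabled"))
        elif ptype == "domain" and p.get("domain", "").lower() != ORG_DOMAIN:
            findings.append(Finding(f["id"], f["name"],
                                    f"shared with external domain {p.get('domain')}"))
        elif ptype in ("user", "group"):
            email = p.get("emailAddress", "").lower()
            if not email.endswith("@" + ORG_DOMAIN):
                findings.append(Finding(f["id"], f["name"],
                                        f"shared outside the domain with {email}"))
    if any(pat.search(f["name"]) for pat in PHI_TITLE_PATTERNS):
        findings.append(Finding(f["id"], f["name"], "possible PHI in file title"))
    return findings


def audit_files(files: list) -> list:
    return [finding for f in files for finding in audit_file(f)]


# Constructed sample records; not real patients and not real Drive output.
FILES = [
    {"id": "f1", "name": "Clinic staff rota.xlsx",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.org"}]},
    {"id": "f2", "name": "MRN 482913 - oncology plan.docx",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.org"},
                     {"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "Referral letter.pdf",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr.lee@example-clinic.org"},
                     {"type": "user", "role": "writer", "emailAddress": "locum.doc@gmail.com"}]},
    {"id": "f4", "name": "Q3 billing summary",
     "permissions": [{"type": "domain", "role": "reader", "domain": "partner-billing.com"}]},
]

if __name__ == "__main__":
    for fnd in audit_files(FILES):
        print(f"{fnd.file_id} {fnd.name!r}: {fnd.issue}")
```

Run against real metadata, the script gives the administrator a list to act on rather than a report to read; third-party app access and offline storage are tenant-level settings and have to be checked in the admin console, not per file.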

If you have any other queries regarding your organisation’s use of Google Drive, or other cloud-based platforms, you are advised to seek legal counsel to ensure that your organisation remains HIPAA compliant.

The Basic Requirements for HIPAA Compliance

One of the most crucial aspects of ensuring HIPAA compliance is performing regular and thorough risk assessments (the Security Rule calls this a risk analysis). By identifying potential areas for improvement in an organisation, as well as highlighting areas that are particularly vulnerable to breaches, an organisation is able to create a more robust security framework. Although HIPAA itself does not prescribe a method for the risk assessment, HHS's OCR has published guidance on the objectives it should meet. These include:

  • Identify the PHI that is created, received, stored and transmitted, including PHI shared with consultants, vendors and Business Associates.
  • Identify the human, natural and environmental threats to the confidentiality, integrity and availability of PHI; human threats include both intentional and unintentional ones.
  • Assess what measures are in place to protect against those threats, and the likelihood of a “reasonably anticipated” breach occurring.
  • Determine the potential impact of a PHI breach and assign each threat a risk level derived from its assigned likelihood and impact levels (a likelihood/impact matrix is the usual approach).
  • Document the findings and implement the measures, procedures and policies needed to address the identified risks.
  • Retain the risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents for a minimum of six years.

The depth of the assessment may be scaled to the size of the organisation, the types of data it handles, and similar factors.

Although HIPAA does not explicitly require data encryption for the protection of PHI (it is an addressable safeguard), encryption is certainly one of the best ways of ensuring that unauthorised individuals do not gain access to sensitive information. With the increase in cyberattacks and phishing incidents, data encryption gives organisations a level of safety, for even if the data is stolen it is rendered unreadable unless the criminal also manages to obtain the key. It also matters for breach reporting: under HHS guidance, PHI encrypted in line with NIST recommendations is not considered “unsecured”, so the loss of an encrypted device whose key was not compromised is not a reportable breach. Encryption is a security measure that should be seriously considered by organisations, as it goes a long way towards HIPAA compliance. If an organisation decides not to use encryption to protect data, it must record the decision, explain why encryption was not used, and implement an appropriate alternative.

An organisation can be made HIPAA compliant by implementing controls that satisfy the requirements of the various HIPAA Rules, performing regular risk assessments, and checking that any digital services used are covered by a BAA and are configured and used in a compliant manner.

Penalties for HIPAA Non-Compliance and Violations

Those who violate HIPAA face substantial financial penalties. The Omnibus Rule of March 2013 introduced penalty tiers in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). Under the Omnibus Rule, the new penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses and all other CEs, and also to Business Associates (BAs) of CEs that violate HIPAA Rules.

The penalty structure is divided into four tiers according to the CE's level of culpability: whether it knew, or by exercising reasonable diligence would have known, of the violation; whether the violation resulted from wilful neglect; and whether it was corrected promptly. Within a tier, OCR sets the amount based on a number of “general factors”, such as the size and financial condition of the organisation, the safeguards in place before the violation, and the seriousness of the violation.

Categories of HIPAA Violation

The tiered structure for penalties can be described as follows:

  • Category 1: A violation the CE did not know of and, by exercising reasonable diligence, would not have known of
  • Category 2: A violation due to reasonable cause and not to wilful neglect (the CE knew, or should have known, of it but did not act with wilful neglect)
  • Category 3: A violation resulting from “wilful neglect” of HIPAA Rules that was corrected within 30 days of the CE becoming aware of it
  • Category 4: A violation resulting from wilful neglect that was not corrected within 30 days

If the CE in question could not have been expected to avoid a data breach, a so-called “unknown violation”, it may seem unreasonable for the CE to be fined. In these circumstances, OCR has the power to waive the penalty so that the organisation is not punished unfairly.

HIPAA Violation Penalty Structure

There is a distinct penalty range for each category of violation. It is for OCR to determine a financial penalty within the appropriate range following its investigation of the incident. OCR considers a wide range of factors when setting the penalty: the length of time over which the violation occurred, the number of people affected, the nature of the data exposed, the financial means of the organisation, and how much harm the breach caused. An organisation's willingness to cooperate with the OCR investigation, and any prior history of HIPAA violations, are also taken into account. Fines are issued per violation category, per calendar year in which the violation persisted, with an annual cap of $1,500,000 per category. The figures below are the amounts set by HITECH; since 2016 they have been adjusted annually for inflation.

The tiers are as follows:

  • Category 1: Minimum fine of $100 per violation up to $50,000
  • Category 2: Minimum fine of $1,000 per violation up to $50,000
  • Category 3: Minimum fine of $10,000 per violation up to $50,000
  • Category 4: Minimum fine of $50,000 per violation

A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA rules, regardless of how minor the incident was or how insignificant the data involved is.

Fines may also be calculated by the number of days over which the violation persisted, instead of by the number of patients affected (as above). For example, if a CE has been denying patients the right to obtain copies of their medical records, and has been doing so for a period of one year, OCR may decide to apply a penalty for each day that the CE was in violation of the law. In that case the penalty would be multiplied by 365.

Criminal Penalties for HIPAA Violations

A HIPAA violation can also result in criminal charges against the individual(s) responsible if PHI was knowingly obtained or disclosed in violation of the Act. Criminal cases are prosecuted by the Department of Justice, not OCR, and may proceed alongside civil financial penalties. The criminal penalties have their own tiers: up to $50,000 and one year in prison for knowingly obtaining or disclosing PHI; up to $100,000 and five years if the offence is committed under false pretences; and up to $250,000 and ten years if it is committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm. A judge considers the facts of each case and sets the term and fine within the applicable tier, taking a number of general factors into account. If an individual has profited from the theft, access or disclosure of PHI, the proceeds may have to be forfeited in addition to payment of a fine.

Penalties for HIPAA Non-Compliance

Even if a data breach has not occurred, covered entities and their business associates are liable to be fined for violating HIPAA's requirements. If an audit is performed by OCR and the CE or BA is found not to have complied with the HIPAA regulations, OCR has the authority to issue penalties for non-compliance. It is therefore critical that an organisation is fully aware of its responsibilities under HIPAA and remains compliant with its regulations at all times. Ignorance is not an acceptable excuse, and neglect is punishable by severe financial penalties.

In order to assess how well healthcare organisations were following HIPAA regulations, OCR commenced a pilot programme of compliance audits in 2012. Previously OCR usually became aware of HIPAA violations only in the aftermath of a breach; the audits gave organisations an incentive to remain compliant with HIPAA at all times. The results of the pilot programme revealed that many organisations were failing to implement even the most basic requirements of HIPAA's Rules. OCR issued an action plan to help the audited organisations achieve compliance, and announced that a second round of audits would take place (the Phase 2 audits, conducted in 2016 and 2017). It was widely expected that the second round would not be as lenient as the first.

Conclusions

HIPAA is a complex piece of legislation, and ensuring that every piece of it is followed is a costly and technically difficult task. If there is any doubt that a certain practice within an organisation is HIPAA-compliant, it is advised that legal counsel be sought. There are many organisations that provide HIPAA compliance checklists, or HIPAA compliance software.