Healthcare organizations are no strangers to HIPAA, the Health Insurance Portability and Accountability Act of 1996. Covered entities, the organizations responsible for maintaining HIPAA compliance, include Health Plans, Health Care Providers, and Health Care Clearinghouses. For context, the federal government passed HIPAA as a mechanism to lower the cost of healthcare and improve efficiency by encouraging healthcare providers to conduct business via secure electronic transactions. The objective was to increase public trust in healthcare institutions and insurance adoption among US citizens. Thus, HIPAA required national standards to protect patient information from being disclosed without the patient’s consent or knowledge.
Who’s Responsible for HIPAA Compliance?
Everyone employed by a covered entity or associated business who has access to PHI or ePHI is responsible for maintaining proper HIPAA compliance. However, the security and governance of an organization’s HIPAA compliance fall on the shoulders of executive staff, specifically, the CIO, CISO, Chief Privacy Officer, and Compliance Officer.
As the Compliancy Group carefully points out, the HIPAA rules don’t explicitly state what constitutes a ‘safeguard’ under the Security Rule. More accurately, CISOs, CIOs, and Compliance teams are tasked with determining what is ‘reasonably appropriate’ for the organization, customizing security and compliance safeguards to align with both HIPAA and the business needs.
HIPAA governs Protected Health Information (PHI): any identifiable health information combined with at least one individual identifier, held or transmitted by a covered entity, is subject to the HIPAA rules. When PHI is processed, transmitted or stored electronically, it becomes ePHI.
We’ve all been to the doctor’s at some point; you filled out an intake form by providing personally identifiable information (PII) and identifiable health information (HI), e.g., your name, DOB, family and personal medical history. The information from the intake form and your appointment is protected by HIPAA, making the covered entity (in this case, your doctor and their practice) liable for the privacy, security, and confidentiality of your information.
All PHI is covered by the HIPAA Rules.
3 Key HIPAA Rules:
- The Privacy Rule—Grants individuals or patients rights over their PHI, allowing them to give or deny consent to share it. The rule also specifies permitted uses of PHI, requires uses and disclosures to be limited to the minimum necessary, and informs covered entities of the penalties for violations.
- The Security Rule—All covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit. This includes identifying and protecting against anticipated threats, such as cyber attacks, insider threats and accidental PHI misuse, and ensuring workforce compliance.
- The Breach Notification Rule—Covered entities that identify a breach, or any compromise of the security or privacy of PHI, must notify affected patients within 60 days of identifying the breach, inform the media if more than 500 individuals are impacted, and inform the Secretary of Health and Human Services.
The Security Rule & Cloud
The U.S. Department of Health & Human Services (HHS) considers Cloud Service Providers (CSPs) to be business associates under HIPAA, as they process and/or store ePHI. Using a public or private cloud requires healthcare organizations or covered entities to enter into a HIPAA-compliant business associate agreement (BAA). The BAA holds both the covered entity and the CSP liable for compliance with the HIPAA Rules. All parties involved are responsible for maintaining the confidentiality, integrity and availability of ePHI.
The Security Rule can be satisfied through administrative, technical, and physical safeguards, but as stated above, the specific safeguards are left to each organization’s judgment. At a minimum, covered entities are required to:
- Implement security and risk management processes
- Designate a security official responsible for implementing the Security Rule policies and procedures (CISOs, that’s most likely You)
- Create processes and access control measures to limit ePHI access to only authorized employees
- Train employees on HIPAA and security policies
- Implement firewalls, encryption, and data backups
- Create policies and procedures for security incidents, including audit controls, data usage monitoring
- Implement transmission security controls to prevent unauthorized access to ePHI while it is transmitted over the network
An exhaustive Security Rule checklist is available from the HIPAA Journal.
The lines of responsibility for safeguarding ePHI in the cloud are blurry. Best practices for cloud implementations require accounting for the shared responsibility model between the CSP and the covered entity. Shared responsibility delineates which party is responsible for the configuration and management (updating and patching) of all services, networks, and hardware associated with the public/private cloud.
For example, “AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.” (AWS Shared Responsibility Model) In the case of EC2 instances, covered entities are responsible for all necessary security configuration and management tasks. Any guest operating systems or third-party applications deployed in AWS are also the covered entity’s responsibility.
Common Cloud-based HIPAA Violations
- Using PII to obtain HI → results in creating PHI
Data tables containing an individual identifier and health information are not dangerous when seen separately, but when joined together they form PHI, and exposing that joined result to someone not authorized to see it is a privacy violation. Example: Which diseases has Joe Smith been diagnosed with?
- Using HI to obtain PII → results in creating PHI
Querying health information in a way that returns PII. Example: Who’s recently been diagnosed with COVID-19?
- ePHI in an unencrypted data store → a violation of the Security Rule
- Creating, deleting, or editing ePHI by users who are not authorized to do so
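The first two violations above are about combining identifier columns with health columns, whether in one table or across a join. The following Python example, added here and not Dasera’s code, checks both cases: a schema audit that flags a table holding PII and HI together, and a query audit that flags a statement whose referenced columns answer questions like “which diseases has Joe Smith been diagnosed with?” or “who has been diagnosed with COVID-19?”. The column vocabularies, the sample schema, the sample queries and the treatment of patient_id as a surrogate join key are constructed assumptions for this example.

```python
"""
Added example (not Dasera's code): detect when a table or a query combines
individual identifiers with health information and so forms PHI.
The column vocabularies, the sample schema and the sample queries are
constructed for this example.
"""
import re

# Constructed vocabularies of column names. A surrogate key such as
# patient_id is treated as a join key here, not as an identifier; a real
# medical record number would itself be an identifier under HIPAA.
IDENTIFIER_COLUMNS = {
    "name", "first_name", "last_name", "dob", "date_of_birth", "ssn",
    "email", "phone", "address", "mrn",
}
HEALTH_COLUMNS = {
    "diagnosis", "icd10", "condition", "medication", "lab_result",
    "procedure", "test_result", "family_history",
}

# Constructed schema: identifiers (PII) and health data (HI) live in
# separate tables, except patients_full, where both were put in one table.
SCHEMA = {
    "patients": {"patient_id", "first_name", "last_name", "dob", "ssn"},
    "encounters": {"encounter_id", "patient_id", "diagnosis", "icd10"},
    "lab_orders": {"order_id", "patient_id", "test_result"},
    "patients_full": {"patient_id", "last_name", "dob", "diagnosis"},
}

# Table names following FROM or JOIN; aliases are ignored.
_TABLE_REF = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def classify_columns(columns):
    """Split column names into (identifier columns, health columns)."""
    cols = {c.lower() for c in columns}
    return cols & IDENTIFIER_COLUMNS, cols & HEALTH_COLUMNS


def table_holds_phi(table, schema=SCHEMA):
    """True when one table stores both an identifier and health data,
    i.e. PII and HI were added to the same table."""
    ids, health = classify_columns(schema[table])
    return bool(ids) and bool(health)


def audit_query(sql, schema=SCHEMA):
    """Report the identifier and health columns a query touches together.

    Any column of a referenced table that appears anywhere in the statement
    counts, whether selected or used in a predicate: filtering on a name and
    selecting a diagnosis still answers 'which diseases has Joe Smith been
    diagnosed with?'.
    """
    tables = [t.lower() for t in _TABLE_REF.findall(sql)]
    available = set().union(*(schema.get(t, set()) for t in tables))
    mentioned = {c for c in available
                 if re.search(rf"\b{re.escape(c)}\b", sql, re.IGNORECASE)}
    ids, health = classify_columns(mentioned)
    return {
        "tables": tables,
        "identifiers": sorted(ids),
        "health": sorted(health),
        "forms_phi": bool(ids) and bool(health),
    }


# Constructed sample queries (ICD-10 code U07.1 is COVID-19).
PII_TO_HI_QUERY = """
SELECT e.diagnosis
FROM encounters e
JOIN patients p ON p.patient_id = e.patient_id
WHERE p.last_name = 'Smith'
"""
HI_TO_PII_QUERY = """
SELECT p.first_name, p.last_name
FROM patients p
JOIN encounters e ON e.patient_id = p.patient_id
WHERE e.icd10 = 'U07.1'
"""
# An aggregate over health data alone exposes no identifier.
AGGREGATE_QUERY = "SELECT COUNT(*) FROM encounters WHERE icd10 = 'U07.1'"

if __name__ == "__main__":
    for name in SCHEMA:
        print(f"{name}: holds PHI = {table_holds_phi(name)}")
    for q in (PII_TO_HI_QUERY, HI_TO_PII_QUERY, AGGREGATE_QUERY):
        print(audit_query(q))
```

The query audit deliberately counts a column used only in a WHERE clause: a lookup by last name that returns a diagnosis discloses PHI just as surely as selecting both columns. A count grouped only by health data passes, which is the shape a de-identified analytics query should take.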
The Business Impact of HIPAA Compliance Violations
HIPAA violations, accidental or not, lead to time-consuming investigations and costly penalties, and can tarnish your organization’s reputation with customers. Violations are investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and then published to the public Breach Portal. Fines range from $100 to $50,000 per violation, with the largest HIPAA fine to date being $16M. Employees who are involved in HIPAA violations could be subject to termination, sanctions from professional boards, and the risk of criminal charges.
Penalties:
- $100 - $50,000 per violation
- $1,500,000 calendar year cap
- Up to $50,000 and 1-year imprisonment for a person who knowingly violates the Privacy Rule
- Up to $100,000 and 5 years imprisonment if the wrongful conduct involves false pretenses
- Up to $250,000 and 10 years imprisonment if the wrongful conduct involves intent to sell or transfer
From individual liability to organization penalties, HIPAA violations have major impacts.
Tips for Staying HIPAA Compliant
Automate:
- New data store discovery
- Data store misconfiguration detection
- ePHI detection in new data sets
Monitor:
- De-identified data sets for individual identifiers
- Limited data sets
- Creation of ePHI
- Permissions to ePHI
- All ePHI usage
- All modifications/deletions of ePHI
Orchestrate:
- Create workflows to notify the Data Owner, Security and Compliance teams of HIPAA violations
- Enforce global policies across data storage
Assume you’ve already been breached:
- Work with an unbiased and trusted security vendor to perform digital forensics and incident response (DFIR)
- Regularly test your infrastructure for vulnerabilities
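The automation and monitoring tips above come down to two checks that can run on a schedule: audit every known data store’s configuration, and scan data sets that are supposed to be de-identified for values that still look like individual identifiers. The Python example below, added here and not Dasera’s code, does both over a constructed inventory. The record fields (contains_ephi, encrypted_at_rest, backups_enabled, public_access, classification, write_principals), the identifier regexes and the sample rows are assumptions for this example; a real deployment would populate the inventory from the CSP’s configuration APIs rather than a hard-coded list.

```python
"""
Added example (not Dasera's code): audit a constructed inventory of data
stores for unencrypted, unbacked-up, widely accessible or unclassified ePHI
and for unapproved writers, and scan a 'de-identified' data set for values
that look like individual identifiers. Record fields, patterns and sample
data are assumptions made for this example.
"""
import re

# Constructed value patterns for a few HIPAA individual identifiers.
# A full date is an identifier; a bare year (dx_year below) is not.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def audit_store(store):
    """Return finding codes for one data store record (empty list = clean)."""
    findings = []
    if not store["contains_ephi"]:
        return findings                          # the rules only bite on ePHI
    if not store["encrypted_at_rest"]:
        findings.append("UNENCRYPTED")           # Security Rule: ePHI in the clear
    if not store["backups_enabled"]:
        findings.append("NO_BACKUPS")            # availability of ePHI
    if store["public_access"]:
        findings.append("PUBLIC_ACCESS")         # widely accessible data store
    if store["classification"] != "ePHI":
        findings.append("UNCLASSIFIED")          # data sprawl: ePHI not tagged
    if store["write_principals"] - store["approved_write_principals"]:
        findings.append("UNAPPROVED_WRITERS")    # teams that can edit/remove ePHI
    return findings


def audit_inventory(stores):
    """Map each store name to its findings."""
    return {s["name"]: audit_store(s) for s in stores}


def find_identifiers(rows):
    """Return (row_index, field, kind) for every identifier-like value in a
    data set that is supposed to be de-identified."""
    hits = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            for kind, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.search(str(value)):
                    hits.append((i, field, kind))
    return hits


# Constructed inventory: one clean ePHI store, one badly configured scratch
# bucket holding ePHI, and one store with no ePHI at all.
DATA_STORES = [
    {"name": "ehr-prod-db", "contains_ephi": True, "classification": "ePHI",
     "encrypted_at_rest": True, "backups_enabled": True, "public_access": False,
     "write_principals": {"ehr-app"}, "approved_write_principals": {"ehr-app"}},
    {"name": "analytics-scratch-bucket", "contains_ephi": True,
     "classification": "unclassified", "encrypted_at_rest": False,
     "backups_enabled": False, "public_access": True,
     "write_principals": {"analytics-team", "contractor"},
     "approved_write_principals": {"analytics-team"}},
    {"name": "marketing-site-db", "contains_ephi": False,
     "classification": "public", "encrypted_at_rest": False,
     "backups_enabled": True, "public_access": True,
     "write_principals": {"web-app"}, "approved_write_principals": {"web-app"}},
]

# Constructed 'de-identified' rows: row 0 is clean, rows 1 and 2 leak identifiers.
DEIDENTIFIED_ROWS = [
    {"age": 54, "zip3": "021", "dx_year": 2021, "diagnosis": "E11.9"},
    {"age": 37, "zip3": "100", "dob": "1987-03-14",
     "contact": "j.smith@example.com", "diagnosis": "U07.1"},
    {"age": 62, "zip3": "303", "callback": "617-555-0123", "diagnosis": "I10"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(DATA_STORES).items():
        print(name, findings or "clean")
    for hit in find_identifiers(DEIDENTIFIED_ROWS):
        print("identifier in de-identified data:", hit)
```

Each finding code maps to one item in the tips list, so the same output can drive the notification workflow to the data owner and the security and compliance teams. The identifier scan is intentionally value-based rather than column-name-based: the leaks that survive a de-identification step are usually values that ended up in a free-form or misnamed field.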
For more granular details on HIPAA and advice on staying compliant, download The 10 Secrets to Staying HIPAA Compliant.
Dasera Use Cases: Data-level HIPAA Violation Detection
RISK
- Data sprawl: ePHI is in a widely accessible data store and not correctly classified.
- Editing/removing ePHI: Certain teams can edit or remove ePHI, or PII and HI are added to the same data table.
- Data store misconfigurations: Lack of data encryption or backups can lead to violations.
- De-identified data edited: If de-identified data is accidentally edited and not re-validated by a qualified statistician, a violation can occur.
Request a demo to see how the platform detects and enables HIPAA violation prevention.