Healthcare organizations are no strangers to HIPAA, the Health Insurance Portability and Accountability Act of 1996. Covered entities, the organizations responsible for maintaining HIPAA compliance, include Health Plans, Health Care Providers, and Health Care Clearinghouses. For context, the federal government passed HIPAA as a mechanism to lower the cost of healthcare and improve efficacy by encouraging healthcare providers to conduct business via secure electronic transactions. The objective was to increase public trust in healthcare institutions and insurance adoption among US citizens. To that end, HIPAA required national standards to protect patient information from being disclosed without the patient's consent or knowledge.
Everyone employed by a covered entity or associated business who has access to PHI or ePHI is responsible for maintaining proper HIPAA compliance. However, the security and governance of an organization’s HIPAA compliance fall on the shoulders of executive staff, specifically, the CIO, CISO, Chief Privacy Officer, and Compliance Officer.
As the Compliancy Group carefully points out, the HIPAA rules don’t explicitly state what constitutes a ‘safeguard’ under the Security Rule. Instead, CISOs, CIOs, and compliance teams are tasked with determining what is ‘reasonably appropriate’ for the organization, customizing security and compliance safeguards to align with both HIPAA and the business needs.
HIPAA governs Protected Health Information (PHI): any identifiable health information that is combined with at least one individual identifier and is held or transmitted by a covered entity is subject to the HIPAA rules. When PHI is processed, transmitted, or stored electronically, it becomes ePHI.
We’ve all been to the doctor’s at some point; you filled out an intake form by providing personally identifiable information (PII) and identifiable health information (HI), i.e., your name, DOB, family and personal medical history, etc. The information from the intake form and your appointment is protected by HIPAA, making the covered entity, in this case your doctor and their practice, liable for the privacy, security, and confidentiality of your information.
All PHI is covered by the HIPAA Rules.
3 Key HIPAA Rules:
The U.S. Department of Health & Human Services (HHS) considers Cloud Service Providers (CSPs) to be business associates under HIPAA, as they process and/or store ePHI. Using a public or private cloud therefore requires healthcare organizations or covered entities to enter into a HIPAA-compliant business associate agreement (BAA). The BAA holds both the covered entity and the CSP liable for compliance with the HIPAA Rules. All parties involved are responsible for maintaining the confidentiality, integrity, and availability of ePHI.
The Security Rule is implemented through administrative, technical, and physical safeguards, but as stated above, the specific safeguards are left to each organization’s judgment. At a minimum, covered entities are required to:
An exhaustive Security Rule checklist is available from the HIPAA Journal.
The lines of responsibility for safeguarding ePHI in the cloud are blurry. Best practices for cloud implementations require factoring in the shared responsibility model between the CSP and the covered entity. Shared responsibility delineates which party is responsible for the configuration and management (updating and patching) of all services, networks, and hardware associated with the public/private cloud.
For example, “AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.” (AWS Shared Responsibility Model) In the case of EC2 instances, covered entities are responsible for all necessary security configuration and management tasks. Any guest operating systems or third-party applications deployed in AWS are also the covered entity’s responsibility.
HIPAA violations, accidental or not, lead to time-consuming investigations and costly penalties, and can tarnish your organization’s reputation with customers. Violations are investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and then published to the public Breach Portal. Fines range from $100 to $50,000 per violation, with the largest HIPAA fine to date being $16M. Employees who are involved in HIPAA violations could be subject to termination, sanctions from professional boards, and the risk of criminal charges.
Penalties:
From individual liability to organization penalties, HIPAA violations have major impacts.
Automate:
Monitor:
Orchestrate:
Assume you’ve already been breached:
For more granular details on HIPAA and advice on staying compliant, download The 10 Secrets to Staying HIPAA Compliant.
| RISK | SOLUTION |
| --- | --- |
| Data sprawl: ePHI is in a widely accessible data store and not correctly classified | |
| Editing/removing ePHI: certain teams can edit or remove ePHI, or PII and HI are added to the same data table | |
| Data store misconfigurations: lack of data encryption or backups can lead to violations | |
| De-identified data edited: if de-identified data is accidentally edited and not re-validated by a qualified statistician, a violation can occur | |
Request a demo to see how the platform detects and enables HIPAA violation prevention.