Why was HIPAA created?
The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation in the United States healthcare industry. Enacted by Congress in 1996 and signed into law by President Bill Clinton, HIPAA was initially designed to address the issue of health insurance coverage for people who were between jobs. Without HIPAA, individuals who found themselves in these circumstances would be left without health insurance, and potentially unable to pay for critical healthcare.
HIPAA later became synonymous with the introduction of industry-wide standards of patient data protection in the United States healthcare industry. HIPAA introduced strict rules regarding the safeguarding of protected healthcare information (PHI). Hackers and others with criminal intent may attempt to access PHI to use it for nefarious purposes such as identity theft. Fraud can have long-lasting and devastating effects for its victims. One of HIPAA’s primary purposes is to require organisations to improve the level of security placed on sensitive data.
If the regulatory authority finds an organisation in violation of HIPAA’s rules, they are authorised to levy hefty financial penalties against the organisation. These penalties act as significant deterrents to organisations who may otherwise ignore HIPAA’s Rules.
HIPAA is a comprehensive legislative act incorporating the requirements of several other legislative acts, including the Public Health Service Act, Employee Retirement Income Security Act, and more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The Privacy Rule
The Privacy Rule of 2003 regulates the use and disclosure of protected healthcare information (PHI) held by “covered entities” (CEs) and their business associates (BAs). The term “covered entity” does not only cover healthcare organisations but other related facilities such as healthcare clearinghouses and providers of healthcare plans. The Privacy Rule was created with the goal of protecting the private information of healthcare patients from access by unauthorised individuals while simultaneously allowing for the efficient disclosure of PHI to parties with permission to use it.
The Privacy Rule aims to protect what is known as “Individually Identifiable Health Information”; information which can be used to reveal the identity of the patient. This covers a wide range of data; names, addresses, date of birth, Social Security numbers, credit card and billing information, vehicle registration plate numbers, examples of a patient’s handwriting, and videos and images of the patient’s injuries which may show an identifiable body part.
The Privacy Rule only allows healthcare organisations to disclose information to third parties after receiving the patient’s permission to do so. This Rule covers all cases, except when the disclosure to a third party is related to a healthcare operation, treatment, or payment for a service. Even when PHI is disclosed to another party, those offering the PHI must abide by the “Minimum Necessary Rule” and only disclose just the PHI necessary for the task at hand.
The Security Rule
The HIPAA Security Rule (2003) deals specifically with electronic PHI (ePHI). However, its rules still apply to physical PHI. It was created to establish national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a CE. The Security Rule mandates that appropriate safeguards should be used by CEs to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule does not introduce rigorous and strict guidelines that all CEs must adopt; it allows for each organisation to assess their situation and determine what safeguards are most appropriate for their practices and customers.
The Security Rule breaks down the types of safeguards which must be adopted into three categories:
- Administrative safeguards pertain to policies and procedures designed to show how the entity will remain HIPAA compliant clearly.
- Physical safeguards require the physical protection of data such that unauthorised individuals may not access it.
- Technical safeguards include controlling access to computer systems and the protection of communications containing PHI which is being transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
The Breach Notification Rule
The Breach Notification Rule of 2009 covers the requirement of HIPAA CEs to provide notification following a breach of PHI. HIPAA defines a breach as an unauthorised individual compromising the security of PHI. The Breach Notification Rule states that covered entities must provide notification of the breach to affected individuals, the Secretary, and, if the breach is of a significant scale, to the media. The Rule also covers business associates, who must notify covered entities if a breach occurs at or by the business associate.
The Breach Notification Rule requires those affected by the breach to be notified that their PHI has been compromised without “reasonable delay”, and no later than 60 days after the breach has occurred. If a significant number of individuals cannot be contacted, then the breach must be advertised on the company’s website for 90 days after its discovery. If the breach occurs at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. If the breach affects more than 500 individuals in a State or jurisdiction, then the media must be notified of the breach.
The Enforcement Rule
This rule was introduced in March 2006 to address the consequences of CEs failing to comply with the HIPAA Privacy and Security Rules. The Enforcement Rule gave the Department of Health and Human Services (HSS) the power to investigate complaints made against CEs for failing to comply with the Privacy Rule. If it was found that a security breach occurred due to the CE failing to implement the safeguards outlined in the Security Rule, the Enforcement Rule granted the HSS power to fine the CE in question for the violation.
The Rule grants the HSS’s Office for Civil Rights (OCR) the ability to bring criminal charges against CEs who repeatedly violated HIPAA, and failed to introduce corrective measures within 30 days of an offence being highlighted. The Enforcement Rule also gave more power to individuals; if their PHI was disclosed without their permission, resulting in “serious harm” done to them (for example, causing them to become a victim of identity fraud), the Enforcement Rule grants the individual the right to pursue civil legal action against the CE.
The Final Omnibus Rule
The Final Omnibus Rule of 2013 is the most recent addition to HIPAA. Unlike the other rules, it does not introduce any new legislation, was designed to remove any ambiguity in existing HIPAA and HITECH regulations. For example, the Final Omnibus Rule specified encryption standards. It also introduced new administrative standards to reflect the fact that technological advances have changed how PHI is transmitted and shared between healthcare professionals. Workplaces across all industries have changed since 1996, most notably with the introduction of new technologies. The Final Omnibus Rules was introduced to make the implementation of HIPAA more robust to these changes.
The rule included several definitions to improve the clarity of the language used in the Act. For example, the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.
The Basic Requirements for HIPAA Compliance
Organisations should perform regular and thorough risk assessments to assist them in achieving full compliance with HIPAA. These assessments will help them in identifying potential areas for improvement in an organisation, as well as highlighting areas that are particularly vulnerable to breaches; an organisation can create a more robust security framework. HIPAA’s documentation does not provide any specific guidance on what should be addressed in a risk assessment. However, HHS’s OCR has set a list of objectives that should be met in performing the risk assessment.
- Identify the PHI that is created, received, stored and transmitted – including PHI shared with consultants, vendors and Business Associates.
- Identify the human, natural and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
- Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
- Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
- Document the findings and implement measures, procedures and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
- The HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.
These may be adapted based on the size of an organisation, what types of data they deal with, and other such factors.
HIPAA and Encryption
In this data age, one of the most important safeguards that an organisation can place on data is encryption. This can prove vital to preventing unauthorised individuals from gaining access to sensitive data.
Encryption renders ePHI unreadable and undecipherable unless the user has a specific key or code to decrypt the data. If a portable device containing encrypted ePHi is stolen, and the code or key to decrypt the data is not also obtained, the data cannot be viewed. In general, HIPAA deliberately does not mention any specific technologies so that its legislation does not become defunct with any new scientific advances. However, the Security Rule does mention data encryption as an addressable specification. HIPAA- covered entities must consider using encryption, but it is not mandatory for ePHI to be encrypted at rest or in transit.
HIPAA-covered entities should conduct a risk analysis and determine which safeguards are the most appropriate given the level of risk and their workflow.
If the CE decides not to use encryption, and instead implement an alternative safeguard, they must prove that it is reasonable and appropriate and provides an equivalent level of protection. They must document the decision not to use encryption and the alternative safeguards that were used in its place.
If the decision is taken to encrypt data, HIPAA-covered entities should use an appropriate encryption standard. The National Institute of Standards and Technology (NIST) recommends Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.