The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the federal law that created national standards for protecting sensitive patient health information from being disclosed without the patient’s knowledge or consent. Read more about this US regulation and find out how to comply.
In this article you will learn:
- What is HIPAA
- The Purpose of HIPAA
- The Scope of HIPAA
- HIPAA Rules
- The Rights of Individuals
- HIPAA Violations
- How to Secure Your Data For HIPAA Compliance
- How Safetica Secures Your Data For HIPAA Compliance
- Customer Stories: How Safetica Helps in Healthcare
The Health Insurance Portability and Accountability Act (HIPAA) was primarily about solving insurance coverage for individuals that are between jobs. Without this law, employees would have faced the risk of losing their insurance coverage for the period between jobs.
Another goal was to ensure that all data is properly secured and no unauthorized individuals can access healthcare data.
HIPAA applies in the United States and is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR).
The HIPAA was created in order to modernize the flow of healthcare information and to make sure that Personally Identifiable Information gathered in healthcare and insurance companies are protected against fraud and theft, and cannot be disclosed without consent.
Patients' healthcare information is treated more sensitively and can be quickly accessed by various healthcare providers. HIPAA regulations require that records are better secured and protected against leakage. HIPAA Journal ,a great source for HIPAA regulations and compliance info, has a comprehensive checklist for companies during their journey for compliance.
Any company or individual that works with Protected Health Information (PHI) needs to be compliant with HIPAA. PHI is created when any health data is combined with personally identifiable information, such as the following:
- Geographical identifiers
- Phone and fax numbers
- Email addresses
- Medical record numbers
- Account numbers
- Vehicle information
- Website URLs
- Fingerprints, retinal and voice prints
- Social security numbers
- Health insurance beneficiary numbers
- Certificate and license numbers
- Device information, IP addresses
- Full face photographs
When PHI is stored electronically, it’s called ePHI.
There are several entities that regularly work with Protected Health Information and therefore must follow The Health Insurance Portability and Accountability Act:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
- Business associates
HIPAA consists of the following rules:
- Privacy Rule
- Security Rule
- Breach Notification Rule
- Rule for everyone
- Enforcement Rule
HIPAA Privacy Rule
The Privacy Rule defines how, when and under what circumstances PHI can be used and disclosed. Without a patient’s prior consent, the use of information about the patient is limited. Patients and their representatives are allowed to obtain a copy of their health records and request corrections in case of errors.
HIPAA Security Rule
The Security Rule sets standards to protect ePHI. The Security Rule must be followed by anyone who works with ePHI. Security Officers and Privacy Officers must perform risk assessments and audits to identify any threats to PHI integrity.
Breach Notification Rule
The Department of Health and Human Services must be notified in case of a data breach, as must the affected individuals. If more than five hundred patients in a particular jurisdiction are affected, a press release must be issued in a news outlet covering the area.
The Omnibus Rule is a part of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) that came into force in 2009 and was created to encourage the use of electronic health records by healthcare providers.
The Omnibus Rule prohibits the use of PHI for marketing or fundraising purposes without authorization.
The Enforcement Rule is about determining the appropriate fine when a breach occurs. A fine can be lower in case of negligence, however if the violation happens due to willful neglect it can be much higher.
Within the HIPAA Privacy Rule, individuals have the legal right to see and receive copies of medical information.
Individuals have the right to:
- Access PHI
- Amend PHI
- Request restriction on who uses PHI and how it is disclosed
- Request confidential communications
- Request accounting of disclosures
- File a complaint
Even though patients have the right to access their records, some types of information are excluded from the Right to Access. The following information is excluded:
Excluded information is the following:
- Quality assessment or improvement records
- Safety activity records
- Business and management records
- Psychotherapy notes
- Information compiled for use in civil, criminal, or administrative action or proceedings
A HIPAA violation occurs when a HIPAA entity or a business associate fails to comply with any of the HIPAA Rules. Penalties for HIPAA violations are issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. HIPAA uses four categories of penalties:
- Tier 1: Lack of Knowledge
The entity was not aware of the violation; therefore, it could not have been avoided. The penalty per such violation is $120—$30,113.
- Tier 2: Reasonable Cause
The entity should have been aware of the violation, however, could not have avoided it. The penalty per such violation is $1,205—$60,226.
- Tier 3: Willful Neglect
The entity willfully neglected HIPAA Rules, but tried to correct the violation. The penalty per such violation is $12,045—$60,226.
- Tier 4: Willful Neglect and not corrected
The entity willfully neglected HIPAA Rules and didn’t make any attempt to correct the violation. The penalty per such violation is $60,226—$1,806,757.
Keeping unsecured records
Employees leave sensitive documents at their desks or don’t use passwords to access digital data. Make sure that the workspace is secured, and passwords are used at your company.
Encryption of your data is not mandatory by HIPAA, but it is highly recommended. Even if data is leaked, when it is encrypted it can’t be accessed without authorization.
Hacking or phishing campaigns
Keep your anti-virus software up to date, regularly change passwords and use a DLP solution to protect your data against leakage.
Loss or Theft of Devices
Valuable devices can be lost in the blink of an eye. Encrypt your data, so even if a device is lost, no one unauthorized can access it.
Always keep in mind that people like to talk. Very often employees don’t even realize that they have been sharing sensitive information with each other. Educate them about sensitive data handling, and make sure that only authorized individuals can access the data.
Lack of employee training
Employees might not even realize that they have been working with PHI and the violation can be harmful to both the company and patients. Educate them regularly and make sure they understand what PHI and HIPAA are, as well as the consequences of violation.
Employees who are not authorized to process sensitive information can still access it and go through the documents. Set the proper security policies and make sure your employees are aware of them.
As you can see above, violations often stem from mistakes made by employees, whether they lose a device, click on a phishing campaign, or just talk with their colleagues about patients. HIPAA violations can happen easily. Insider threats can be either unintentional or malicious. However, 56% of insider threat incidents are caused by negligent employees.
And according to Ponemon Institute, the average total cost of a data breach for healthcare companies jumped 29% to $9.23 million. Health and pharmaceuticals are among the industries with the highest annual insider threat costs, at over $10M per year (Ponemon Institute, 2022).
- Adopt security policies and define authorized employees to access your PHI
- Use a DLP solution to protect your data against insider threats and to enforce security policies.
- Educate your employees on a regular basis
- Secure your workplace, adopt policies on how to work with sensitive documents
- Safetica encrypts your data and keeps it protected in case of device loss or theft.
- Safetica is a DLP solution that protects your data against insider threats. Define which operations can be risky and block them or make Safetica notify you and your employees about potential risks.
- With Safetica it is easy to adopt security policies and define authorized employees that can work with PHI. You can set your security policies and monitor whether your company’s sensitive data is being misused, and only allow authorized individuals to access it.
- Educate your employees on a regular basis. Safetica notifies your employees in the event of risky operations, so they are more aware of data security.
- Secure your workplace, and adopt policies on how to work with sensitive documents. Safetica performs security audits and provides you with regular reports that allow you to adjust your security policies.
Gyncentrum Clinic protects their clients' sensitive data with Safetica. Read more here.
Our staff, both administrative and medical, has access to our patients’ sensitive data on a daily basis. These are personal and medical information, examination results and psychological evaluations. Thanks to Safetica, I can, as the person responsible for data protection in the clinic, decide who has access, how data is processed and whether it can be shared with third parties or not. Employees’ activities are reported, and patients’ data protected.
Says Paweł Czerwiński, Owner of Gyncentrum.