What is HIPAA Compliance?
Before addressing HIPAA compliance, it is first important to understand what HIPAA legislation is. HIPAA, or the Health Insurance Portability and Accountability Act, was signed into law in 1996 with the original objective of making it easier for employees to transfer health plans between employers. Alongside this development came the move towards the digitization of health data. Through the HITECH Act, HIPAA encouraged this transition, though at the time there was no adequate legislation to ensure the protection of the data. Thus, HIPAA was amended and adapted over a number of years to fill this governance gap.
HIPAA defines two major parties tasked with protecting protected health information (PHI). Covered entities (CEs) are defined as healthcare providers, health plans, healthcare clearinghouses and other related parties that create, store or transmit PHI. Employers are not usually considered to be CEs, though they do often keep copies of employee health records.
The second party specified by HIPAA is the “business associate” (BA). BAs are any party that is contracted to provide a service to the CE, such as legal advice, IT contractors, accountants etc.. To qualify as a BA, the work must directly or indirectly give the workers access to PHI. BAs and CEs must sign a Business Associate Agreement that establishes how and when PHI will be accessed, used and processed. To be HIPAA-compliant, BAs must have such an agreement in place.
What is PHI?
As stated above, PHI is any piece of information that could betray the identity of the owner. These “identifiers” thus pose a risk to the privacy of the patient. Examples of PHI-indetifiers are as follows:
- Phone number and other contact details
- Social Security numbers
- Medical records
- Bank account details
- IP address
- Device identifiers
- Fingerprints/retinal prints
- License plates
- Insurance numbers
- The main stipulation of HIPAA is that PHI must be protected using every feasible safeguard. Thus, to ensure full HIPAA compliance, healthcare employees must have a detailed knowledge of what counts as PHI, but also what counts as a breach of PHI integrity.
What are some common HIPAA violations?
Even if an organisation trains its employees to the fullest and enacts every possible safeguard, HIPAA violations can still occur. Often, they are the result of human error (accidental breaches), but as healthcare data gains increasing value on the black marker, a greater number of breaches are deliberate.
HIPAA violations may result from the following:
- Failure to sign a BAA
- Failure to conduct an organisation-wide risk assessment
- Deliberate sharing of PHI
- Failure to adequately protect PHI from cyberattacks
- Failure to report breaches of PHI in a timely manner
Negligence and thoughtlessness can have disastrous results. Leaving a document containing PHI on a desk in clear view of passer-bys, for example, could lead to someone stealing that information. The Office for Civil Rights – the government body responsible for enforcing HIPAA legislation – does not consider ignorance or thoughtlessness as adequate excuses for HIPAA non-compliance and will still levy hefty penalties against the negligent party.
Of course, there are exceptions to every rule. PHI breaches that are the result of cyberattacks are not generally considered to be the fault of the CE or BA, provided adequate safeguards were in place before the attack.
What are “addressable” requirements?
Much of the confusion surrounding HIPAA legislation comes from its relatively vague wording. One phrase in particular causes much frustration: “addressable requirements”. Every safeguard labelled as such is entirely necessary, but back when HIPAA was being written it was acknowledged that technology would fast render any specific legislation redundant.
Thus, rather than naming any one technology as mandatory, HIPAA instead terms them “addressable”. If a different technology can provide the same, or better, levels of protection it can be used. If a CE or BA can show this via a risk assessment or report, they can use the alternate safeguard. For example, passwords are described as an addressable requirement. HIPAA does not specify the use of passwords, but rather states that safeguards should be used that “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Other technologies, such as two-factor authentication, offer the same degree of protection as passwords.
In fact, many experts now claim that two-factor authentication is now safer than passwords. When a user tries to log onto a server, they will receive a message containing a one-time password or PIN code. This can only allow access to the server when it is used with the correct username.
What are HIPAA Rules?
Since HIPAA was created, a number of rules have been added to the legislation addressing different aspects of privacy and PHI security.
The Privacy Rule establishes standards for the disclosure of PHI. It guides healthcare professionals on how, when, and with whom PHI should be disclosed. It employs the “minimum necessary” rule, stipulating that whenever PHI is disclosed it should be done so that the minimum amount of information possible needed to accomplish a task is passed on. Additionally, under the Privacy Rule patients and their representatives can access their health records and amend them if necessary. To be HIPAA-compliant, CEs and BAs must respond to this request within 30 days. If PHI is going to be used, a Notice of Privacy Practices must be issued.
HIPAA Security Rule: The Security Rule stipulates the standards to safeguard ePHI. Anybody that can read, write, edit or transfer the ePHI or personal identifiers must follow these standards. The primary technical safeguard encryption to NIST standards once the data goes outside the company’s firewall. However, other appropriate measures include the introduction of audit controls for anyone who accesses the data and automatic logoff from a system.
Physical safeguards may relate to how workstations are set up (e.g. computer screens cannot be seen from a public area) or maintaining a thorough inventory of hardware. Administrative safeguards unite the Privacy Rule and the Security Rule. It requires a Security Officer and Privacy Officer to oversee procedures and conduct regular risk assessments. These assessments aim to identify any ways in which HIPAA-compliance could be breached and build a risk management policy off the back of this.
Breach Notification Rule: If the integrity of the PHI has been breached, the CEs must notify the patients and the Department of Health and Human Services. This must be within 60 days of the discovery of the breach. The media must also be informed if more than 500 patients are affected. If there are fewer patients affected, a report on the OCR website is published.
Omnibus Rule: A later addition, the Omnibus Rule addresses areas that were previously omitted in HIPAA legislation. It tiered civil penalties as per the Health Information Technology for Economic and Clinical Health (HITECH) Act, changed the harm threshold and banned the use of ePHI for marketing, amongst other things.
The charges of business associates were also amended by the Omnibus Rule. Business associates must now update their Associate Agreements, change privacy policies to be HIPAA-compliant and train staff in privacy protocol.
Enforcement Rule: Should a breach of PHI occur, the Enforcement Rule lays out how any subsequent investigations into the breach will be conducted. Fines are then levied based on the level of negligence. For example, if it is determined that HIPAA was violated due to ignorance, a fine of up to $50,000 can still be levied against the negligent party. If the violation was because of willful neglect and not rectified within 30 days, a fine of $50,000 may be charged. Victims may also file civil lawsuits.
What are some threats to HIPAA compliance?
The major threat to HIPAA compliance across all parts of the healthcare sector is human error. No matter how comprehensive a company’s privacy practice is, employees are still liable to make mistakes. This is particularly true with the rise in “Bring Your Own Device” policies, where organisations no longer provide work devices to their employees, but instead ask them to supply their own. It is estimated that over 80% of healthcare employees use personal devices in their day-to-day workflow. Worryingly, the Health Information Trust Alliance estimated that 40% of HIPAA violations were due to the theft of such devices.
Even though they form a relatively minor threat, hackers and cybercriminals should not be taken any less seriously. This is in part due to the scale of the crimes they commit: whilst a lost laptop may contain the medical files of a few dozen patients, a company server will have the records of thousands of patients. To help minimise this risk, healthcare professionals should be wary of emails from unknown senders. A common trick is to encourage recipients to download software that is actually ransomware or surveillance malware. Providing the adequate safeguards were in place, hacks and cyberattacks do not qualify as HIPAA non-compliance, though they are still reportable breaches. The OCR estimates that each year just over half of PHI breaches are due to cyberattacks.
To protect against some of these external threats, many CEs and BAs, will elect to use a secure messaging service. These apps are designed so that they can be downloaded and used on any personal device, regardless of its operating system. They allow the user access to messages, patient data, scans, test results and billing information. Any message sent using these apps is encrypted, so that even if they are hacked they cannot be read by the hacker.
Additionally, most secure messaging services will have in-built mechanisms that prevent PHI being transferred outside of the CE’s private network. This means that if an employee wants to sell PHI in a bit to make a profit, it cannot go past the company’s firewall. Other safeguards afforded by these apps include a lifespan for each message and the ability to remotely delete data if an appliance is lost.
HIPAA compliance: training is key
The best way to ensure that employees comply with HIPAA regulations is to ensure that they receive comprehensive training. This training should be tailored to the level of responsibility of the employee, focussing on key aspects of their work. For example, nurses do not need to receive extensive training on how HIPAA relates to billing. Conversely, accountants don’t need to learn about the minimum necessary rule.
To help guide CE’s and their business associates on training best practice, we have compiled a list of helpful training tips that can be used when designing courses.
Top Training Tips
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training.
Do design training sessions so that each session will be short and focussed. Not only will this help employees fit training into their schedules, but it will help attendees concentrate and retain more information. This will help prevent further breaches. Remember: ignorance is not considered an excuse for PHI breaches.
Do ensure employees are trained regularly and training plans are kept up-to-date. Each session should focus on a different aspect of training, remind employees of the most important aspects of the regulation. These sessions should, at minimum, be conducted annually.
Do notify employees of the consequences of HIPAA non-compliance, be they consequences for the company of the patient whose data was lost. Consequences include fines and legal action against the CE, or a loss of privacy for the patient affected. Emphasising these consequences can incentivise employee compliance.
Do offer training for all levels of staff, right up to higher management. Every member of staff is liable to make mistakes, so just because someone is high up in the organisation does not mean they should be immune from training days. Regardless, a lack of training provided to higher levels reflects poorly on the CE in an audit.
Do maintain comprehensive records of when the training occurred, who was involved and what information was presented to staff. If the OCR carries out an audit, or a breach occurs and an investigation is needed, this information will be critical.
Don’t just read out long passages from HIPAA. Explaining legal jargon and summarising important pieces of information will help employees understand what HIPAA is and why it’s important. Try to ensure that participants both know the required legislation but also understand how to enact it in their day-to-day roles.
Don’t go over the history of HIPAA, how it came to be or why it was introduced – it is not essential information. Rather, starting with such information is likely to cause participants to lose focus before you even begin.