- HIPAA Historical Background
- Understanding the Tenets of The HIPAA Security Rule
- HITECH Expands on the Security Rule
- Violations and Security Breaches: What to Expect in Terms of Fines
- The Three Largest Healthcare Data Breaches in 2022 [1]
- Internal HIPAA Remediation Tips That May Assist Compliance Efforts
- Summary
- References
HIPAA Historical Background
HIPAA, the Healthcare Insurance Portability and Accountability Act, was signed into law in 1996. Its original intent was to create checks and balances around healthcare insurance coverage. Technological advances then brought a boom in electronic healthcare record (EHR) keeping and the expansion of cloud storage, which served as the platform for the monumental wave toward establishing patient privacy protections and safeguards. [1]
Consequently, Congress moved to contain the anticipated cost escalations by creating measures within HIPAA to help prevent these healthcare-related expenditures from being passed on to healthcare members. As electronic record transmissions increased, a further set of measures was introduced to tackle fraud, waste, and abuse within the healthcare system, in addition to adding protections against patient privacy violations. These protection measures are now encapsulated within the HIPAA Security Rule, which became enforceable on April 21, 2005. [1]
Understanding the Tenets of The HIPAA Security Rule
The HIPAA Security Rule applies to covered entities such as hospitals, insurance companies, healthcare providers and clearinghouses, but not to employment records. It defines three categories of safeguards for ePHI (electronic patient health information), which have been enforceable by the Office of Civil Rights (OCR) since July 27, 2009: [1]
Administrative Safeguards
- Risk Assessment
- Workforce Clearance
- Security Training
- Access Controls
- Contingency Planning
Physical Safeguards
- Monitoring physical access to devices maintaining ePHI
- Strengthening remote device security by using two-factor authentication
- Securing data back-up
- Locks on laptops and other accessible devices
- Security cameras
- Secure disposal of data and devices
Technical Safeguards
- Password Management
- Automatic Logoffs
- Data Encryption
- Cloud Management
- Audit Controls
- Secure Data Transmissions
- Firewall Management
- Audit Trails
- Entity Authentication
HITECH Expands on the Security Rule
In 2009, the HITECH (Health Information Technology for Economic and Clinical Health) Act initiated improvements to the HIPAA Security Rule, expanding its security measures to include secure methods of handling patient genetic information. [1,3]
HITECH introduced financial incentives to encourage covered entities to adopt secure electronic healthcare management systems, since at the time only 10% of hospitals were actively using EHR systems. To drive compliance, the initiative also brought stiffer penalties for violations and security breaches. [1]
Violations and Security Breaches: What to Expect in Terms of Fines
As of 2022, HIPAA violation fines are determined by the level of culpability:
| Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|
| Lack of Knowledge | $127 | $30,133 | $30,133 |
| Lack of Oversight | $1,280 | $60,973 | $121,946 |
| Willful Neglect | $12,794 | $60,973 | $304,865 |
| Willful Neglect not Corrected within 30 days | $60,973 | $1,919,173 | $1,919,173 |
A violation finding is typically aimed at correcting improper handling of patient health records. A cyber-attack breach, by contrast, usually involves malware or a sophisticated system intrusion through which patient information is leaked, extorted, or shared illegally. [1]
Further amendments to the HITECH Act, known as the Breach Notification Rule, define the actionable steps following a security breach and mandate the following:
- Breaches totaling 500 or more compromised patient records are to be reported to the HHS within 60 days of the discovery in addition to a press release to media outlets in the affected areas. [1]
- Breaches totaling less than 500 compromised records are to be reported by the end of the same calendar year. [1]
- Individual notices must be sent to the affected patients indicating the level of risk and the potential for compromise. [1]
*In 2022, there were 11 reported healthcare data breaches in which more than one million patient records were impacted. [1]
The Three Largest Healthcare Data Breaches in 2022 [1]
| Company Name | Number of Compromised Records |
|---|---|
| One TouchPoint, Inc., WI | 4,112,892 |
| Advocate Aurora Health, WI | 3,000,000 |
| Connexin Software Inc., PA | 2,216,365 |
The main vehicle for most external security breaches is malware, including file-encrypting attacks, that infiltrates the company’s main systems and gives attackers access not only to patient records but also to financial information, home addresses, and much more. This presents a conundrum for most business entities: as external hacking attempts become more sophisticated, the level of security must be raised to meet ever-increasing threats. [2,3]
This translates into seeking high-level talent or outsourcing to digital security firms, which can cost stakeholders millions of dollars. Other considerations for protecting data fall under the umbrella of internal controls, such as reducing human error through training and other mitigation procedures. HIPAA does, however, offer strategic tools specifically for risk assessment and remediation: [1,2]
- The updated 2023 HIPAA Risk Assessment serves to identify gaps in compliance and provides a template for responding to any incidents. [1]
- The HIPAA Audit Checklist, to be conducted internally by organizations to help measure compliance. [1]
- The HIPAA Social Media Checklist helps to guard against the misuse of common social platforms.
Internal HIPAA Remediation Tips That May Assist Compliance Efforts
- Predetermine secure areas where patient information can be privately discussed for in-person and telephone conversations. [1,2]
- Discourage by any means necessary the sharing of login credentials among employees. [1,2]
- Train on proper disposal of PHI records. [1,2]
- Discourage leaving files, devices, or any other tool for accessing patient data unattended or in plain view. [1,2]
- Have a HIPAA certification document procedure in place for third-party vendors. [2]
- Make sure all computer screens are operating with automatic locking screen systems. [1,2]
- Conduct a preliminary audit based on the checklist provided by HIPAA. [1,2]
- Utilize encrypted technology throughout all communication channels. [1,2]
- Posting about patients on social media, or contacting patients through social platforms, is a common form of violation, and policies against it require diligent reinforcement. [1,2]
- Engage in documented compliance training at routine intervals for all staff members. [1,2]
- Train and enforce protocols for gaining proper consent from patients for the sharing of information. [1,2]
Summary
It is not a small task to guard against cyber-attacks, and for those immersed in the industry, the challenges can be daunting. HIPAA and cybersecurity experts agree that healthcare organizations and covered entities stand to benefit from placing a person or team solely in charge of HIPAA compliance enforcement. [1,2]
Healthcare entities contribute daily to big data interfaces, which carry a heavy burden. Safeguarding ePHI is a high-level task that must either be outsourced or maintained by an internal cybersecurity team. Reflecting on the lessons from the many ePHI breaches in 2022, the resulting violations and the landscape of potential lawsuits can cripple an organization’s reputation and financial holdings. [1,2,4]
We can expect continued modifications to the HIPAA Security Rule, given the explosion of digital telehealth engagement within the last few years. As a result, it is safe to assume that attacks on virtual health platforms will become more sophisticated. Electronic and technological advances are unfolding rapidly, and exceptional talent in these areas will be needed. Organizations might consider offering continued paid training to keep their existing employees well prepared to perform HIPAA-related remediation tasks well into the future and under a diverse set of circumstances.
References
- [1] The HIPAA Journal. n.d. “Home.” Accessed April 3, 2023.
- [2] Kruse, Clemens Scott, Brenna Smith, Hannah Vanderlinden, and Alexandra Nealand. 2017. “Security Techniques for the Electronic Health Records.” Journal of Medical Systems 41(8):127.
- [3] Evans, Barbara J., and Gail P. Jarvik. 2018. “Impact of HIPAA’s Minimum Necessary Standard on Genomic Data Sharing.” Genetics in Medicine 20(5):531–535.
- [4] Kayaalp, Mehmet. 2018. “Patient Privacy in the Era of Big Data.” Balkan Medical Journal 35(1):8–17.