In our previous blog on this collection of data protection laws, we covered California’s take on data privacy laws, explaining why it is crucial to comply with it if you’re an enterprise that deals in the U.S.
Now it is time to get specific. Today we’ll focus on the health and healthcare industry, which, according to IBM’s study together with the Ponemon Institute, has the highest cost per data record breached.
Who Ensures Data Security in Health?: HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is the legislation in charge of protecting healthcare information. Created in 1996, this federal law provides guidelines on how healthcare providers, clearinghouses, and insurers must deal with consumer data.
Under HIPAA, the patient’s health information (PHI) must be protected while it is stored or transmitted. The medium doesn’t matter: electronic, paper, or oral. Tough, right?
What’s more, the U.S. healthcare industry has been pushing high-security standards, with electronic health care transactions and code sets, unique health identifiers, among other things. And yet, according to this recent HIPAA Journal article, “Largest Healthcare Data Breaches of 2018,” this last year was rife with data breaches:
“As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.”
HIPAA Journal – 2018
Most of the time, the complexity of the law can confuse organizations and lead to weak execution. For that reason, it’s crucial to lay down HIPAA’s main requirements as clearly as possible, especially since the law includes both financial and criminal penalties for those who violate it or fail to comply.
Certainly, when it comes to penalties, HIPAA is serious business. Violation fines range from $100 to $50,000 per violation (up to $1.5M a year per violation
The Privacy Rule: What Information is Protected
HIPAA’s core rule is the Privacy Rule. This part of the legislation specifies that all identifiable health information is to be protected. This includes:
- All of a patient’s health record history, physical or mental.
- All health care or financial health care information related to the patient.
- All personal details that could help identify the patient, like their name or address.
However, there is no restriction on the use of de-identified or anonymized data. That is, if a piece of information cannot be traced back to a patient, it is not covered by HIPAA. See this summary to better understand the rules behind data disclosure and the specific cases in which it is allowed or restricted.
Patient-Rights Given by the Privacy Rule
The Privacy Rule gives people certain rights over their personal health information and limits who can access and review that information. It gives patients the following rights:
- Request Medical Record — Individuals may ask for copies of their records in the format of their choice (electronic or paper) so that they can examine the content.
- Correct the Medical Record — Should any errors be detected in their medical information, individuals have the right to request corrections, then confirm that those changes have been made.
- Use and Disclosure of Medical Information — An individual’s medical information must be disclosed when needed for patient care. This means that the PHI follows the individual wherever he/she seeks care and is not the proprietary property of any organization that might have initially generated that data.
- Receive Notifications — Individuals may decide whether or not their data can be used and shared for purposes such as a marketing campaign, receive notifications about such uses, and get a report when it is shared.
- File a Complaint — Individuals are entitled to complain to their provider or insurer if they believe their data is not being protected. They also may file a complaint with HHS.
If you want to better instruct patients on how to handle these rights, use this terrific HIPAA infographic that describes an individual’s rights to their PHI.
Security Requirements for Health Entities
Let’s move to the second portion of the legislation: the Security Rule. This details the administrative, technical, and physical security requirements that your entity must meet when protecting e-PHI (electronic protected health information). Under this rule, entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
Contextual Risk Analysis
Unfortunately, the requirements specified by HIPAA do not lend themselves to a quick summary. Do not fret! One of HIPAA’s strengths (and weaknesses) is that it’s contextual and flexible.
HIPAA adapts itself to an entity’s context, which is why it requires an implemented and continuous risk analysis process. This will help you as an entity determine the likelihood of potential risks to e-PHI and select proper countermeasures according to the HHS’s suggestions. There are required safeguards (mandatory) and addressable ones (subject to an entity’s context).
This means the HHS takes your entity’s size, resources, and capabilities into consideration. Still, it is the responsibility of the entity to document its risk analysis process, taking note of the risks identified and the reasons behind the chosen implementations.
Administrative Safeguard Requirements
These include internal procedures that involve management of both administrative and human resources in favor of the PHI’s security. We’ve prepared an overview table to give a better look of all Required and
Use this table to evaluate those requirements that are not met by your entity, and utilize HHS’s detailed breakdown of each one of these as a guideline for implementing the right solution to the required standard.
| Standards | Implementations (R) = Required, (A) = Addressable |
|---|---|
| Security Management Process | • Risk Analysis (R) • Risk Management (R) • Sanction Policy (R) • Information System Activity Review (R) |
| Workforce Security | • Assigned Security Responsible (R) • Authorization/Supervision (A) • Workforce Clearance Procedures (A) • Termination Procedures (A) |
| Information Access Management | • Isolating Health Care Clearinghouse functions (R) • Access Authorization (A) |
| Security Awareness and Training | • Security Reminders (A) • Protection From Malicious Software (A) • Log-in Monitoring (A) • Password Management (A) |
| Security Incident Procedures | • Response and Reporting (R) |
| Contingency Plan | • Data Backup Plan (R) • Disaster Recovery Plan (R) • Emergency Mode Operation Plan (R) • Testing and Revision Procedures (A) • Applications and Data Criticality Analysis (A) |
| Evaluation | • Constant Security Reassessments (R) |
| Business Associate Contracts and Other Arrangements | • Contract or Arrangements (R) |
Physical Safeguard Requirements
These requirements cover measures taken to secure and protect physical access to e-PHI from environmental hazards, unwanted intrusions, and other threats. This extends from the office to the workforce’s homes or any other locations where e-PHI is accessible.
Once again, the table displays physical security standards, and their Required or Addressable implementations. To understand these implementations and how to execute them for HIPAA, read the HHS’s summary on Physical Safeguards.
| Standards | Implementations (R) = Required, (A) = Addressable |
|---|---|
| Facility Access Controls | • Contingency Operations (A) • Facility Security Plan (A) • Access Control and Validation Procedures (A) • Maintenance Records (A) |
| Workstation Use | • Workstation Usage Policies and Procedures (R) |
| Workstation Security | • Workstation Access Security Measures (R) |
| Device and Media Control | • Disposal (R) • Media Re-use (R) • Accountability (A) • Data Backup and Storage (A) |
Technical Safeguards Requirements
The following suggested implementations tackle technical security measures that need to be taken to protect e-PHI and control its access points.
Use the following table to verify the measures your entity has already taken, and, if necessary, visit the HHS’s summary on technical safeguards for further detail about each implementation mentioned.
| Standards | Implementations (R) = Required, (A) = Addressable |
|---|---|
| Access Control | • Unique User Identification (R) • Emergency Access Procedure (R) • Automatic Logoff (A) • Encryption and Decryption (A) |
| Audit Controls | • Implement software/hardware/procedural systems that examine activity in information systems with PHI (R) |
| Integrity | • Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity | • System to verify identity of user who requests access (R) |
| | • Integrity Controls (A) • Encryption (A) |
Organization and Policies Requirements
There is also a group of requirements covering the documentation and contractual obligations behind HIPAA compliance that must be addressed.
These can be found in the following summary, detailing how your entity must relate to other entities that handle PHI, and how the compliance choices must be documented.
| Standards | Implementations (R) = Required, (A) = Addressable |
|---|---|
| contracts or other | • Business Associate Contracts (R) • Other Arrangements (R) |
| Requirements for Group Health Plans | • Implementation Specifications (R) |
| Policies and Procedures | • Written Security Policies and Procedures (R) |
| Documentation | • Time Limit (R) • Availability (R) • Updates (R) |
First of all, HIPAA, unlike the European General Data Protection Regulation (which we also covered in our data laws series!), is tailored for the health care industry of the United States.
Furthermore, due to the sensitivity of the data it protects, it is, by far, one of the most complete pieces of industry data protection and privacy legislation out there in the
We advise you to review your case with formal legal advice, management, AND experienced IT associates to help audit the entity’s current state and implement proper policies that fit HIPAA’s requirements.
Remember to visit the HIPAA for professionals portal of the HHS for guidance on other topics, such as breach reporting, data de-identification methods, and further details on both enforcement and penalties by the HHS.
This article does not constitute legal advice; it focuses mainly on the security and privacy requirements set by HIPAA.