HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that was enacted in 1996 to create protection standards for the medical and health information of patients. The rule pertains to all protected medical and health information, including paper and electronic, and covers all medical organizations and entities including hospitals, doctor’s offices, health insurers, and providers.
The electronic forms of medical and health information which pertain to HIPAA are known as ePHI (electronic personal health information), and all medical and healthcare entities must abide by HIPAA’s Security Rule and guidelines when handling ePHI. Whether the ePHI is being stored, created, or transmitted, it is the responsibility of the handler to ensure the confidentiality, integrity, and availability of all ePHI.
Although HIPAA was enacted in 1996, its mandate to protect all ePHI remains highly relevant today, as the adverse effects of data breaches have devastated medical and healthcare organizations over the last decade.
In 2019, 15% of all data breaches involved healthcare entities, and the ePHI acquired in many of these breaches cost the affected organizations an average of $429 per record. These costs do not include the legal and social implications of a breach of ePHI, which can be devastating in and of themselves due to the sensitive nature of such information.
The American Medical Collection Agency (AMCA) was hacked for 8 months between August of 2018 and March of 2019, resulting in a breach that has affected over 25 million medical patients with the number rising as the investigation continues. Considering the high costs associated with a data breach involving ePHI, it is no surprise that the AMCA has filed for bankruptcy.
Since entities such as hospitals, doctor’s offices, and healthcare providers can be diverse and unique, the Security Rule of HIPAA has been designed to be flexible so that these different entities can implement policies and security measures that are appropriate to their size, capabilities, and level of risk. This means that a company as large as the AMCA will be held to different standards than that of a smaller operation such as a family doctor’s office.
To assist in the planning and implementation of security measures to reach compliance, the HIPAA Security Rule specifies a series of administrative, physical and technical security safeguards for covered entities to implement in order to assure and maintain the confidentiality, integrity, and availability of all ePHI.
Administrative safeguards focus on the policies, procedures, and maintenance of the administrative and internal security measures that protect ePHI. Examples of administrative safeguards are:
Policies and Procedures
These safeguards typically focus on how employees can access and handle ePHI and should cover the nuances within the organization that could leave ePHI vulnerable to disgruntled or incompetent employees.
An example of this would be an internal process that ensures that fired employees will have no further access to ePHI upon their release from the company.
Training Programs
Training employees to become HIPAA compliant is essential to securing ePHI throughout the organization. All employees responsible for handling ePHI should be educated on the risks and consequences of a data breach that involves ePHI.
One way to train employees to prevent an attack is to teach them how these data breaches are carried out. One of the most common vectors remains email phishing scams, which prey on untrained employees to expose confidential company information such as passwords and login credentials.
Auditing and Monitoring
Continuing to audit and monitor the policies and procedures put in place is important to ensure that the risk potential is minimized and that any new or previously unidentified risks are discovered in order to further secure the operation.
One of the most important things to audit and monitor is the network on which ePHI is stored and transmitted. Keeping network software up-to-date will be fundamental to preventing attacks from cybercriminals that specialize in exploiting vulnerable networks.
HIPAA defines the physical safeguards of the Security Rule as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Essentially, physical safeguards protect against the leakage of ePHI by securing the physical property that contains the medical and healthcare information of patients.
There are 4 standards included in the physical safeguard section of the Security Rule.
The HIPAA Security Rule states that technical safeguards include “the technology and the policy and procedures for its use that protect ePHI and control access to it.” Technical safeguards define the standards for how the technology used and the systems implemented should perform in order to secure ePHI.
Since the Security Rule recognizes the diversity of covered entities, a family doctor’s office may not need the same system of malware detection software as that of a larger healthcare corporation such as the AMCA. The complexity of the operation will always be considered when analyzing the security measures implemented.
With the prominence of data breaches that involve ePHI making headlines practically every other week, and considering the costs associated with these attacks, it is no surprise that healthcare entities are strengthening their security measures to prevent themselves from being the next victim.
Whether it’s a small family doctor’s office or a large company such as the American Medical Collection Agency, all organizations that handle ePHI are responsible under HIPAA to protect the electronic medical and health information of their patients from exploitation.