HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that was enacted in 1996 to create protection standards for the medical and health information of patients. The rule pertains to all protected medical and health information, including paper and electronic, and covers all medical organizations and entities including hospitals, doctor’s offices, health insurers, and providers.
The electronic forms of medical and health information which pertain to HIPAA are known as ePHI (electronic personal health information), and all medical and healthcare entities must abide by HIPAA’s Security Rule and guidelines when handling ePHI. Whether the ePHI is being stored, created, or transmitted, it is the responsibility of the handler to ensure the confidentiality, integrity, and availability of all ePHI.
Despite the fact that HIPAA was legislated in 1996, its notion to protect all ePHI remains highly relevant today as the adverse effects of data breaches have devastated medical and healthcare organizations over the last decade.
In 2019, 15% of all data breaches involved healthcare entities, and the ePHI acquired in many of these breaches proved to cost these organizations an average of $429 per record in costs. These costs do not include the legal and social implications of a breach of ePHI, which can be devastating in and of themselves due to the sensitive nature of such information.
The American Medical Collection Agency (AMCA) was hacked for 8 months between August of 2018 and March of 2019, resulting in a breach that has affected over 25 million medical patients with the number rising as the investigation continues. Considering the high costs associated with a data breach involving ePHI, it is no surprise that the AMCA has filed for bankruptcy.
Since entities such as hospitals, doctor’s offices, and healthcare providers can be diverse and unique, the Security Rule of HIPAA has been designed to be flexible so that these different entities can implement policies and security measures that are appropriate to their size, capabilities, and level of risk. This means that a company as large as the AMCA will be held to different standards than that of a smaller operation such as a family doctor’s office.
To assist in the planning and implementation of security measures to reach compliance, the HIPAA Security Rule specifies a series of administrative, physical and technical security safeguards for covered entities to implement in order to assure and maintain the confidentiality, integrity, and availability of all ePHI.
This safeguard focuses on the policies, procedures, and maintenance of administrative and internal security measures that protect the ePHI. Examples of administrative safeguards are:
Policies and Procedures:
These safeguards typically focus on how employees can access and handle ePHI and should cover the nuances within the organization that could leave ePHI vulnerable to disgruntled or incompetent employees.
An example of this would be an internal process that ensures that fired employees will have no further access to ePHI upon their release from the company.
Training employees to become HIPAA compliant is essential to securing ePHI laterally across the organization. All employees responsible for handling ePHI should be educated on the risks and consequences of a data breach that involves ePHI.
One way to train employees to prevent an attack would be to teach them about the ways that these data breaches are executed. One of the most common ways that data breaches are executed remains to be through email phishing scams that prey on untrained employees to expose confidential information of the company such as passwords and login information.
Auditing and Monitoring
Continuing to audit and monitor the policies and procedures put in place is important to ensure that the risk potential is minimalized, and any new or unidentified risks will be discovered in order to further secure the operation.
One of the most important things to audit and monitor is the network on which ePHI is stored and transmitted. Keeping network software up-to-date will be fundamental to preventing attacks from cybercriminals that specialize in exploiting vulnerable networks.
HIPAA defines the physical safeguards of the Security Rule as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Essentially, physical safeguards protect the leakage of ePHI by securing physical properties that contain medical and healthcare information of patients.
There are 4 standards included in the physical safeguard section of the Security Rule.
The HIPAA Security Rule states that technical safeguards include “the technology and the policy and procedures for its use that protect ePHI and control access to it.” Technical safeguards define the standards of which how the technology used and the systems implemented should perform in order to secure ePHI.
Since the Security Rule recognizes the diversity of covered entities, a family doctor’s office may not need the same system of malware detection software as that of a larger healthcare corporation such as the AMCA. The complexity of the operation will always be considered when analyzing the security measures implemented.
With the prominence of data breaches that involve ePHI making headlines practically every other week, and considering the costs associated with these attacks, it is no surprise that healthcare entities are strengthening their security measures to prevent themselves from being the next victim.
Whether it’s a small family doctor’s office or a large company such as the American Medical Collection Agency, all organizations that handle ePHI are responsible under HIPAA to protect the electronic medical and health information of their patients from exploitation.