The Health Insurance Portability and Accountability Act (HIPAA) is legislation that provides security provisions and data privacy requirements in order to keep patients’ medical information safe. The law has gained greater prominence in recent years with the proliferation of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers. It is worth knowing that HIPAA compliance has a close relationship with PCI DSS.
Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Other entities, such as subcontractors and any other related business associates, must also be in compliance. HIPAA violations can be very costly for a healthcare organization. First of all, the Breach Notification Rule, set in the Omnibus Rule, requires covered entities and their business associates to notify patients following a data breach.
Organizations can lower the risk of regulatory action by participating in training programs for HIPAA compliance. The OCR offers six programs in total which aim to educate employees about the security and privacy rules. Many other training groups and consultancies offer programs, too.
There is no official certification program for HIPAA compliance. The HHS Office for Civil Rights (OCR), which enforces HIPAA, issued guidance in 2016 clarifying that cloud service providers and other business associates of healthcare organizations are covered by the HIPAA privacy, security and breach notification rules. HIPAA violations can prove quite costly for healthcare organizations.
Administrative Simplification Rules
HIPAA is divided into five titles, of which Title II, “Administrative Simplification Rules”, is the one related to IT and information security. This title contains the following topics:
- National Provider Identifier Standard
- Transactions and Code Sets Standard
- Privacy Rule
- Security Rule
- HIPAA Enforcement Rule
National Provider Identifier Standard
Each healthcare entity, including individuals, employers, health plans and healthcare providers, must have a unique 10-digit national provider identifier number, or NPI.
Transactions and Code Sets Standard
This standard requires organizations to follow standard mechanisms for electronic data interchange (EDI) when processing or submitting insurance claims.
HIPAA Privacy Rule
This rule requires covered entities and business associates to protect the privacy of any patient health information that can identify an individual, whether electronic or not. It sets standards for the uses and disclosures of Protected Health Information (PHI) and specifies when patient consent or authorization is required. The Privacy Rule also imposes administrative requirements that apply to most covered entities:
- Nominating a privacy officer
- Training the employees
- Planning policies and procedures to safeguard PHI according to the characteristics of the organization
- Setting adequate and sufficient safeguards to protect PHI
- Setting a process of complaints registration
- Applying sanctions on employees committing breaches
- Known harm management
- Keeping required documentation for at least six years
HIPAA Security Rule
This rule applies specifically to electronic protected health information (ePHI) and to how covered entities (and their business associates) must safeguard its confidentiality, integrity and availability (the CIA triad). The Security Rule requires covered entities to implement three types of safeguards:
- Administrative safeguards:
  - Security Management Process
  - Security Personnel
  - Information Access Management
  - Workforce Training and Management
- Physical safeguards:
  - Facility Access and Control
  - Workstation and Device Security
- Technical safeguards:
  - Access Control
  - Audit Controls
  - Integrity Controls
  - Transmission Security
HIPAA Enforcement Rule
This rule establishes the guidelines for investigating HIPAA violations. It also sets the civil penalties (monetary fines) and criminal penalties (imprisonment) that may apply in case of non-compliance or violations.
HIPAA & IT Security
The HIPAA Privacy Rule and Security Rule are the two rules IT security staff most need training on.
HIPAA privacy rule: basic training
- What PHI is, how to identify it and who can access it
- When, how and by whom it could be disclosed
- What the CIA triad (confidentiality, integrity, availability) is
- Patients’ rights
- Business associate obligations
- Consequences of violation of the rule
HIPAA security rule: mandatory training
- Potential threats to information security related to the use of internal information systems (e.g. sharing passwords with other people), social media, websites, emails and devices
- How to protect from those threats (encryption, e-signatures, etc.)
- Actions to take when something goes wrong or is not normal
- Any other information security policy, guideline or procedure
- Security updates (e.g. a new internal policy)
- Audits
- Consequences of not following the Security Rule
We have written a series of posts about HIPAA, called the HIPAA Series. You can read them at the following links:
- Security 101 for Covered Entities
- Security Standards: Administrative Safeguards
- Security Standards: Physical Safeguards
- Security Standards: Technical Safeguards
- Security Standards: Organizational, Policies and Procedures, and Documentation Requirements
- Basics of Risk Analysis and Risk Management
- Implementation for the Small Provider