Understanding the HIPAA Security Rule and Its Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) changed the way the healthcare industry looked at patient data security. The goal was to establish standards applied nationwide and throughout many sectors in the medical community.
Electronic health records provide a way to share clinical data between various healthcare disciplines to ensure everyone has the same information about a patient. A primary care doctor will see the same test results as a specialist, for example. A specialist will see a list of current medications issued by the local pharmacy.
The ability to coordinate information increases the quality of healthcare but it also opens up some IT security issues. The HIPAA Security Rule is a critical part of managing those risks.
What is the HIPAA Security Rule?
The HIPAA Security Rule mandates safeguards designed for personal health data and applies to covered entities and, via the Omnibus Rule, business associates. The rule is meant to protect patients' electronic data, such as health records, from threats such as hackers.
HIPAA defines covered entities as:
- Health plans
- Health care clearinghouses
- Health care providers
Business associates are anyone who deals with personal health information at any level. That would include creating it, receiving it, maintaining it or transmitting it. For example, a billing firm would be a business associate. They don’t provide care, but they are in a position to handle patient information. Other examples of business associates include:
- Data analysis and processing
- Utilization review
- Quality assurance
- Benefit management companies
Any sector that uses personal health information on behalf of a covered entity is a business associate.
What are the Mandated Safeguards?
HIPAA’s Security Rule designates safeguards in three different areas: technical, physical and administrative. Each section has separate mandates.
Technical safeguards refer to IT management:
- Control access to reading, writing, modifying and communicating data. User access must have unique identifiers, automatic logoffs, data encryption and emergency access procedures
- Audit controls
- Integrity policies to protect data from unauthorized users
- Authentication to verify each user attempting to access the data
Physical safeguards protect the hardware:
- Access-controlled facilities
- Workstation security and protocols to protect against unauthorized access such as keeping them in a secure room
- Procedures and policies for device control and the use of media. This should include management of media, records of media movement, disposal and backup of media
Administrative is the overall management of security:
- The implementation of security management procedures and policies to detect breaches, contain them, correct problems and create prevention tactics including risk analysis and management.
- Designating a security official responsible for the development of the policies and procedures and ensuring implementation.
- Policies and procedures in place for employee access to patient data. Policies should cover authorization, supervision, clearance and what to do after termination.
- The restriction of unnecessary access to data.
- Security training that covers identifying incidents and reporting them.
- Contingency plans for data backup and emergency recovery.
- Evaluation of security plans and HIPAA compliance.
- Establishing written agreements with business associates to ensure their compliance.
Required vs Addressable
The Security Rule breaks these safeguards down further into two groupings: required and addressable. Put simply, a required standard applies to everyone, while an addressable standard must be implemented if it is reasonable and appropriate. If an addressable standard is not appropriate, there must be documentation explaining why.
Compliance: How to Get and Stay There
Since the situation for each covered entity and business associate is different in terms of how they handle data and the resources they have, the security rule does not define the methodology for compliance. It is intentionally flexible and technologically neutral. This allows for some freedom when it comes to compliance as long as the established safeguards are met.
It starts with a comprehensive assessment of risks that would feature:
- Identifying current risk factors for electronic personal health information
- Creating a list of objectives necessary to eliminate the risks and close security loopholes
- Listing gaps that exist between the current situation and the objectives.
The gap analysis pinpoints what needs to change.
Next, a Service Organization Control (SOC) 2 examination brings in an independent auditing firm to look at control objectives and test them to ensure they meet standards efficiently and effectively. A proper audit will look at:
- Automated and manual procedures
The exam will include an analysis of company protocols to stay in compliance.
Finally, schedule reviews of protocols and reassessment should hardware or software change.
The Consequences of Non-Compliance
Noncriminal violations of the HIPAA Security Rule are managed by the Department of Health and Human Services Office for Civil Rights (OCR). On average, fines for violations run from 100 to 50,000 dollars based on the tier level:
- Tier 1 indicates the organization was unaware or could not have avoided the violation.
- Tier 2 states the organization was likely aware but could not have avoided the violation
- Tier 3 is for violations that occur due to willful neglect but an attempt is made to correct the problem
- Tier 4 refers to violations due to willful neglect where no attempt is made to correct the problem
Companies that violate the rules of HIPAA may also be held criminally liable if they disclose personal information or obtain it under false pretenses for commercial or criminal purposes.
Although developing the means to remain compliant can seem expensive, the cost is much less than that of a breach.
In 2014, New York-Presbyterian Hospital and Columbia University had a breach that cost them 4.8 million dollars in HIPAA fines alone. That same year, Stanford Hospital and Clinics suffered a breach that left 20,000 patient records posted online. They paid out a four million dollar settlement.
On average, data breaches cost around 5.9 million dollars beyond the HIPAA fines. Organizations typically face civil lawsuits from patients whose privacy has been violated, as well. When you consider the scale of the consequences of a data breach, the cost of things like a SOC 2 assessment makes sense.
Call us at 215-675-1400. We invite you to experience “Audits without Anxiety!”™ by filling out our online form to request a quote for a compliance check today. I.S. Partners is there to help companies stay HIPAA compliant as efficiently and securely as possible. We take the anxiety out of an audit.