Perhaps more than any other industry, healthcare must be a leader in securing personal information. The amount of information that healthcare providers, payers, and adjacent entities collect on individuals is vast and includes not just medical information, but also financial and personally-identifying data.
Most of the rules governing the protection of personal health information (PHI) are dictated by the Health Insurance Portability and Accountability Act (HIPAA), specifically Title II, which details regulations related to privacy, security, and enforcement. An additional law, the Health Information Technology for Economic and Clinical Health (HITECH) Act specifies rules related to electronic health records (EHR).
The proper management of PHI is not just a concern for hospitals and insurers, but also the technology vendors that they work with. So whether you’re a hospital IT manager, or a SaaS provider to a hospital, here’s what you need to know about data compliance with HIPAA.
HIPAA Title II
Let’s start with discussing who exactly is under the jurisdiction of HIPAA. Most HIPAA rules apply directly to “covered entities” (health plans, health clearinghouses, or healthcare providers) and indirectly (in most circumstances) to “business associates.” A business associate is a third-party that performs services for a covered entity using PHI. Business associates can range from a medical transcription service to a cloud storage provider.
Because most covered entities cannot perform all tasks related to patient information independently, they rely on business associates to assist in their operations. HIPAA requires covered entities to have written contracts with all of their business associates detailing appropriate uses of PHI and how it should be protected.
Regardless of classification, organizations that have access to sensitive health data are subject to the following rules under Title II of HIPAA:
The HIPAA Privacy Rule sets standards for how an individual’s private health information is used and disclosed. A goal of the rule is to maintain patient privacy while also minimizing barriers to the data so that treatment and care can be delivered as efficiently as possible.
Notable provisions within the Privacy Rule include the following:
- A covered entity may disclose an individual’s PHI without their explicit permission to facilitate healthcare treatment.
- A covered entity must notify an individual on uses of their PHI.
- Individuals have the right to request their PHI from a covered entity and receive it within 30 days.
- Individuals have the right to dispute inaccuracies they find in their PHI from a covered entity.
The HIPAA Security Rule applies specifically to electronic protected health information (e-PHI). The Security Rule breaks down compliance into three categories of safeguards: administrative, physical, and technical. We’ll discuss them in more detail in the “Compliance Checklist” section below, but here are brief descriptions of each:
- Administrative safeguards – Organizational policies and procedures that demonstrate how an entity can and will comply with privacy security standards.
- Physical safeguards – Policies that limit the access to locations and devices where PHI is stored.
- Technical safeguards – Limits to access of computer systems and networks that transmit PHI.
The HITECH Act was passed in 2009 partially to encourage the widespread adoption of electronic health records (EHR). Subtitle D of the law addresses privacy and provides more specificity in areas that were vague under HIPAA. It establishes guidelines for covered entities and business associates for the accounting of shared PHI, data breach notification, and imposes fines for health-related data breaches.
A Quick Case Study on HIPAA Data Compliance
In 2018, the US Department of Health and Human Services (HHS) collected over $28 million in fines related to HIPAA privacy and security violations. While the biggest settlement was paid by insurer Anthem, one of the most notable violations involved a small not-for-profit hospital system in Southern California.
Cottage Health, based in Santa Barbara, California.
- Data breach 1: The security configuration on the organization’s server (managed by a contractor) did not require a username or password to view patient data, making e-PHI accessible to anyone with access to the Cottage Health server.
- Data breach 2: A misconfigured server exposed patient information including social security numbers over the internet.
Why did it happen?
The HHS investigation revealed the following violations:
- Cottage Health failed to conduct a thorough risk assessment about potential vulnerabilities.
- The hospital system did not implement or maintain security protocols.
- The hospital system never obtained a written agreement with the business associate that managed its e-PHI.
Cottage Health agreed to pay a $3 million fine and develop an action plan to stay in compliance with HIPAA.
The Cottage Health case is a cautionary tale for any covered entity that is not clear about what it needs from its business associates.
A HIPAA Data Compliance Checklist
With the exception of EHR providers, there is no umbrella certification system for HIPAA compliance. This means that covered entities and business associates need to do their due diligence in understanding and following HIPAA and HITECH provisions.
We’ve created a compliance checklist based on the safeguards outlined in the HIPAA Security Rule. While this list is not exhaustive, it should provide a good start for covered entities vetting business associates and for business associates working to become trusted and reliable partners.
- Risk assessment – Before taking any other actions, an organization needs to assess its current security protocols and identify any risks. Based on this information, it should develop a plan for data protection.
- Security manager – HIPAA requires covered entities to have a designated official in charge of developing and managing all security procedures.
- Access rules – Organizations should develop clearly defined rules about which roles/titles can have access to e-PHI.
- Employee training program – All employees, regardless of role need to be trained on the laws governing PHI.
- Evaluation schedule – HIPAA compliance is an ongoing process. Covered entities need to regularly evaluate their policies to ensure that they are in compliance with the Security Rule.
- Facility access procedures – A covered entity must put rules in place limiting access to physical locations where sensitive data is stored.
- Device and workstation security procedures – There should be guidelines about appropriate usage and disposal of devices that access e-PHI.
- Systems and networks access protocols – Unauthorized individuals should be blocked from accessing internal systems or data being transmitted over a network.
- Audit system – Covered entities need to have a systematic way of monitoring activity of hardware and software that has access to e-PHI.
- Data integrity procedure – Organizations should prevent health data from being tampered or altered.
Only when these safeguards are in place can healthcare organizations, technology vendors and other organizations who handle PHI rest easy that they are safe from exposure.
The good news is, this isn’t a cause for alarm as much as it’s a call to arms. HIPAA compliance is complex, but it doesn’t have to be limiting. Companies with highly regulated data can still leverage third-party tools to do deep analytics; they just have to take care not to outsource the data. They need a data platform (like yours truly!) that can be deployed on a private cloud. The best way to maintain compliance is to keep the data in an environment you can control.
Interested in learning more about how MetaRouter can keep your data HIPAA-compliant? Drop us a line anytime.