HIPAA fines cost ten companies $28.7 million in 2018, which broke the previous 2016 record for HIPAA fines by 22%! That’s only 10 HIPAA cases resolved out of 25,912 complaints and 431 data breach investigations. You don’t want to have to worry about a HIPAA complaint against your company, and you don’t want to be one of those that get fined. This guide will tell you what you need to know about HIPAA compliance and help you protect and secure your HIPAA protected data.
- HIPAA Compliance
- HIPAA Breach Notification
- HIPAA Violations
- HIPAA Compliance Risk Assessment
- Standard HIPAA Transactions
- HIPAA Compliance Checklist
What is HIPAA Compliance?
HIPAA compliance is the process that business associates and covered entities follow to protect and secure Protected Health Information (PHI) as prescribed by the Health Insurance Portability and Accountability Act. What that legal jargon means is “keep people’s healthcare data private.”
Let’s get into the technical definitions of those terms.
What is Protected Health Information (PHI)?
Protected Health Information (PHI) is your/my/everyone’s healthcare data. PHI is the content that HIPAA tries to protect and keep private. The Safe Harbor Rule identifies what kind of data you must remove to de-classify PHI.
What is a Covered Entity?
A covered entity is an individual in a healthcare field that uses and has access to PHI. They are doctors, nurses, and insurance companies.
What is a Business Associate?
Business associates are individuals that work with a covered entity in a non-healthcare capacity and are just as responsible for maintaining HIPAA compliance as covered entities.
Business associates are the lawyers, accountants, administrators, and IT personnel that work in the healthcare industry and have access to PHI.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule, along with the HIPAA Security Rule (below), form the foundation of the HIPAA regulations. The Privacy Rule explains how and when healthcare professionals, lawyers, or anyone who accesses your PHI can or cannot use that data.
For example: If I want to allow my PHI to be available to someone else, the law requires a signed HIPAA PHI Release form in order for the Doctor’s office to share my information with them. Those are the kinds of scenarios covered in the Privacy Rule.
What Information Does the Privacy Rule Protect?
The HIPAA Privacy Rule defines PHI as individually “identifiable health information” stored or transmitted by a covered entity or their business associates, in any form or media (electronic, paper, or oral).
The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the payment information that identifies or for which there is a reasonable basis to believe can be used to identify the individual.”
In simple terms: any and all data having to do with all doctor visits, ever, including (but not limited to):
- Birth, death or treatment dates, and any other dates relating to a patient’s illness or care
- Contact information: telephone numbers, addresses, and more
- Social Security numbers
- Medical record numbers
- Finger and voice prints
- Any other unique identifying number or account number
Whom Does the HIPAA Privacy Rule Apply?
The HIPAA Privacy Rule protects individual PHI by governing the practices of the covered entities.
Covered entities are the people and organizations that hold and process PHI data for their customers – the ones required to report HIPAA violations and who are responsible for paying fines imposed by the Office of Civil Rights if and when a HIPAA violation occurs.
HIPAA defines these individuals and organizations as covered entities:
- Health Care Providers
- Nursing homes
- Health Plan
- Health insurance companies
- Company health plans
- Government provided health care plans
- Health Care Clearinghouse
- These entities process healthcare data from another entity into a standard form.
What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule is the most significant change to the HIPAA regulations and clarifies and updates several of the previous definitions. It broadens the definition of Business Associates to include subcontractors, consultants, and storage companies, which effectively expands HIPAA to cover many more organizations and individuals. The changes to the regulation increased and tiered the civil penalties for HIPAA violations, updated the breach notification rules, and prohibits the use of genetic information for purposes of underwriting insurance policies. Lastly, companies can’t use PHI for marketing purposes.
What is the HIPAA Security Rule?
The HIPAA Security Rule sets the minimum standards required for covered entities to manage electronic PHI (ePHI). The HIPAA Security Rule says —“The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
How Does the HIPAA Security Rule Protect Your Data?
HIPAA rules require covered entities to adhere to certain administrative process controls to ensure and verify their compliance with the HIPAA Security Rule:
Security Management Process: CEs must establish policies and procedures to prevent, detect, contain, and correct security violations. Part of this process is to follow the procedures in the Risk Management Framework to assess overall risk in your current processes or when you implement new policies.
Assigned Security Responsibility: One designated security official must be responsible for the development and implementation of the HIPAA Security Rule.
Workforce Security: CEs must identify which employees require access to ePHI and make efforts to provide control over that access. To achieve this, implement a least privilege model and automatically enforce and manage permissions.
Information Access Management: Restrict access to ePHI via permissions after you have identified the who should have access in the step above.
Security Awareness and Training: In order to enforce these rules and security policies, organizations need to train their users on what the rules are and how to abide by them.
Security Incident Procedures: This standard guides the organization how to create a policy to address data breaches: it’s good practice regardless – report breaches and security violations, and set up alerts and security analytics so that you can prevent breaches in the first place.
Contingency Plan: This is the “what happens next” standard. Create and follow a data backup plan, disaster recovery plan, and have an emergency mode operation plan in place, just in case things go sideways and you get breached. There’s also guidance in this standard for testing and revising these plans, as well as managing critical applications that store, maintain or transmit ePHI.
Evaluation: Establish a process to review and maintain the policies and procedures to stay up to date and current with the HIPAA Security Rule.
Business Associate Contracts and other Arrangements: While it’s ok to use other businesses to implement your overall HIPAA Security strategy, as with any 3rd party contractor, you must get assurances from them that they understand HIPAA and they won’t leak your ePHI.
This section of the HIPAA Security Rule sets standards for physical security: the “lock your doors” and “batten down the hatches” kind of guidance – along with what to do in case of natural disasters, naturally.
Facility Access Controls: Limit and audit physical access to the computers that store and process ePHI. Pro tip – put a lock on the server room door.
Workstation Use: Manage and secure computers (desktop, laptop, and tablets) that are used to access ePHI. Every computer with access to a CEs ePHI must adhere to this policy, including systems that are offsite (and offline).
Workstation Security: Implement physical safeguards for all computers that access ePHI: restrict access to computers that access ePHI, install remote wipe safeguards on laptops that grow legs.
Device and Media Controls: Once computers are covered, you still need safeguards on all the rest: devices and media like USB drives, tape backups, or removable storage. Establish a policy to inventory, allow the use of, and reuse or dispose of these devices as needed.
Technical safeguards are the technology and procedures that covered entities use to protect ePHI. The HIPAA Security Rule does not define what technology to use – but demands that CEs adhere to the standard and adequately protect ePHI from data breaches.
Access Control: Authenticate users as necessary to access ePHI, establish and maintain a least privilege model, and have appropriate procedures in place to audit access control lists (ACL) on a regular schedule.
Audit Controls: Audit your ePHI to record and analyze activity in case of a data breach. CE’s need to provide a complete audit trail of the data breach and what PHI be able to show the OCR exactly how a data breach occurred with a complete audit trail and reporting.
Integrity: To be HIPAA compliant, CEs needs to be able to prove that the ePHI they manage is protected from threats both inside and out, intentional or not. Whether the new intern deletes a record accidentally, or a nefarious hacker deletes it intentionally, you should be able to recover and restore that record.
Person or Entity Authentication: CEs must provide assurances that the person accessing ePHI is, in fact, who they say they are. These assurances can be a password, two-factor authentication, or retinal scan – whatever works as long as you have something implemented.
Transmission Security: When sending data to other business partners, you need to be able to prove that only authorized individuals accessed the ePHI. You can use an encrypted email with a private key, HTTPS file transfer, or a VPN – as long as only the people that are authorized to use the ePHI, HIPPA doesn’t care how you set it up.
What is the HIPAA Enforcement Rule?
The HIPAA Enforcement Rule explains how companies need to handle HIPAA violations – and the process isn’t just a slap on the wrist.
Individuals or companies report HIPAA violations to the Office for Civil Rights (OCR), and the OCR is responsible for investigating and reviewing those violations. If the OCR finds the violators negligent, the violators must fix what caused the breach in the first place and deal with the affected individual’s data to the satisfaction of the OCR. If the OCR does not find their response satisfactory or if they find the data breach egregious, the OCR will fine the violators based on the number of records involved.
What is the HIPAA Breach Notification?
The HIPAA Breach Notification Rule requires covered entities to notify an individual of improper access to their PHI within 60 days. It’s important to remember that even if ransomware encrypts ePHI, it’s considered a breach – and therefore falls under the HIPAA breach notification rule.
If there are more than 500 PHI records impacted, you must notify the Department of Health and Human Services (which in turn gets the OCR involved) – and you’re required to issue a press release about the breach.
If you are in the unfortunate situation of reporting a HIPAA violation, here is the information you must initially provide OCR:
- A list of the PHI made available, and an explanation of how the violation occurred.
- Who was the unauthorized person who saw or had access to the data?
- The unauthorized entities/individuals that viewed or accessed the PHI
- Confirmation that the unauthorized entities viewed the PHI, or if the PHI was available but un-accessed.
- Any mitigation steps you have taken
There is good news: if you don’t break that 500 record limit in a single event, you can report all of your smaller violations to HHS in a single batch once per year per the Breach Notification Rules.
What is a HIPAA Violation?
There are many ways to violate HIPAA’s requirements. Most commonly, violations come because negligence or incomplete compliance to the HIPAA Privacy and Security Rules leads to a data breach of PHI or unauthorized release or access by unauthorized employees to PHI. Is a stolen laptop containing PHI a HIPAA violation? Not necessarily! A stolen laptop with encrypted PHI is not a HIPAA violation.
The OCR reviews tens of thousands of HIPAA cases every year. In 2018 only 10 cases resulted in HIPAA violations and a civil penalty.
Common HIPAA Violations
Here are some of the most common causes of a data breach that can lead to a HIPAA violation:
- Theft of equipment that stores PHI
- Hacking/ malware/ ransomware
- Office break-in
- Sending PHI to the wrong person or business partner
- Discussing PHI in public
- Posting PHI to social media
Fine Levels for HIPAA Compliance Violations
The Enforcement Rule contains the guidance for fines for HIPAA violations. There are four levels of fines.
The first level is “Did Not Know,” and the fines range from $100–$50,000 per incident with a yearly maximum of $1,500,000. The next level is “Reasonable Cause,” and those fines range from $1,000–$50,000 per incident with the same yearly maximum. The next two levels are for the more egregious violations, where the companies are negligent. If the company took steps to correct their negligent compliance behaviors, the fine is $10,000 – $50,000 per incident. If the Compliance Auditor rules that the company did not take corrective action, they will fine the company $50,000 per incident.
There are several examples of HIPAA resolutions on the OCR website. When you see fines that total over $1.5 million – the yearly maximum in the Enforcement Rule – that means there were several different data breaches or violations that occurred over several years.
Elements of an Effective Compliance Program?
The Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) released a compliance training guide and established “The Seven Fundamental Elements of an Effective Compliance Program.” These are the seven guiding principles that you should use to drive your HIPAA compliance efforts, and an auditor uses these criteria during investigations:
- Implementing written policies, procedures and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
Elements of a HIPAA Compliance Risk Assessment
The OCR provides guidance on how to perform a HIPAA compliance risk assessment. You should refer to the NIST publications around cybersecurity best understand how the federal government defines risk in modern connected infrastructure. Here are the key points from the OCR guidance on risk assessments.
- Scope of the Analysis: Where does all of your PHI live? Do you have control of all of those storage locations? How many data stores do you need to review?
- Data Collection: Find and classify all the PHI you store on your network or in paper files. Document everything.
- Identify and Document Potential Threats and Vulnerabilities: Think like an attacker, how would someone try to get access to your PHI?
- Assess Current Security Measures: What security measures do we have now?
- Determine the Likelihood of a Threat Occurrence: Yes, you will be attacked.
- Determine the Level of Risk: During an attack, how likely is it that the attackers will steal PHI?
- Finalize Documentation: Write all of that down, so the Auditor has a record that you tried.
- Periodic Review and Updates to the Risk Assessment: Update your risk profile every few months. The Security Rule specifies, “as needed.” Ideally, you should be updating your risk position daily.
HIPAA Standard Transactions
HIPAA adopted standards for different kinds of electronic exchanges of PHI. Any covered entity that exchanges information with another covered entity or business associate must use a communications protocol standard from either X12 or NCPDP.
Here are some examples of standard transactions.
- Claims and encounter information
- Payment and remittance advice
- Claims status
- Enrollment and disenrollment
- Referrals and authorizations
- Coordination of benefits
- Premium payment
How to Become HIPAA Compliant
Becoming HIPAA compliant isn’t all that different from any of your other basic 21st-century data security plans. In fact, setting up a solid data security plan will help maintain HIPAA compliance.
Here is a HIPAA Compliance Checklist to get you started:
- Map your data and discover where your HIPAA protected files live on your network (including cloud storage)
- Determine who has access to HIPAA data, who should have access to HIPAA data, and implement a least privilege model.
- Monitor all file access to your data.
- Set up alerts to notify you if someone accesses HIPAA data, or if someone creates new HIPAA data in a non-compliant repository. Use data security analytics to differentiate between normal behaviors and potential HIPAA violations.
- Protect the perimeter with firewalls, endpoint security, locks on server rooms, two-factor authentication, strong passwords, and session timeouts.
- Monitor activity on the perimeter and add threat models to your data security analytics.
HIPAA compliance isn’t just the law – it will protect your customer’s data and ensure that your business prospers in the age of digital medical records.
Varonis has been working with our customers on HIPAA compliance since before the HITECH Act in 2009. The Varonis Data Security Platform provides the foundation for a HIPAA compliant data security strategy.
Check out this webinar where a Varonis customer talks about their HIPAA compliance journey.