HIPAA Compliance: Learning from Others’ Mistakes

HIPAA Compliance: Learning from Others’ Mistakes

Review general information about HIPAA Compliance and see consequences of non-compliance. 

Intro

The Healthcare industry like any other sphere adopts technologies very fast and, therefore, is constantly exposed to many security risks. There were around 550 data security breaches with more than 22 million individuals affected in 2020. These cases are now investigated by the US Office for Civil Rights (OCR) and below are some examples of the resolved data breach cases. 

In April 2017, Lifespan Corporation reported a theft of an employee’s laptop that contained electronically protected health information (ePHI) of more than 20,431 individuals. To settle the unencrypted laptop breach, the company agreed to pay around $1,5 million to the OCR. 

In May 2015, Excellus Health Plan insurance company discovered that hackers had gained access to its computer systems, installed malware, and accessed the healthcare data of around 10 million individuals. The OCR corrective action plan demanded paying $5.1 million to settle the sensitive data breach. 

In March 2015, Premera Blue Cross informed that cyber-attackers used a phishing email to gain unauthorized access to the company’s information technology system. The unauthorized system penetration remained undetected for nearly nine months, resulting in the disclosure of more than 10.4 million individual records. The health insurer paid $6,85 million, which appeared to be the second-largest payment to resolve a healthcare data breach investigation in OCR’s history. 

In all these cases, different attack vectors were used as well as different amounts of people were affected. However, two things are common for all of them. First, the above data breaches revealed information about people seeking healing and care, particularly, their contact information, Social Security Numbers, financial account information, dates of birth, and other sensitive information. Second, the organizations in all three cases were found to be at fault and agreed to pay fines to settle the data breaches. In addition to this, the data disclosures damaged the covered entities’ reputation and violated their clients’ data privacy. So, what are the main standards, rules, and regulations to protect personal health information, and how to stay away from security incidents?

HIPAA for PHI Protection

Precise investigation of these and many other data breaches as well as regulations on how sensitive data must be transmitted and used occurs owing to The Health Insurance Portability and Accountability Act (HIPAA). It is the US federal law that was adopted in 1996 to protect health insurance coverage information, set standards for electronic healthcare transactions, set guidelines for pre-tax medical health accounts and group health plans as well as govern life insurance policies. At the same time, HIPAA inaugurated the breakthrough in the sphere of health information security and became the cornerstone for the creation and implementation of national rules to protect sensitive patient health information. Specifically, the law requires covered entities and business associates to assure the confidentiality, integrity, and availability of Protected Health Information (PHI) through administrative, technical, and physical safeguards. HIPAA consists of the Security Rule and the Privacy Rule and is supported by a number of other rules aimed to regulate and protect healthcare data.  All HIPAA rules are enforced by OCR which also investigates and addresses all complaints regarding HIPAA compliance. 

HIPAA Privacy Rule

The Privacy Rule is the main tool for implementing the HIPAA requirements because it established national standards for PHI. Being applied to covered entities and business associates, the Rule specified appropriate conditions that maintain data privacy and set limitations to personal health information transactions. Besides that, it gives patients rights over their health information, including rights to examine and obtain copies of their health records and to request corrections to them. In this way, the HIPAA Privacy Rule maintains equilibrium that protects the privacy of individuals who seek healing and care while allowing the secured flow of PHI. This balance is crucial for the successful protection and promotion of the public’s health and well-being. 

HIPAA Security Rule

While the HIPAA Privacy Rule identifies what data must be protected, the Security Rule defines how to ensure its confidentiality, integrity, and availability. In doing this, the Rule requires applying all necessary administrative, physical, and technical safeguards. It is important to note that the Security Rule is applied to PHI that is created, received, maintained, or transmitted electronically (e-PHI) while not covering its oral or written forms. To comply with the Security Rule, all covered entities and business associates must ensure the security of e-PHI; detect and safeguard against the information security threats; protect against impermissible PHI transactions; as well as to evaluate and maintain their compliance on an ongoing basis. Addressing these objectives also requires relying on professional ethics when considering requests for the permissive uses and disclosures of PHI. 

The Omnibus Final Rule

For the almost 18 years of HIPAA safeguarding individual’s health information, a variety of new threats arose. So, to strengthen the HIPAA and make it able to maintain the security landscape of the XXI century, The Omnibus Final Rule was adopted in 2013. The Rule has made important modifications to HIPAA Rules in four main directions:

  • First of all, the Final Rule strengthened the privacy and security protections of PHI. In particular, it directly requested business associates to maintain compliance with HIPAA; expanded individuals’ rights to receive electronic copies of their health information; changed the requirements to facilitate research and disclosure of child immunization proof to schools.
  • The increased civil money penalty structure for HIPAA violations was the second major change.
  • The Final Rule also replaced the breach notification rule’s ‘‘harm’’ threshold with a more objective standard and clearly defined what is, actually, “harm” in regards to PHI.
  • Finally, it modified the HIPAA Privacy Rule as pertains to the Genetic Information Nondiscrimination Act (GINA) of 2008. Applying GINA within the HIPAA privacy Rule prohibited most covered entities from using or disclosing genetic information that includes data about race and ethnicity.

As such, the Omnibus Final Rule contributed to HIPAA modernization and strengthened it with the provisions to address the most acute data security risks. 

The HIPAA Enforcement Rule

The HIPAA Enforcement Rule contains provisions to investigate the HIPAA violation cases as well as governs the process and grounds for establishing fines. It also identifies and governs the procedures for hearings and appeals where the covered entity challenges a violation determination. The fine implementation procedure is coordinated by the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted in 2009. Thus, HITECH adoption strengthened HIPAA by implementing steeper fines for non-compliance and stricter Breach Notification requirements.

Fines for the HIPAA violation are applied by the OCR depending on the level of negligence, the number of records potentially exposed, and the risk posed by the unauthorized disclosure. According to the HITECH penalty scheme, the amount of fines varies as follows:

  • violations in which the covered entity did not know and would not have known that the covered entity violated a provision result in a fine between $100 – $50,000; 
  • $1,000 – $50,000 must pay those who not willfully allow a violation to happen due to reasonable cause and not to willful neglect; 
  • the violation happened due to willful neglect and was not timely corrected will attract a fine of no less than $50,000 for each violation; 
  • Finally, a violation that occurred due to willful neglect and is not corrected within thirty days will attract the maximum fine of $50,000.

Thus, the HIPAA enforcement policy makes covered entities and business associates think twice before neglecting the compliance requirements. 

Exceptions to HIPAA Rules 

To support the efficient administration of COVID-19 vaccines, OCR was induced to make some exceptions from the HIPAA rules. It announced that penalties for violations of the HIPAA Rules will not be imposed in cases of the use of online applications for scheduling individual appointments regarding COVID-19 vaccinations. However, it also noted that although OCR is exercising enforcement discretion, it still encourages using reasonable safeguards to protect the privacy and security of PHI such as using encryption technology and enabling all available privacy settings.

US Healthcare Industry Compliance with HIPAA

In 2016 and 2017, the OCR and the Department of HHS conducted audits on the health care industry’s compliance with HIPAA. The audit report, issued at the end of 2020, reviewed 166 covered entities and 41 business associates for compliance with certain provisions of the HIPAA Rules based on five main criteria. The audit’s findings showed that only 2% of covered entities fully met the HIPAA requirements, while 65% failed or made minimal efforts to comply. OCR concluded that most covered entities only maintain the timeliness requirements for providing breach notification and post their notice of privacy practices online. The report also reveals that most covered entities failed to provide the required content while posting their policies; failed to implement the individual’s right of access information; and unable to address the HIPAA Security Rule requirements for risk analysis and management. 

To assist covered entities and business associates in achieving HIPAA compliance, HHS offers many tools including the HHS Security Risk Assessment Tool and OCR’s Guidance on Risk Analysis Requirements. Planet 9 also provides support on the way to HIPAA compliance. For more details, please, see our assessment application. 

Cases Currently Under Investigation

According to the UA Department of Health and Human Services, there are more than 550 active investigation cases as of 2020 – 2021. The most frequent type of data breach is hacking and IT incidents (68,5% or 380 cases out of 550). The main locations where data breaches occurred were servers and emails (36,6 % and 39% respectively). The main covered entity type was healthcare provider and  212 cases occurred with the involvement of Business Associates. 

 

In 2018, one of the largest data breaches in US history occurred –  Anthem Inc. was exposed to a series of cyberattacks between December 2014 and January 2015. The data breach affected 79 million people and resulted in a $16 million settlement. According to OCR Director: “the largest health data breach in U.S. history fully merits the largest HIPAA settlement in history”.  The incident happened because Anthem Inc. did not conduct appropriate risk analysis, had insufficient procedures to review the activity of its information system, was unable to identify and respond to security incidents, and did not have adequate access controls to prevent cyberattacks. Such a serious data breach did not work in the company’s favor; however, it provided a good lesson to the entire industry regarding the importance of all HIPAA compliance. Now Anthem Inc. is expected to conduct the corrective actions and make every endeavor to let such an incident happen never again.   

To avoid such painful reputation and financial damages, all covered entities and business associates must comply with HIPAA regulatory rules. HIPAA compliance must be seen not only as a necessary operating requirement but also as a corporate culture that healthcare organizations must maintain and spread to protect the privacy and security of PHI. 

 

To help organizations comply with HIPAA, Planet 9 developed HIPAA Vitals, a free HIPAA compliance assessment application. 

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646

 

Leave a Reply