The digital revolution has taken the healthcare industry to a new height through advanced clinical support systems, EHRs and EMRs, mHealth apps and medical wearables, telehealth platforms, and much more. But as healthcare becomes more and more digitized, data leaks and breaches have become a common phenomenon, with a healthcare data breach now costing 7.1 million dollars on average.
To protect sensitive medical data, different standards are in place that vary from country to country. In today’s interview, we are taking a dive into one of the most well-known and well-established standards called HIPAA. There are a lot of official resources covering the standard in detail, so we are going to focus on the most important questions regarding HIPAA to dot all the i’s.
What is HIPAA?
On August 21, 1996, Bill Clinton signed into law the Health Insurance Portability and Accountability Act (HIPAA) with the purpose of guaranteeing the security and confidentiality of patients’ medical records and data. Under this law, HHS (the U.S. Department of Health and Human Services) provided rules for implementing requirements regarding the confidentiality, security, and electronic exchange of medical information.
The central principle of this law is to ensure that healthcare providers and their partners take every necessary step to protect patients’ confidential medical data, labeled as protected health information (PHI).
So, what exactly falls under the umbrella term of PHI?
Since the entire law hinges on this concept, it’s vital to fully grasp its meaning. According to HIPAA, PHI includes health information that can be used to identify a person. When talking about PHI, people usually think of such health information as demographic data, medical history, lab results, etc.
In reality, PHI covers a broader spectrum of data, also including insurance and payment information. For example, if a bill contains specific procedural diagnostic codes that can be tied to a particular patient, it falls under protected medical information. Thus, disclosing this information without the proper consent is a punishable violation under HIPAA. Here’s another illustration: even a photograph of a patient in a healthcare facility’s waiting room is considered protected information because it links the patient to the activities of that facility.
What are the main rules of HIPAA?
HIPAA is composed of five major rules:
- Privacy Rule sets the boundaries on how PHI can be used and disclosed.
- Security Rule prescribes technical, physical and administrative safeguards that must be implemented to protect PHI.
- Transactions and Code Sets Rule is designed to standardize electronic data exchange transactions.
- Unique Identifiers Rule prescribes the use of standardized codes for the identification of healthcare institutions, staff, and patients.
- Enforcement Rule outlines actions that must be taken if a data breach occurs.
As a provider of custom healthcare solutions, we are mostly concerned with the HIPAA Security Rule and what it means for software development. The most critical thing to grasp about the HIPAA Security Rule is that it is designed to protect personal health information, whether it’s in electronic, written, or spoken form. Another key goal of this rule is to uncover and prevent situations where an organization could misuse or reveal an individual’s data.
That said, organizations must follow the minimum necessary principle. This means they should put forth every effort to use, share, or disclose only the least amount of medical information required for a specific purpose. In some situations, organizations are not permitted to reveal, transmit, or request full medical history.
It’s also worth noting that the HIPAA Security Rule overrides state laws only if the state’s regulations don’t offer a higher level of protection for sensitive medical data. Otherwise, the state law still applies.
Who must comply with HIPAA?
Well, first and foremost, HIPAA applies to covered entities — healthcare service providers, hospitals, healthcare institutions, and insurance companies directly involved with patient data.
Another category comprises business associates, which are service providers responsible for managing electronic PHI on a covered entity’s behalf. Furthermore, subcontractors working with business associates, who also handle ePHI, are obliged to comply with these regulations.
The last category is the workforce, which covers all personnel and volunteers affiliated with a covered entity or business associate, that is, individuals under the organization’s direct control, regardless of whether they are paid or not.
In essence, any and all players in the healthcare system dealing with medical data are expected to adhere to these regulations.
The next logical question is, how does HIPAA affect the providers of IT services?
Since IT service providers essentially function as subcontractors for their healthcare industry clients, they are typically considered business associates, hence HIPAA regulations extend to them as well. Moreover, HIPAA mandates that covered organizations collaborate exclusively with business associates who are able to ensure the confidentiality and security of health data.
To formalize these assurances, a Business Associate Agreement (BAA) is signed specifying the responsibilities of both parties for ensuring the security of medical information during its transmission. Such an agreement describes what PHI a business associate will have access to and the security measures that need to be put in place to protect it. The BAA should also define employee training requirements and outline the procedures to follow should a data breach occur, as well as the conditions for terminating the agreement.
It’s important to note that IT service providers must also sign similar partnership agreements before using any external software or products. For example, if a third-party server is used to transmit or store PHI, that server must also adhere to HIPAA requirements. In addition, HIPAA stipulates that any server aiming to be HIPAA-compliant must go beyond merely securing electronic medical data. It should also offer features like generating comprehensive risk assessment reports, enabling user activity tracking, encrypting data in transit, preventing unauthorized file changes or deletions, and outlining procedures for emergency access.
HIPAA is also known for its hefty violation fines. How serious are they?
Indeed, HIPAA breaches can result in significant penalties and the U.S. Office for Civil Rights is responsible for ensuring HIPAA compliance. Penalties vary: individual violations can incur fines in the range between $100 and $50,000, and there is an upper limit of $1.5 million per calendar year for violations.
According to the official HIPAA journal, the most common violations stem from:
- failing to carry out a comprehensive risk analysis;
- incorrectly disclosing protected medical information;
- failing to provide prompt notifications in cases of data leaks;
- neglecting to encrypt patients’ medical information;
- not securing a business associate agreement compliant with HIPAA.
These penalties come in four tiers, depending on the seriousness of the conduct.
Tier 1: This tier deals with breaches that happened when a covered entity had no prior knowledge of the breach and couldn’t have reasonably avoided it.
Tier 2: This tier is about breaches that a covered entity should have known about, but even with a reasonable degree of caution, they could not have prevented them.
Tier 3: At this level, a violation occurs due to a deliberate disregard of HIPAA rules but is promptly rectified within 30 days of its discovery.
Tier 4: This level encompasses breaches arising from willful neglect, without any attempts to address them within the 30-day timeframe.
So far, we have been talking about a company’s liability, but HIPAA legislation also prescribes civil liability, and in some cases individuals who breach HIPAA rules can be criminally charged. The most severe criminal penalty can result in up to 10 years in prison if the person knowingly intended to commit the violation.
Wrapping up
In today’s digital age, the importance of reliable health information protection can’t be overstated, and HIPAA aims to protect patients’ sensitive health data by setting stringent standards and rules. And although HIPAA does not dictate any specific means of protection, it outlines the extent and conditions under which this data should be stored, transmitted, and processed. The choice of security and confidentiality measures is ultimately left to the discretion of the contractor or the company handling medical data.
With dozens of successful healthcare projects under their belt, Elinext’s engineers have hands-on experience in delivering highly secure, HIPAA-compliant solutions. From end-to-end encryption to role-based access control to data anonymization and pseudonymization, our engineers leverage cutting-edge technology and best practices to ensure robust protection of health data.