Established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) aims to protect the privacy and security of sensitive health information.
More than in any other industry, compliance is vital for healthcare organizations. Collecting and processing protected health information (PHI), including personal and medical data, is necessary to provide patients with the best care options. However, the consequences of a breach of PHI can be devastating. Not only can it lead to reputational damage, financial loss, and legal liability, but breaches have also resulted in harm to patients.
The HIPAA Security Rule protects a subset of information covered by the HIPAA Privacy Rule. Essentially, it focuses on what organizations need to do to protect electronic protected health information (e-PHI).
The Security Rule doesn’t dictate which security measures are used, as long as they are effective. However, it does require three standards of implementation, also known as safeguards:
Administrative: A risk analysis is required to determine what security measures are needed for your organization. This should be an ongoing process.
Physical: This refers to the security of the offices where e-PHI may be stored. The security measures must include facility access and control measures and workstation and device security.
According to the 2022 SonicWall Cyber Threat Report, healthcare saw its large spike in malware continue in 2021, rising 121%. The largest jump in IoT malware attacks also belonged to healthcare, which saw a 71% year-over-year increase.
To illustrate how serious the impact of malware can be, it is worth looking at some breaches from the last few years that could have been prevented by following the HIPAA rules and safeguards.
In May 2021, more than 205,000 patients of RMCHCS were notified of an attempted data extortion that forced the hospital into electronic health record (EHR) downtime. RMCHCS fell victim to an attack launched by Conti, a ransomware hacking group that actively targeted the healthcare industry throughout 2020.
It was later determined that Conti actors exfiltrated data, including social security numbers, passports, and patients’ protected health information (PHI), from the system for approximately two weeks, from January 21 to February 5. RMCHCS reported that it notified law enforcement immediately, but it didn’t start sending out notices to patients until the end of April, which is cause for concern.
The fact that this was a ransomware attack points to a clear lack of technical safeguards and regular risk assessments. While RMCHCS did notify patients of the breach, the lack of timeliness further compromised the patients’ personal security and the integrity of the e-PHI. Patients should have been notified promptly so they could close or alter their charts, update online portal or banking information, or request a new passport.
OneTouchPoint, a Hartland, Wisconsin mailing and printing vendor, fell victim to a ransomware attack on April 28, 2022. Over 2.6 million individuals across at least 34 organizations were impacted by the breach.
It was discovered that OneTouchPoint’s servers had been compromised just one day earlier, leaving sensitive data at risk. Over six weeks later, OneTouchPoint disclosed that the affected files contained customer data alongside sensitive information about current and former employees. This included names and addresses of customers and employees, subscriber and healthcare member IDs, and the diagnoses and medications of clients. As a result, many of OneTouchPoint’s customers have offered credit monitoring and identity theft protection services to their members at their own cost.
At least one class action lawsuit has been filed against OneTouchPoint over the data breach.
As part of a greater effort to support HIPAA compliance within the cybersecurity space, the Office for Civil Rights (OCR) aligned HIPAA with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Because NIST is one of the most widely recognized standards in the industry, organizations that are already NIST compliant will find it easier to become HIPAA compliant.
To ensure that high standards and awareness are maintained, many businesses provide HIPAA compliance training and credentials. Many consultancies offer such training, and the OCR itself provides different training modules to accommodate the wide range of entities that must comply with HIPAA.
The following best practices can help you achieve compliance:
The HIPAA Privacy Rule dictates how PHI can be used and disclosed in the healthcare sector. An overview of the rule gives you insight into patients' rights, including the right to access their medical records and to request corrections.
The HIPAA Security Rule provides you with the technical, physical, and administrative safeguards needed to protect customer PHI.
The HIPAA Breach Notification Rule requires that patients, the media, and the US Department of Health and Human Services (HHS) be notified if a data breach occurs.
Conducting a risk assessment involves identifying all the PHI your organization collects, processes, and stores. Your risk assessment should also identify the vulnerabilities in your organization that could put PHI at risk. This includes known internal or external cyber threats, theft or loss of physical devices, and your organization’s likelihood of an attack based on your Cyber Risk Index.
Based on your risk assessment results, develop and implement policies and procedures that address each risk identified. This includes areas such as access control, data backup and recovery, incident response, and security awareness training for employees. Review and update these policies and procedures regularly to ensure they remain relevant.
Ensure your employees are kept up to date on your organization's policies and procedures. All employees who handle PHI must know how to safeguard it and understand the consequences of non-compliance. Regular security awareness training is necessary to keep employees current with the latest threats and familiar with best practices for protecting PHI.
Frequently review your organization's security measures, undergo penetration testing, and carry out vulnerability assessments. This will keep you and your teams up to speed on emerging risks and threats to PHI and on how to properly handle a breach. Regular auditing is key to staying compliant and prepared.