HIPAA: It’s not as black and white as you first thought
2016 was a record-breaking year for healthcare data breaches affecting 500 individuals or more, with the Office for Civil Rights (OCR) reporting a 22% increase year-on-year. Compared with five years ago, this increase is more significant still at 66%. It’s too early to tell whether 2017 will be better or worse for data breaches, but it remains a fact that HIPAA compliance issues will always be high on healthcare organizations’ agendas — regardless of size or stature.
With OCR’s phase 2 audits currently in full swing, there’s no better time for healthcare professionals to reassess their organization’s HIPAA policies in accordance with its privacy and security rules. Maintaining a HIPAA compliant organization is a challenge at the best of times — particularly with the rapid growth of mobile and BYOD in recent years — but as the following points demonstrate, there’s more to HIPAA than meets the eye.
1. HIPAA goes beyond the healthcare industry
HIPAA’s definition of a covered entity is somewhat ambiguous and therefore open to misinterpretation. It’s often assumed the rules only apply to businesses that directly provide health services — such as hospitals, physician practices, clearinghouses etc. — when in reality, many other industries are affected too.
Complications are likely to arise if an organization believes it doesn’t need to concern itself with HIPAA compliance, as illustrated in the 2015 Verizon Protected Health Information Data Breach Report. It linked around 20 different industries to a protected health information (PHI) data breach, including manufacturing, retail and education.
2. Business Associates and conduit exception rule
Any organization or individual that creates, receives, maintains or transmits PHI on behalf of its service delivery to a covered entity is classed as a Business Associate (BA). Covered entities should have a Business Associate Agreement (BAA) in place with each of their BAs, and if a BA uses subcontractors for their services, a BAA should be executed with them, too.
Complications emerge when a BA claims to be a “conduit for information”, citing the conduit exception rule, to get out of signing a BAA. It’s vital covered entities understand the conduit exception rule only applies to a few organizations, such as the United States Postal Service, internet service providers (ISPs) and couriers. If any organization that creates, receives, maintains or stores PHI won’t sign a BAA, questions should be asked about their commitments to HIPAA compliance.
3. When PHI isn’t PHI
In a process known as de-identification, health information that has particular identifiers removed in accordance with Section 164.514(a) of the HIPAA Privacy Rule is no longer classed as PHI and can therefore be made publicly available. The National Center of Health Statistics is one such example of a data source that publishes de-identified health information.
Complete de-identification of PHI is a mammoth task to carry out. Any organization that wishes to make health information publicly available should appoint an expert to manage the process for them, as getting it wrong would likely have grave consequences. Even if managed properly, there is an overarching risk the data in question could be found to link back to the individual it relates to.
4. Addressable isn’t the same as optional
To help ensure the confidentiality of patient information and prevent a data breach, HIPAA outlines physical, administrative and technical safeguards. The technical safeguards are broken down into six standards focused on the technology that protects and controls access to PHI. Under these six standards, there are nine key areas organizations are required to implement.
However, these standards are split into two categories: “required” and “addressable”. Any covered entity or BA that doesn’t pay attention to the addressable standards is opening itself up to fines for noncompliance and an increased risk of breaches. To confirm, addressable doesn’t mean optional.
5. HIPAA penalties
Failure to comply with HIPAA can result in both civil and criminal penalties. Civil penalties are monetary, varying from $100 to $1.5 million, and enforced by OCR. Criminal penalties can result in imprisonment for 10 years or more, as enforced by the U.S. Department of Justice.
With laws differing from state to state, there’s often confusion around the criminal charges, fines and prison sentences an individual might be up against for noncompliance. These discrepancies are heightened by the fact that some, but not all, state and federal laws allow individuals to sue in court for privacy violations, which can lead to additional fines or damages awards.
For covered entities and their BAs, particularly those who operate across multiple states, understanding the rules of HIPAA is just the tip of the iceberg. The consequences of noncompliance that lie below this surface can be crippling.
6. Digital and electronic signatures
An electronic signature is the action of signing electronically during a digital transaction, while a digital signature is the underlying technology that helps verify the authenticity of the transaction.
Used correctly, the security benefits of these technologies can help organizations to maintain compliance with the Security Rule through:
- protecting the integrity of messages throughout their entire lifecycle, through digital encryption
- providing user authentication, helping to ensure sensitive information doesn’t end up in the wrong hands, and
- ensuring non-repudiation (assurances that a person who signs something cannot later deny that they furnished the signature) by providing digital audit trails.
However, OCR offers very little guidance on the topic of digital and electronic signatures and their use certainly doesn’t ensure HIPAA compliance. Organizations should assess every situation with caution, and use digital signatures as an additional security measure where appropriate.
By Gene Fry
Originally Published May 23, 2017
Healthcare Business & Technology