Health Insurance Portability (HIPAA) Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. It has gained notoriety for establishing regulatory standards around patient data security and privacy. Just recently, however, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) significantly has ramped its HIPAA audit program, with an increased focus on risk assessments.
43%
of all breaches involved medical/health care records in 2013 (Identity Theft Resource Center)
90%
of health care organizations experienced a data breach in the past two years (Ponemon Institute)
29 MILLION
number of people affected by health care breaches since 2009 (U.S. H.H.S.)
Overview:
Any organization maintaining or transmitting electronic protected health information, known commonly as ePHI, must comply with HIPAA. This includes business associates, which are contractors and subcontractors that perform services on behalf of a health insurance provider. ePHI is defined as "identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual."
HIPAA features three components related to data protection: the Security Rule, the Privacy Rule and the Breach Notification Rule. Each one is encompassed by the overarching Omnibus Rule, which took effect in 2013 and ushers in enforcement of business associates for the first time. The requirements of the Omnibus Rule were mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009 as part of the economic stimulus bill.
While the move from paper records to electronic records within medical and health care organizations vastly improves the patient experience, the risk to security and privacy increases. Breaches - whether they are caused by theft, unauthorized access, human error or external attacks - are rising year over year within the medical and health care industries, according to the Identity Theft Resource Center, which tracks reports of data-loss incidents.
Security Rule
This rule dictates the administrative, physical, technical controls necessary to secure electronic protected health information (ePHI), whether it is created, maintained, stored or in transit. Among the requirements: Covered entities and business associates must conduct risk assessments and prevent against unauthorized access.
Privacy Rule
This rule institutes safeguards for the control of personal health information, no matter its format: oral, written or electronic. Broadly, it sets limits for the disclosure of patient information without their consent and spells out the rights patients have over their data.
Breach Notification Rule
This rule orders HIPAA-covered entities and their business associates, in the event of a data breach involving ePHI, to notify affected individuals, the secretary of the U.S. Health & Human Services Department (HHS) and, in some cases, prominent media outlets – unless they can prove there is a low risk of compromise based on a risk assessment.
Consequences:
The Office of Civil rights (OCR), within HHS, has received more than 85,000 HIPAA-related complaints since 2003. More than 30,000 of those have warranted an investigation, some 66 percent of which resulted in corrective action being required. And that number is certain to rise. A newly released electronic complaint portal is expected to nearly double the number of legitimate complaints from around 10,000 per year to about 18,000.
In 2012, the OCR launched the Audit Pilot Program, with the initial round consisting of 115 audits of health care providers, health plans and health care clearinghouses – collectively meant to represent a broad sampling of the industry. Going forward, however, every covered entity or business associate is eligible for an audit.
OCR investigations may result in penalties, which greatly vary and are determined by the date of the violation, whether the covered entity knew, or should have known, about the violation and whether the violation was due to willful neglect.
| Civil Penalties | |
|---|---|
| Before Feb. 18, 2009 | After Feb. 18, 2009 |
| Up to $100 per Violation | $100 to $50,000 or more per Violation |
| $25,000 Annual Cap | $1,500,000 Annual Cap |
| Criminal Penalties | |
|---|---|
| Willful Violation | Up to $50,000 and 1 Year Prison |
| Violation Involving False Pretense | $100,000 and Up to 5 Years |
| Intent to sell, transfer or use individually health information for commercial advantage, personal gain or malicious harm | Up to $250,00 and Up to 10 Years |
The OCR may choose to reduce a penalty if the failure to comply is due to a reasonable cause and/or the penalty would be excessive given the nature and extent of non-compliance. A penalty will not be imposed if:
- Failure to comply was not due to willful neglect and was corrected during a 30-day period after the entity knew, or should have known, about the violation.
- The U.S. Department of Justice already imposed a criminal penalty for the failure to comply.
Solutions:
Trustwave provides a comprehensive portfolio that can help organizations of any size respond to HIPAA regulations. We are ideally suited to help support a compliance program centered on the administrative, physical and technical requirements of HIPAA.
Plan and Prepare
Conducting a HIPAA Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. Trustwave helps you find gaps that may exist between your current security posture and HIPAA requirements. The customizable assessments, scaled individually for covered entities and business associates, include identification of key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.
Address Gaps and Vulnerabilities
HIPAA requires covered entities and their business associations to deploy technical controls to prepare for audits and protect sensitive ePHI, whether it is being stored or transmitted. Some of the ways we can help you include:
Urgent Care Solutions Bundle
A comprehensive solution addressing both HIPAA / HITECH and PCI compliance specifically tailored for Urgent Care facilities and operators.
Data Loss Prevention
Allows you to discover and classify sensitive data and prevent it from leaving the network.
Secure Web Gateway
Enables safe and productive access to Web 2.0 while ensuring compliance, minimizing data loss and eliminating malware risks
File Integrity Monitoring
Addresses the HIPAA Security Rule standard that specifically references “integrity” and states ePHI cannot be improperly altered or destroyed.
Network Access Control
Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.
Web Application Firewall
Protects web applications against external attackers who may use vulnerabilities, such as SQL injection, to steal patient information.
SIEM
Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.
Security Awareness Education
Instructs your employees and contractors to understand the threat of social engineering and follow best practices for security, including password management and the safe use of web and social media tools.
Penetration Testing
Identifies and manages potential vulnerabilities in your networks, applications or databases.
Automate and Manage
TrustKeeper Compliance Manager helps you to centrally automate and manage controls, policies and procedures across multiple compliance frameworks, including HIPAA. Compliance Manager is delivered through our cloud-based management portal TrustKeeper, which provides a real-time view into the status of your compliance and security programs and offers access to all of your managed services. Through one easy-to-use dashboard, you can submit support requests, see event history, run reports and manage your account at any time.
Documentation:
Download the Trustwave Health Care Technologies for HIPAA Data Sheet (PDF).