Introduction to the HIPAA Act
On 21 August 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, landmark legislation that introduced comprehensive changes in the healthcare industry. The original 1996 HIPAA Act is supplemented by the following Rules:
- The Privacy Rule, which defined what Protected Health Information (PHI) is and provided guidance for safekeeping PHI while in storage.
- The Security Rule, which sets standards for protecting the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) while at rest or in motion.
- The Enforcement Rule, which gave the Department of Health and Human Services (HHS) the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI due to not following the safeguards established by the Security Rule.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act, whose goal was to compel healthcare authorities to implement the use of Electronic Health Records (EHRs) and to maintain the patients’ PHI in electronic format (ePHI), instead of using paper files.
- The Breach Notification Rule, which stipulated that all breaches of unsecured PHI must be reported to the affected individuals, to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and, in some instances, to the media.
- The Final Omnibus Rule, which filled gaps in existing HIPAA and HITECH regulations – for example, specifying the encryption standards that need to be applied in order to render ePHI unusable, undecipherable and unreadable in the event of a breach.
What is Protected Health Information?
HIPAA defines PHI as “any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.”
PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. PHI ceases to be PHI once it is stripped of every identifier that can tie the information to an individual; health information with all such identifiers removed is referred to as de-identified PHI, and the HIPAA rules no longer apply to it.
The Need for Safeguarding PHI
As the healthcare industry has moved from physical records to electronic ones, the risk of data being accessed or viewed by unauthorized entities has increased significantly. In fact, malicious actors are targeting health data due to the increased black-market value of stolen medical records and PHI.
The vast majority of ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unsecured ePHI across open networks. Password protection of these devices – and the data they contain – is a reasonable step to prevent unauthorized access, but that method alone may prove to be insufficient in protecting health data. Unfortunately, passwords, especially those that are short or non-complex in nature, can easily be cracked by hackers and do not provide a high level of security. Breaches of this sort are easily avoidable if all ePHI is encrypted.
The HIPAA Security Rule
The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule instituted three categories of safeguards – administrative, physical and technical – that must be followed in order to achieve full compliance with HIPAA. The safeguards have the following goals:
- Administrative: to create policies and procedures designed to clearly show how the entity will comply with the act.
- Physical: to control physical access to areas of data storage and protect against inappropriate access.
- Technical: to protect PHI when transmitted electronically over communications networks.
Technical Safeguards for ePHI
The Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Specifically, covered entities and business associates must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures of the information; and
- Ensure compliance by their workforce.
The Security Rule outlines technical safeguards as security measures that encompass access control, audit controls, integrity controls, and transmission security of ePHI. These technical safeguards, which are described in greater detail below, apply to all forms of ePHI and address not only the technology, but also related policies and procedures that protect ePHI and define controls.
The Security Rule requires a covered entity or business associate to comply with the technical safeguard standards, but it does not specify the exact procedures entities must use to protect ePHI. There is some flexibility as to which security measures can be implemented to protect data, but HIPAA’s Security Rule has a few specific requirements for some types of implemented technology. Entities need to be aware of the following safeguards:
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access ePHI. Access control procedures include requirements for unique user identification, access to ePHI during an emergency, termination of an electronic session after a predetermined time of inactivity, and mechanisms to encrypt and decrypt ePHI.
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
Person or Entity Authentication. A covered entity must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network, such as the use of encryption that renders ePHI “unreadable, undecipherable or unusable” so any “acquired healthcare or payment information is of no use to an unauthorized third party”.
Data Encryption Requirements
The HIPAA Security Rule calls for covered entities and their business associates to implement technical safeguards to protect all ePHI, whether stored or transmitted. Specifically, the Security Rule states that ePHI is “rendered unusable, unreadable, or indecipherable to unauthorized individuals” if it has been encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304, definition of Encryption) and the confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
HIPAA suggests that covered entities and their business associates follow the policies and practices tested and promulgated by NIST both when ePHI is in transit and at rest:
“Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.”
“Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; SP 800-77, Guide to IPsec VPNs; or SP 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.”
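The technical safeguards listed above (access control with unique user identification, audit controls, integrity controls) and the encryption requirement just quoted (ePHI unreadable without a key that is kept apart from the data) fit together in one small design. The following Go program is an added illustration written for this page, not code from HIPAA, NIST or ITEGRITI: a record store that keeps only AES-256-GCM ciphertext, fetches its key from a separate key store (a plain map here, standing in for an HSM or KMS), admits only users on an allow-list, and writes an audit entry for every access, refusal and integrity failure. The GCM authentication tag supplies the integrity control, and the patient ID is bound in as additional authenticated data so a ciphertext moved to another record is rejected. The key ID, user names, patient IDs and the sample ePHI string are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// EncryptedRecord is ePHI at rest: nonce plus AES-GCM ciphertext, which carries
// its 16-byte authentication tag. Neither plaintext nor key is stored with it.
type EncryptedRecord struct {
	Nonce, Ciphertext []byte
}

// AuditEvent is one entry of the trail the audit-controls standard calls for;
// Outcome is "ok", "denied" or "integrity-failure".
type AuditEvent struct {
	Time                               time.Time
	UserID, PatientID, Action, Outcome string
}

// Vault holds ciphertext, an allow-list of uniquely identified users (access
// control) and the audit trail. Its key comes from a key store held apart from
// Records, standing in for the separate device or location (HSM, KMS) the rule expects.
type Vault struct {
	gcm        cipher.AEAD
	authorized map[string]bool
	Records    map[string]*EncryptedRecord
	Audit      []AuditEvent
}

// NewVault fetches keyID from keyStore, builds AES-256-GCM and registers the
// users permitted to handle ePHI; a missing or wrong-sized key is rejected.
func NewVault(keyStore map[string][]byte, keyID string, users ...string) (*Vault, error) {
	block, err := aes.NewCipher(keyStore[keyID])
	if err != nil {
		return nil, fmt.Errorf("key %q unusable: %w", keyID, err)
	}
	gcm, _ := cipher.NewGCM(block) // AES's 16-byte block size is always accepted
	v := &Vault{gcm: gcm, authorized: map[string]bool{}, Records: map[string]*EncryptedRecord{}}
	for _, u := range users {
		v.authorized[u] = true
	}
	return v, nil
}

func (v *Vault) log(user, patient, action, outcome string) {
	v.Audit = append(v.Audit, AuditEvent{time.Now(), user, patient, action, outcome})
}

// Store encrypts ePHI under a fresh random nonce, binding patientID in as
// additional authenticated data so a ciphertext copied to another record fails to open.
func (v *Vault) Store(user, patientID string, plaintext []byte) error {
	if !v.authorized[user] {
		v.log(user, patientID, "store", "denied")
		return errors.New("access denied")
	}
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.gcm.Seal(nil, nonce, plaintext, []byte(patientID))
	v.Records[patientID] = &EncryptedRecord{Nonce: nonce, Ciphertext: ct}
	v.log(user, patientID, "store", "ok")
	return nil
}

// Read decrypts and verifies the GCM tag; any change to nonce, ciphertext or
// patient binding is refused and logged as an integrity failure.
func (v *Vault) Read(user, patientID string) ([]byte, error) {
	if !v.authorized[user] {
		v.log(user, patientID, "read", "denied")
		return nil, errors.New("access denied")
	}
	rec := v.Records[patientID]
	if rec == nil {
		return nil, errors.New("no such record")
	}
	pt, err := v.gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(patientID))
	if err != nil {
		v.log(user, patientID, "read", "integrity-failure")
		return nil, fmt.Errorf("record %s failed integrity check: %w", patientID, err)
	}
	v.log(user, patientID, "read", "ok")
	return pt, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // demo key; it lives only in the key store map, never beside Records
	v, _ := NewVault(map[string][]byte{"ephi-key-1": key}, "ephi-key-1", "dr.smith") // hypothetical IDs
	_ = v.Store("dr.smith", "PT-0001", []byte("A1C 7.2%, metformin 500mg")) // constructed sample ePHI
	v.Records["PT-0001"].Ciphertext[0] ^= 1 // a corrupted byte in storage
	_, err := v.Read("dr.smith", "PT-0001")
	fmt.Println(err, v.Audit)
}
```

A copy of `Records` taken without the key store is unreadable, which is the condition the quoted definition attaches to "unusable, unreadable, or indecipherable". The audit slice is what an OCR investigation would ask for: who touched which record, when, and whether the attempt was refused. A production system would replace the map with a managed key service, add the session-timeout requirement of the access-control standard, and ship the audit entries to tamper-evident storage.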
In addition to the aforementioned publications, NIST has published the following guidance aimed at securing ePHI:
NIST SP 1800-1, Securing Electronic Health Records on Mobile Devices: This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design that can be tailored and implemented by healthcare organizations of varying sizes and information technology (IT) sophistication. Specifically, the guide shows how healthcare providers, using open-source and commercially available tools and technologies that are consistent with cybersecurity standards, can more securely share patient information among caregivers who are using mobile devices.
NISTIR 8053, De-Identification of Personal Information: De-identification removes identifying information from a dataset so that individual data cannot be linked with specific individuals. De-identification can reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing information. De-identification thus attempts to balance the contradictory goals of using and sharing personal information while protecting privacy. The process of de-identification, as it pertains to PHI, is described in the HIPAA Privacy Rule. It should be noted that once information has been de-identified, it is no longer considered to be PHI.
So far in 2019, approximately 38 million healthcare records were exposed due to security breaches. What’s more, 2018 ended up being a record year for HIPAA enforcement, with fines and settlements totaling $28,683,400. The proliferation of the Internet of Medical Things (IoMT) and the digital transformation of the healthcare sector have increased the attack surface. Because PHI can be such a lucrative target for malicious actors, healthcare organizations must take proactive steps to protect this information by establishing HIPAA-compliant policies and procedures and implementing the proper technical safeguards. It’s important to remember that employing security measures, such as encryption protocols and access management controls, not only lessens the likelihood of an ePHI breach but may also mitigate the consequences of an OCR investigation if a breach materializes. Learn how ITEGRITI can help your company become HIPAA compliant.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of ITEGRITI, Inc.