Revised and updated for 2021.
Introduction to the HIPAA Act
On 21 August 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, a landmark piece of legislation that introduced comprehensive changes in the healthcare industry. The original 1996 HIPAA Act is supplemented by the following Rules:
- The Privacy Rule defines Protected Health Information (PHI) and provides guidance for safeguarding PHI while in storage.
- The Security Rule mandates standards for protecting the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) while at rest or in motion.
- The Enforcement Rule gives the Department of Health and Human Services (HHS) the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI caused by a failure to implement the safeguards established by the Security Rule.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act compels healthcare authorities to use Electronic Health Records (EHRs) and to maintain the patients’ PHI in electronic format (ePHI), instead of using paper files.
- The Breach Notification Rule dictates that all breaches of unsecured PHI must be reported to the affected individuals, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), and, in some instances, the media.
- The Final Omnibus Rule fills gaps in existing HIPAA and HITECH regulations – for example, specifying the encryption standards that need to be applied in order to render ePHI unusable, undecipherable and unreadable in the event of a breach.
What is Protected Health Information?
HIPAA defines PHI as “any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.”
PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. Health information ceases to be PHI if it is stripped of all identifiers that can tie the information to an individual. Once those identifiers are removed, the health information is referred to as de-identified PHI, and HIPAA rules no longer apply to it.
The Need for Safeguarding PHI in the post-COVID-19 era
As the healthcare industry has moved from physical records to electronic ones, the risk of data being accessed or viewed by unauthorized entities has increased significantly. In fact, malicious actors are targeting health data due to the increased black-market value of stolen medical records and PHI.
The COVID-19 pandemic has created a new reality for the healthcare sector globally, testing its limits. Adding to the overwhelming situation it is currently facing, the sector has become a direct target of cybersecurity attacks. Malicious actors taking advantage of the COVID-19 pandemic have launched a series of phishing campaigns and ransomware attacks. The latest example in this series is the news of a spear-phishing campaign targeting the COVID-19 vaccine supply chain.
Hospitals and healthcare entities need to employ effective and efficient policies and practices, such as Identity and Access Management (IAM) controls, multi-factor authentication and strong encryption to ensure that ePHI is protected against malicious actors seeking to exploit emergencies.
The HIPAA Security Rule
The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule institutes three security safeguards – administrative, physical and technical – that must be followed to achieve full compliance with HIPAA. The objectives of the safeguards are the following:
- Administrative: to create policies and procedures designed to clearly show how the entity will comply with the act.
- Physical: to control physical access to areas of data storage and protect against inappropriate access.
- Technical: to protect PHI when transmitted electronically over communications networks.
Technical Safeguards for ePHI
The Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Specifically, covered entities and business associates must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures of the information; and
- Ensure compliance by their workforce.
The Security Rule outlines technical safeguards as security measures that encompass access control, audit controls, integrity controls, and transmission security of ePHI. These technical safeguards, which are described in greater detail below, apply to all forms of ePHI and address not only the technology but also related policies and procedures that protect ePHI and define controls.
The Security Rule requires a covered entity or business associate to comply with the technical safeguard standards, but it does not specify the exact procedures entities must use to protect ePHI. There is some flexibility as to which security measures can be implemented to protect data, but HIPAA’s Security Rule has a few specific requirements for some types of implemented technology. Entities need to be aware of the following safeguards:
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access ePHI. Access control procedures include requirements for unique user identification, access to ePHI during an emergency, termination of an electronic session after a predetermined time of inactivity, and mechanisms to encrypt and decrypt ePHI.
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
Person or Entity Authentication. A covered entity must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network, such as the use of encryption that renders ePHI “unreadable, undecipherable or unusable” so any “acquired healthcare or payment information is of no use to an unauthorized third party”.
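The Audit Controls and Integrity Controls above require that access to ePHI be recorded and that improper alteration be detectable. As an added example (not code from the original article or from any HIPAA guidance), the Python below keeps an access log for ePHI records as an HMAC hash chain: each entry's MAC covers the previous entry, so editing or deleting any past entry is caught by `verify_log`. The log key, user IDs, record IDs and timestamps are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Hypothetical log-signing key (constructed for this example). In a real
# deployment it would be held in an HSM or key-management service, separate
# from the log store, so that someone who can edit the log cannot re-sign it.
LOG_KEY = b"example-only-audit-log-key"
GENESIS_MAC = "0" * 64


def _entry_mac(prev_mac: str, payload: dict) -> str:
    # The MAC covers the previous entry's MAC as well as this payload, so
    # altering or deleting any earlier entry invalidates every later one.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_access_event(log: List[dict], ts: str, user_id: str,
                        record_id: str, action: str) -> dict:
    """Record who did what to which ePHI record; user_id is the unique user ID."""
    payload = {"ts": ts, "user_id": user_id, "record_id": record_id, "action": action}
    prev = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"payload": payload, "mac": _entry_mac(prev, payload)}
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Optional[int]:
    """Return the index of the first bad entry, or None if the whole chain is intact."""
    prev = GENESIS_MAC
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["mac"], _entry_mac(prev, entry["payload"])):
            return i
        prev = entry["mac"]
    return None


def demo() -> tuple:
    """Build a small log, then tamper with it; returns (before, after) verification."""
    log: List[dict] = []
    append_access_event(log, "2021-03-01T09:00:00Z", "nurse-0417", "MRN-000123", "view")
    append_access_event(log, "2021-03-01T09:05:00Z", "dr-0088", "MRN-000123", "update")
    append_access_event(log, "2021-03-01T09:30:00Z", "dr-0088", "MRN-000123", "view")
    intact = verify_log(log)
    # An insider rewrites history: the update is attributed to someone else.
    log[1]["payload"]["user_id"] = "nurse-0417"
    return intact, verify_log(log)
```

Because deleting an entry also breaks the chain for everything after it, the same check detects truncation of the log, not only edits.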
Data Encryption Requirements
The HIPAA Security Rule calls for covered entities and their business associates to implement technical safeguards to protect all ePHI, whether stored or transmitted. Specifically, the Security Rule states that ePHI is “rendered unusable, unreadable, or indecipherable to unauthorized individuals” if it has been encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304, definition of Encryption) and the confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
HIPAA suggests that covered entities and their business associates should follow the policies and practices tested and promulgated by NIST both when ePHI is in transit and at rest:
“Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.”
“Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; SP 800-77, Guide to IPsec VPNs; or SP 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.”
In addition to the above, NIST has published the following publications aimed at securing ePHI:
NIST SP 1800-1, Securing Electronic Health Records on Mobile Devices: This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design that can be tailored and implemented by healthcare organizations of varying sizes and information technology (IT) sophistication. Specifically, the guide shows how healthcare providers, using open-source and commercially available tools and technologies that are consistent with cybersecurity standards, can more securely share patient information among caregivers who are using mobile devices.
NISTIR 8053, De-Identification of Personal Information: De-identification removes identifying information from a dataset so that individual data cannot be linked with specific individuals. De-identification can reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing information. De-identification thus attempts to balance the contradictory goals of using and sharing personal information while protecting privacy. The process of de-identification, as it pertains to PHI, is described in the HIPAA Privacy Rule. It should be noted that once information has been de-identified, it is no longer considered to be PHI.
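As an added example (not from the original article, NISTIR 8053 or HHS), the Python below applies the Privacy Rule's Safe Harbor de-identification method (45 CFR 164.514(b)) to a patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits (or zeroed where the area is sparsely populated), and ages over 89 are pooled, with the birth date removed entirely so the year cannot reveal the age. The field names, the sparse-ZIP set and the sample record are assumptions constructed for the example.

```python
import re
from typing import Any, Dict

# Direct identifiers dropped outright. This is a subset of the 18 Safe Harbor
# identifier classes in 45 CFR 164.514(b), chosen for this example.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street", "ip_address"}
# Date fields directly related to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Three-digit ZIP prefixes whose population is under 20,000 must become 000.
# The real list comes from census data; this set is a constructed stand-in.
SPARSE_ZIP3 = {"036", "059", "102"}
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def deidentify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a Safe Harbor de-identified copy of a patient record."""
    # Ages over 89 are pooled into "90+", and the birth date, whose year
    # would reveal such an age, is removed entirely for those patients.
    over_89 = int(record.get("age", 0)) > 89
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            text = str(value)
            if key == "dob" and over_89:
                out[key] = "REDACTED"
            elif ISO_DATE.fullmatch(text):
                out[key] = text[:4]
            else:
                out[key] = "REDACTED"  # unparseable date: fail closed
        elif key == "zip":
            zip3 = str(value)[:3]
            out[key] = "000" if zip3 in SPARSE_ZIP3 else zip3
        elif key == "age":
            out[key] = "90+" if over_89 else int(value)
        else:
            out[key] = value  # clinical content (diagnosis codes, lab values) stays
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "ssn": "123-45-6789", "mrn": "MRN-000123",
    "dob": "1929-07-14", "age": 91, "zip": "10203", "state": "NY",
    "admit_date": "2021-02-03", "diagnosis": "J18.9", "hba1c": 6.1,
}
```

Safe Harbor also requires that the entity have no actual knowledge the remaining data could identify the individual, which no field-level filter can check on its own.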
The healthcare sector has long been a target of cybercriminals. But most recently, as all eyes focused on the coronavirus pandemic spanning the globe, threat actors took advantage of the overwhelmed healthcare system, targeting the technologies so heavily relied upon by healthcare systems and providers.
In just the first half of 2020, the Department of Health and Human Services saw a nearly 50% increase in the number of healthcare-related cybersecurity breaches, with 132 reported incidents that targeted network servers, desktop and laptop computers, email and electronic medical record (EMR) systems. Piling on, the rapid adoption and onboarding of telehealth vendors led to a significantly increased digital footprint and attack surface, leaving both provider and patient data at risk. It’s critical to understand the current threats facing the healthcare environment so you can protect your organization.
ITEGRITI helps protect some of the nation’s most critical infrastructure, serving clients in energy, healthcare, transportation, education, retail and financial sectors. We develop and implement programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event. Contact our experts to learn how ITEGRITI can help your company become HIPAA compliant.