HIPAA was enacted in 1996, and by April 2005 the Security Rule standards were required to be in place for most covered entities (small health plans had until April 2006). In 2013 key portions of the law were updated. This post provides an overview of the elements we believe security and technology professionals (and most citizens) should be tracking.
The technology and security communities focus largely on Title II of HIPAA, which provides changes to the law designed to reduce health care fraud and abuse while protecting privacy and enhancing security.
This is the section of the law that regulates the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual, including any portion of a patient's medical record or payment history. When that information is created, stored or transmitted electronically it is ePHI, and ePHI is what the Security Rule's safeguards are written against.
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 added breach notification and other security-related requirements to HIPAA; the HIPAA Omnibus Final Rule published in January 2013 implemented those changes in the regulations.
With these modifications, the law now imposes data breach notification requirements for unauthorized uses and disclosures of unsecured PHI. "Unsecured" is the key word: PHI that has been rendered unusable, unreadable or indecipherable to unauthorized persons according to HHS guidance (in practice, encrypted in line with NIST recommendations, with the keys not compromised, or properly destroyed) is not "unsecured," and its loss does not trigger notification. This safe harbor is the single strongest technical argument for encrypting ePHI at rest and in transit. The notification requirements are similar to many state data breach laws covering personally identifiable financial information. Notifications must go to the affected patients without unreasonable delay and no later than 60 days after discovery. If the breach affects more than 500 individuals, HHS must also be notified at the same time, and HHS publicly posts the entity's name on its website (see the current list here); breaches affecting fewer than 500 individuals are logged and reported to HHS annually. Additionally, a breach involving more than 500 residents of a single state or jurisdiction requires notifying prominent media outlets serving that state (normally done via press release).
These rules apply to any entity that handles patient information on a covered entity's behalf, not only to hospitals and clinics. Entities are discussed in two categories:
- Covered Entities (CE) are health care providers that transmit health information electronically in connection with HIPAA transactions, health plans, and health care clearinghouses.
- Business Associates (BA) are any persons or organizations that create, receive, maintain or transmit PHI on behalf of a covered entity: billing services, cloud and hosting providers, consultants, and so on. Since the 2013 Omnibus Rule, a subcontractor of a business associate that handles PHI is itself a business associate.
This breakout into two categories matters because covered entities are required to bind their business associates to these standards contractually, through a Business Associate Agreement (BAA). Since 2013, business associates are also directly liable for compliance with the Security Rule, so a BAA does not shift responsibility away from the vendor.
Now to quickly review the things you already assume are in the rules. The Security Rule groups its safeguards into three families:
- Administrative safeguards: a documented risk analysis and risk management process, assigned security responsibility, workforce training, incident response procedures, contingency planning, and appropriate policies.
- Physical safeguards: facility access controls and controls over workstations and media (including disposal and reuse of devices holding ePHI).
- Technical safeguards: access control and unique user identification, audit controls (activity records that can be used in forensics), integrity controls, authentication, and transmission security (protecting ePHI in transit).
One caveat practitioners should know: each safeguard's implementation specifications are either "required" or "addressable." Encryption of ePHI at rest and in transit is addressable, which means an entity may document why it is not reasonable and appropriate and implement an equivalent alternative, but it does not mean optional, and (as noted above) only encrypted PHI qualifies for the breach notification safe harbor.
As for how these goals are met, there is leeway. The rule is technology neutral: entities are permitted to use any security measures that allow them to reasonably and appropriately implement the safeguards, taking into account their size, complexity, technical infrastructure, and the likelihood and criticality of the risks they face. Savvy CIOs in the healthcare domain are usually very familiar with the community best practices and standards that apply here.
Complying with HIPAA is almost always an exercise in learning the terms and requirements of the law, knowing the business processes of the entity that handles the information, performing and documenting the risk analysis the rule requires, and then applying sound guidance such as the community-built Critical Security Controls maintained by the Center for Internet Security (the controls previously known as the SANS Top 20).