Since 2009, the U.S. government has paid over $24 billion to healthcare providers who adopt and demonstrate “meaningful use” of certified electronic health record technology. As a result, thousands of providers are now seeing millions of patients and generating countless medical records and billing episodes that, for the first time, are created, transmitted, stored, and/or paid completely electronically. This is just the beginning.
Earlier this year, the Office of the National Coordinator for Health Information Technology (ONC) released its “10-Year Vision to Achieve An Interoperable Health IT Infrastructure.” Its stated goal is to “make the right data available to the right people at the right time across products and organizations in a way that can be relied upon and used by recipients.” This represents a massive technological undertaking that has, at its core, the secure creation, storage, transmission and sharing of unprecedented amounts of personal health information (PHI) and other forms of sensitive data. While banks and retailers have decades of experience with massive cyber security infrastructure, the healthcare industry has, until recently, remained decidedly low-tech.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) began to change this. Among other things, HIPAA started the development of a national policy governing the electronic transfer of medical information. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened HIPAA’s privacy and security protections for health information, promoted the adoption and meaningful use of health information technology such as electronic medical records, and extended the government’s ability to enforce HIPAA’s privacy and security requirements against business associates (BAs) and other subcontractors. The HIPAA/HITECH Privacy Rule, Security Rule, Breach Notification Rule and Enforcement Rule are the bedrock of healthcare information security in the United States. Despite the considerable gains that have been made in healthcare security and privacy practices, some security analysts regard the healthcare industry as a whole as woefully unprepared for a focused cyberattack and believe that a massive healthcare data breach is inevitable.
1. The HIPAA Privacy Rule
The HIPAA Privacy Rule limits the use and disclosure of PHI that is created, transmitted or possessed by health providers, health plans or healthcare clearing houses, which are collectively known as covered entities (CEs). Generally speaking, CEs may use and/or disclose PHI only for activities related to treatment, payment or healthcare operations unless a specific, written authorization is obtained from the patient or their personal representative. The Privacy Rule also requires CEs and their BAs to limit their use and disclosure of PHI, even if for permitted or authorized purposes, to the “minimum necessary.” It also mandates that patients be notified of their rights under HIPAA, including that they may access their PHI, obtain an accounting of disclosures, and request amendments to their records.
The Privacy Rule also imposes a number of administrative requirements, including development and implementation of written privacy policies and procedures; designation of an individual responsible for implementation of such policies; workforce training and management; reasonable and appropriate administrative, technical and physical safeguards to prevent the intentional or unintentional use or disclosure of PHI; and protection of individuals who exercise their rights under the Privacy Rule. It also mandates the retention and documentation of compliance activities for at least six years.
Any entity or person that, on behalf of a CE, performs functions or activities that involve the use or disclosure of PHI can be a BA. Examples of BAs include third parties who assist with claims processing and outside vendors whose services require access to PHI to perform administration, data analysis, utilization review, quality assurance, billing/accounting, benefits management, practice management or other functions, including outside legal work. CEs are required to obtain “satisfactory assurances” in the form of a written contract that, among other things, requires the BA to appropriately safeguard PHI it receives or creates on behalf of the CE and to report any known breaches of PHI to the CE in a timely manner.
2. The HIPAA Security Rule
HIPAA’s Security Rule establishes a set of national standards for the confidentiality, integrity, and availability of electronic PHI (ePHI) by requiring that CEs and BAs implement reasonable and appropriate administrative, technical, and physical safeguards. This includes, but is not limited to, ensuring the confidentiality, integrity, and availability of all ePHI that is created, received, maintained or transmitted (availability meaning that the data is accessible on demand to an authorized user); identifying and protecting against reasonably anticipated threats to the security or integrity of ePHI; protecting against reasonably anticipated impermissible uses or disclosures of ePHI; and ensuring workforce compliance.
The Security Rule’s requirements concerning risk analysis and risk management have been the subject of recent enforcement emphasis. Risk analysis requires a CE or BA to evaluate the likelihood and impact of potential risks to ePHI. Risk management is the implementation and documentation of appropriate security measures that address identified risks, together with the maintenance of continuous, reasonable and appropriate security measures while potential risks to ePHI are regularly reevaluated.
The Security Rule permits scalable implementation of these requirements depending on the size, complexity and capabilities of the entity involved as well as the technical hardware and software infrastructure available, the costs of security measures, and the severity of risks to the ePHI.
3. The HIPAA Breach Notification Rule
HIPAA’s breach notification requirements are intended to increase public transparency and also hold CEs and BAs accountable for data losses. A “breach” is the unauthorized acquisition, access, use or disclosure of unsecured PHI in a manner that compromises its security or privacy. Any unauthorized access, acquisition, use or disclosure of PHI is presumed to be a breach unless a “low probability” that the PHI has been compromised can be demonstrated. This is done through a risk assessment that addresses, at a minimum: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the identity of unauthorized persons who used PHI, or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. Written policies and procedures regarding breach notification are also required.
CEs and BAs that encrypt PHI in accordance with HHS guidance are not required to provide breach notification because such data, even if lost, are not considered “unsecured.” A breach of unsecured PHI requires written notice to affected individuals without unreasonable delay, but no later than 60 days after discovery. To the extent possible, this notification must include a brief description of the incident; a description of the types of information involved in the breach; steps that affected individuals should take to protect themselves; a summary of what is being done to investigate the breach, minimize the harm, and prevent future breaches; and contact information to obtain more information. If the breach involves 500 or more individuals in a single jurisdiction, local media must also be informed of the breach without unreasonable delay, but no later than 60 days after discovery. All breaches of unsecured PHI must be reported to HHS. If a breach affects 500 or more individuals, HHS must be notified within 60 days. If fewer than 500 individuals are affected, HHS must be notified no later than March 1 of the year following the calendar year in which the breach was discovered.
Future parts of the series will discuss the HIPAA Enforcement Rule, external and internal threats to PHI, the costs of security, and risk mitigation options.
HIPAA Enforcement Rule