An overview of HIPAA and HITECH
The two most important pieces of legislation that mandate the protection of sensitive data in the U.S. healthcare system are known as HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act). Together they impose extensive data security requirements on all entities and their business associates (BAs) that have access to, process, store, or maintain any protected health information.
The original Health Insurance Portability and Accountability Act was signed into law in 1996. Title II of HIPAA defines policies, procedures, and guidelines for maintaining the privacy and security of individually identifiable health information. It also outlines numerous offenses relating to healthcare and sets civil and criminal penalties for violations. This law denotes the “covered entities” that are responsible for protecting the health information—primarily doctors, hospitals, insurers and other healthcare providers.
The Health Information Technology for Economic and Clinical Health Act was enacted in 2009. This act expands and promotes the adoption of health information technology and creates a nationwide network for electronic health records (EHRs). This act requires entities covered by HIPAA to report data breaches that affect 500 or more persons to the HHS, to the news media, and to the people affected by the data breaches. Moreover, the complete Privacy and Security Provisions of HIPAA are extended to the business associates of covered entities.
Penalties for HIPAA Violations
HIPAA and HITECH mandate strict privacy controls on protected health information (PHI) and the penalties for the loss of PHI can be severe. In one of the largest HIPAA enforcement actions by the US government to date, New York Presbyterian Hospital and Columbia University were recently fined $4.8 million by the US Departments of Health and Human Services Office for Civil Rights (OCR) for mistakenly sharing patient data online. Following similar enforcement actions against QCA Health Plan ($250,000) for the theft of unencrypted health information, the OCR stated, “Our message to these organizations is simple: encryption is your best defense against these incidents.” While significant, fines can be dwarfed by consumer lawsuits and loss of business.
The OCR, which is responsible for enforcing HIPAA, publishes a list of breaches that have affected 500 or more individuals whose PHI has been disclosed via a data breach. This is a shaming list (well, technically it’s a breach disclosure list) that no company wants to appear on. On the black market, PHI can be worth 20 times as much as a credit card number, because it allows a cyber criminal to open multiple fraudulent accounts. Records for terminally ill patients are especially valuable, since they are less likely to detect their identity has been compromised. Patients whose information has been lost in a breach can spend years of cleaning their personal credit records, and correspondingly these breach notifications are often followed by a wave of patient lawsuits, sometimes prepared just hours after a breach is made public.
Who must comply with these laws
An important provision of the HIPAA Omnibus rule, which went into effect in March of 2013, states that business associates of the primary data handlers (as well as subcontractors of these BAs) also must be HIPAA compliant. A BA is defined as any person or entity that, on behalf of a covered entity, “creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing.”
The intent is to ensure that HIPAA protections extend “no matter how far ‘down the chain’ the information flows.” BAs are subject to the same civil and criminal penalties under HIPAA as covered entities. IT service providers, including cloud service providers, are considered business associates under the healthcare law.
Top requirements of HIPAA and HITECH
Where data protection and IT practices are concerned, the top requirements of HIPAA and HITECH are the Privacy Rule, the Security Rule, and the Breach Notification Rule.
- The HIPAA Privacy Rule regulates the use and disclosure of PHI held by covered entities and business associates. Interpreted broadly, PHI can include any information that concerns health status, provision of healthcare, or payment of healthcare that can be linked to an individual.
- The Security Rule deals specifically with Electronic Protected Health Information (ePHI) and specifies three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications.
- The Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers, pursuant to the HITECH Act.
The importance of data encryption
Under the Security Rule, one required technical safeguard of particular interest is encryption, which is one of the key features of a CASB. The regulation states that when information flows over open networks – such as to a cloud service – some form of encryption must be utilized. Encryption is considered an appropriate safeguard to protect the confidentiality, integrity and availability of patients’ PHI. However, just 9.4% of cloud providers store data encrypted, creating a need for third party cloud encryption controls.
Encryption not only protects patients from having their private information exposed, but it also protects the “covered entities” and business associates from potential fines, lawsuits and required notifications in the event that systems are somehow compromised. Data that is adequately protected via encryption is not considered breached, so this allows the organization to forgo the public announcement and individual notifications about a breach. As the notification process can be quite expensive, an organization can potentially save millions of dollars by not having to go through the process at all.
If your organization is handling private information that is covered by HIPAA-HITECH, be certain you have adequate data protection. Talk to us about how you can ensure the covered data you store in cloud services is fully secured through strong academia- and peer-reviewed encryption that supports important application functions such as search and sort.