All you need to know about HIPAA
Remote working has been the life saviour of the Covid-19 pandemic - including all health services and providers. But it has also increased data protection challenges, thanks to the rapid growth in the capture and transfer of sensitive personal data to doctors, nurses, pharmaceutical companies and Telehealth providers. This data is now sitting on laptops, local servers, cloud services and is being passed between parties for analysis, collaboration and analytics.
In the United States, recent studies have shown that there was a 55% spike in healthcare-related data breaches in 2020, with hacking and IT incidents leading to 67.3% of all healthcare breaches [1].
The 2020 Blackbaud ransomware attack compromised an estimated two dozen providers and 10 million patients alone [2].
USA legislation states that any information breaches by healthcare providers fall within HIPAA (The Health Insurance Portability and Accountability Act 1996), which regulates how health-related data should be held, shared, and secured. The continually growing threat of data breaches and the sensitive nature of health data highlights why laws like HIPAA are vital when it comes to protecting sensitive health information.
What is HIPAA?
The Health Insurance Portability and Accountability Act protects: individuals from having their personal health information shared without their knowledge or consent by healthcare providers and any relevant third parties.
These providers are referred to as “covered entities” and include:
Health insurance companies
Health maintenance organisations
Government healthcare plans such as Medicaid, Medicare, military health programmes
Healthcare clearinghouses (organisations that process nonstandard information they receive from another entity into a standard, or vice versa)
Healthcare providers, i.e. doctors, dentists, pharmacies, psychologists, nursing homes, etc.
Business associates or contractors who also have to handle medical records
What exactly is health data?
Health data, or “protected health information” (PHI), is any identifiable and demographic information relating to (or which could be related to) an individual’s past, present or future physical and mental health. This huge umbrella of information not only includes the common identifiers (name, date of birth, social security number, etc.) but also the delivery of care given, all medical records - as well as all payment of healthcare (e.g. hospital bills).
Given the depths of what health information can reveal about individuals, it is no surprise that identifiable health data is considered one of the most sensitive forms of data - and therefore, one of the most necessary to protect.
Three main rules of HIPAA
If there is one thing you should take away from this article - take three.
The three main rules of HIPAA are the Privacy Rule, The Security Rule, and The Breach and Notification Rule - all of which rely on consent, secure storage, and necessary safeguards in place to protect privacy.
The Privacy Rule
The Privacy Rule covers the use and disclosure of PHI held by a covered entity. Also known as the “Standards for Privacy of Individually Identifiable Health Information”, it was established by the Office for Civil Rights (OCR) within the Department of Health and Human Services.
Above all, the rule requires that patient confidentiality is maintained.
This means organisations must keep track of disclosures - only releasing the least amount of information possible, and they must notify individuals when their PHI is to be used or shared. From a staff perspective, it means they need to be trained on the handling of all PHI, and a privacy official has to be appointed - to help with any mismanagement and complaints.
However, there are exemptions to the need for obtaining consent to release information -
such as for research (under certain conditions), to prevent serious threat to health and/or safety, or if disclosures are required by law.
A key exemption is that the Privacy Rule does not cover PHI that has been properly de-identified:
i.e. information that does not identify an individual (either on its own or combined with other information). For example, statistics on those receiving cancer treatment in a particular year could be de-identified information, as it would not include any personal identifiers or any related, identifiable data.
Covered entities can use two methods to classify health information as de-identified [3]:
“The expert determination” method
This means an expert can determine that there is no risk of re-identification of an individual from the data in question, provided they document how they came to this decision.
The “safe harbour” method:
A covered entity may consider information is no longer individually identifiable if they remove key personal identifiers, including:
Names
Addresses, phone numbers, device serial numbers
Birth dates, dates of admission, death date, etc.
Email addresses, IP addresses, fax numbers
Medical record numbers, social security numbers, account numbers
Biometric information (visual data captured from surveillance video)
Full-face photographs
The Security Rule
The Security Rule relates to the best practices for securing information and preventing unauthorised access.
This means organisations must implement and maintain the protection of PHI and ePHI (electronic protected health information) against breaches, loss, or theft of data, as well as ensure relevant third parties also secure the data.
The Security Rule outlines how to carry out these practices through three different methods:
Administrative safeguards – written procedures in place to demonstrate how entities comply with HIPAA
Physical safeguards – implementation of physical access controls to prevent unauthorised access to PHI, e.g. training on physical access responsibilities
Technical safeguards – i.e. maintaining data integrity and authentication controls, using encryption on data that is transmitted, etc.
The Breach Notification Rule
The Breach Notification Rule requires covered entities to report data breaches.
These breaches must be reported to:
The OCR
All impacted individuals
The media (when breaches are large)
Large data breaches (affecting 500+ patients) must be reported within 60 days of discovery, whereas small breaches (affecting less than 500 patients) must be reported within 60 days of the end of the calendar year.
What happens if HIPAA is violated?
The OCR can enforce fines or criminal penalties, which are dependent on the severity of the breach, the amount of harm caused, and the company’s history of compliance.
HIPAA fines are determined through a tier system, which is based on the knowledge the covered entity had of the breach - fines can range from $100-$50,000 per violation. For example, a Tier 1 violation is one a covered entity was unaware of and could not have avoided - whereas a Tier 4 violation would arise through wilful neglect where no attempt was made to rectify it.
What has the last year meant for HIPAA?
Due to lockdowns, social distancing and the increase in infections and sickness, Telehealth communications and the documenting of health information in the States has skyrocketed, with an over
3000% increase in Telehealth claims alone between October 2019 and October 2020 [4].
As a result, HIPAA regulations have been temporarily changed to try and balance the workload that comes with compliance.
In December 2020, the OCR published guidance temporarily waiving the requirements around disclosure of PHI to public health authorities and agreed to exercise discretion with fines and penalties. Despite this, they have expressed clear expectations for organisations to continue to make efforts to only share the minimum necessary when it comes to PHI and other health data [5]. This temporary waiver also applies to Telehealth services and health authorities using systems that may not be fully HIPAA compliant.
Covered entities are now proactively reporting patient testing data and other PHI to a Health Information Exchange for public health reporting, without the need to worry about breaching the HIPAA.
They can also now freely disclose health information to family, friends, and others involved in the care of the data subject. Even in recent months, the Department of Health and Human Services has proposed further relaxations to the Privacy Rule, including making it easier to carry out coordinated care i.e. sharing PHI with bodies like social services and community-based service providers, and giving patients greater access to their PHI [6]. However, there are concerns about further relaxations to HIPAA making patients’ sensitive health information more vulnerable, and in turn, more susceptible to breaches.
In this bid to keep health services afloat, there has been a lot of misinformation about what protections HIPAA actually provides, as well as fake Acts created and shared online.
HIPAA is now often cited as a reason not to disclose vaccination or health status to employers or other establishments.
Despite the negative cyber effects, this temporary suspension of some of HIPAA’s rules will be in place until the Secretary of Health and Human Services determines that the public health emergency no longer exists [7][8]. When the tide of covid begins to wade, HIPAA will most likely be steadily brought back into full effect, and therefore leniency in enforcing fines for breaches will also be affected.
Easy ways to ensure you are HIPAA compliant
Some useful suggestions to keep in mind include:
Appoint a HIPAA Compliance Officer and conduct HIPAA training for your staff members
Secure the network where PHI is stored and use methods like encryption to protect data
Redact personal data where necessary, especially information pertaining to third parties
Use automated message lifespans that delete messages after a defined period and encourage the use of automatic log-offs
Make use of authentication methods to ensure no unauthorised access to data
Maintain updated policies and protocols for staff members to report breaches
Conduct regular internal audits and assessments to uncover any potential breaches, and also ensure your business associates uphold similar standards
Here are some useful links to check out: :
Combined Regulation
https://www.renalandurologynews.com/home/departments/hipaa-compliance/hipaa-covid-19-guidance-rule-changes-public-health/
https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf
Despite the waivers currently in place, the importance of compliance with the rules of managing data - particularly sensitive health data - cannot be understated. As a result of HIPAA, health organisations must protect data and privacy and put clear policies in place to manage any breaches. This will also allow health bodies to highlight the importance they place on protecting data for both their customers and employees.
Other useful links: