What is HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was initiated in 1996 to develop regulations protecting the privacy and security of healthcare data. As a result of this work, the Federal Department of Health and Human Services (HHS) published the following privacy protection standards:
The Privacy Rule
The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information, specifically Personally Identifiable Information (PII), Protected Health Information (PHI) and electronic Protected Health Information (ePHI). These standards include setting limits and conditions on the uses and disclosures of PII without patient authorization.
The Security Rule
The Security Rule goes a step further to operationalize the Privacy Rule protections defined by HIPAA by addressing the administrative, physical, and technical safeguards that health care organizations or “covered entities” must put in place to secure and protect electronically stored and shared ePHI. These protections help ensure the protected health information’s confidentiality, integrity, and security.
HITECH Act (Health Information Technology for Economic and Clinical Health Act)
Hand-in-hand with HIPAA is the HITECH Act (Health Information Technology for Economic and Clinical Health Act), which passed in 2009 and urges health providers to:
- Adopt electronic health records (EHR) to improve quality of patient care
- Adhere to expanded data breach notification requirements
- Secure ePHI data using appropriate privacy protections
Both HIPAA and HITECH address ePHI security, but measures within HITECH support the enforcement of HIPAA through the Breach Notification Rule and the HIPAA Enforcement Rule.
Consequences of Not Complying with HIPAA
Hospitals, clinics, insurers, research facilities, pharmacies, and public health organizations all need to share health data. However, very specific guidelines around how this information can be stored and shared are needed to ensure patient privacy. Breaching the trust of individuals who have entrusted their data comes with consequences.
Under HIPAA, the Office for Civil Rights (OCR) within HHS is responsible for enforcing the Privacy and Security Rules, establishing compliance requirements, and levying civil monetary penalties.
Organizations that fail to comply with HIPAA regulations can see substantial fines levied against them, even if no actual PHI breach occurs. In addition, criminal charges and even civil lawsuits can be filed following a breach. And it should be noted: ignorance of HIPAA compliance requirements does not pass muster as a defense against sanctions for violations. The OCR issues fines whether a violation is inadvertent or the result of willful neglect.
Ensuring that, as a Covered Entity or Business Associate, your administrative policies and procedures, physical protections, and technical solutions are in place can go a long way toward keeping you off the OCR’s radar.
What is a Covered Entity?
A Covered Entity is any health care provider, health plan, or health care clearinghouse that, as part of its day-to-day business, creates, maintains, or transmits PHI. There are a few exceptions, including:
- Most health care providers employed by a hospital, as the hospital itself is the Covered Entity and therefore the party responsible for implementing and enforcing HIPAA compliant policies.
- Employers, even though they may maintain some health care data on employees. They are exempt unless they provide self-insured health coverage or benefits such as an Employee Assistance Program (EAP). This would be considered a “hybrid” entity situation and still may be subject to HIPAA breach consequences for any unauthorized disclosure of PHI.
What is a Business Associate?
A Business Associate is defined as any person or business that provides a service to, or performs a function or activity for, a Covered Entity when that action involves accessing PHI maintained by the Covered Entity. Accountants, IT contractors, lawyers, billing companies, cloud storage services, and email encryption services are all examples of Business Associates.
To be in HIPAA compliance, a Business Associate must sign a Business Associate Agreement with the Covered Entity before gaining access to PHI. The agreement details what PHI the Business Associate can access, how it plans to use that PHI, and that the PHI will be returned or destroyed once the need for it, or the task, is completed. While in possession of the PHI, the Business Associate is under the same HIPAA compliance obligations as the Covered Entity.
HIPAA Security Rule Checklist
There are three categories of safeguards to help ensure the HIPAA Security Rule is adhered to by Covered Entities and Business Associates: administrative, physical, and technical.
Administrative Safeguards to Meet HIPAA Security Rule Requirements
Identification and analysis
Identification and analysis of possible risks to e-PHI and placement of appropriate and reasonable security measures to reduce them.
Designate a security official
Designate someone to be responsible for developing and implementing security policies and procedures.
Manage information access
Manage information access per the Privacy and Security Rules. The Privacy Rule limits the use and disclosure of e-PHI to the “minimum necessary.” The Security Rule requires role-based access policies and procedures for authorizing access to e-PHI.
Training and management of workforce
Training and management of the workforce on e-PHI policies and procedures. All workforce members must be trained on the covered entity’s security policies and procedures, with appropriate sanctions for violations of them.
Evaluation of Policies and Procedures
Evaluation of Security Rule Policies and Procedures: Periodically, current policies and procedures should be reviewed for how well they meet the established HIPAA requirements.
Physical Safeguards for HIPAA Security Rule Compliance
- Limit physical access to and control of facilities while still allowing authorized access.
- Secure workstations and devices. Policies and procedures should specify proper, secure use of and access to workstations and electronic media as well as the transfer, removal, disposal, and re-use of electronic media, to protect electronic health information.
Technical Safeguards Help Ensure HIPAA Security Rules Compliance
Putting robust technical safeguards in place is not only necessary, it also makes complying with HIPAA regulations easier, especially when data security solutions are coupled with automation to help reduce the risk of human error and lighten the compliance burden on a Covered Entity’s IT staff.
Per HIPAA’s Security Rule, Covered Entities must:
- Control access by implementing policies and procedures that allow only authorized persons to access e-PHI.
- Implement audit controls: hardware, software, and/or procedural mechanisms that record and examine all access to, and activity involving, e-PHI.
- Ensure the integrity of e-PHI by implementing policies and procedures that prevent personal health information from being improperly altered or destroyed. Electronic measures must be put in place to confirm the integrity of e-PHI.
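The three technical safeguards listed above (access control, audit controls, and integrity) map directly onto mechanisms a developer can build. The following is an added example, not code from the original page or from Fortra, that models all three in one small module: a role-based “minimum necessary” check on each field of a record (the role-to-field table, patient record, user names and integrity key are all constructed for the illustration), a hash-chained audit log that records every access attempt, allowed or denied, and an HMAC tag on each stored record so that an out-of-band alteration is detected before the data is returned.

```python
"""Toy model of HIPAA Security Rule technical safeguards (added example).
Role table, records, user names and the integrity key are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Role -> ePHI fields that role may read ("minimum necessary"). Constructed
# policy for illustration; a real one is set by the covered entity.
ROLE_PERMISSIONS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "frontdesk": {"name", "dob"},
}

# Constructed demo key. In production this comes from a KMS/HSM, never source.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def seal(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time comparison of the stored tag against a fresh one."""
    return hmac.compare_digest(seal(record), tag)


@dataclass
class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous
    entry's hash, so altering or deleting an entry breaks the chain."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps({**event, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({**event, "prev": prev, "hash": digest})

    def is_intact(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
            if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class EphiStore:
    """Holds (record, integrity tag) pairs and mediates every read."""

    def __init__(self, log: AuditLog):
        self.log = log
        self._records = {}  # patient_id -> (record dict, HMAC tag)

    def put(self, patient_id: str, record: dict) -> None:
        self._records[patient_id] = (dict(record), seal(record))

    def read(self, user: str, role: str, patient_id: str, fields: set) -> dict:
        """Return only requested fields the role may see. Every attempt is
        logged; a record whose tag no longer verifies is refused."""
        allowed = ROLE_PERMISSIONS.get(role, set())
        denied = set(fields) - allowed
        self.log.append({"user": user, "role": role, "patient": patient_id,
                         "requested": sorted(fields), "denied": sorted(denied)})
        if denied:
            raise PermissionError(f"{role} may not read {sorted(denied)}")
        record, tag = self._records[patient_id]
        if not verify(record, tag):
            self.log.append({"user": user, "role": role, "patient": patient_id,
                             "event": "integrity_failure"})
            raise ValueError("ePHI record failed integrity check")
        return {f: record[f] for f in fields}


def demo() -> dict:
    """Walk through an allowed read, a denied read, a tampered record and a
    tampered log; returns the observed outcomes."""
    log = AuditLog()
    store = EphiStore(log)
    store.put("p-001", {"name": "Constructed Patient", "dob": "1970-01-01",
                        "diagnosis": "example", "medications": ["example"],
                        "insurance_id": "INS-0000"})
    out = {"physician": store.read("dr_a", "physician", "p-001", {"name", "diagnosis"})}
    try:
        store.read("clerk_b", "frontdesk", "p-001", {"name", "diagnosis"})
        out["frontdesk_denied"] = False
    except PermissionError:
        out["frontdesk_denied"] = True
    store._records["p-001"][0]["diagnosis"] = "altered"  # simulate out-of-band tampering
    try:
        store.read("dr_a", "physician", "p-001", {"diagnosis"})
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    out["log_intact"] = log.is_intact()
    out["log_entries"] = len(log.entries)
    log.entries[0]["user"] = "someone_else"  # simulate editing the audit trail
    out["log_tamper_detected"] = not log.is_intact()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The denied read is still written to the log before the exception is raised, which is the point of an audit control: reviewers need to see attempts, not just successes. The integrity check runs on every read rather than on a schedule, so a modification made outside the application is caught the first time anyone tries to use the record.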
HIPAA Security Rule Technical Solutions from Fortra
Covered Entities and Business Associates meet their HIPAA Security Rule obligations through proven, robust technical solutions that work end-to-end, regardless of infrastructure. Fortra's best-of-breed solutions are simple to deploy and manage. They not only safeguard health care information, meet critical HIPAA compliance requirements, and help avoid making security breach headlines; they also can help your organization increase efficiency and productivity by integrating automation into critical health care business processes with minimal impact on internal resources.
Data Loss Protection (DLP)
Detect, inspect, and secure your critical healthcare data across email, web, and the cloud with Clearswift, Fortra's DLP solution. End-point protection ensures data flagged to be protected by HIPAA is secured throughout its entire journey or lifecycle. And adaptive redaction allows for content that would be considered a HIPAA breach to be dynamically modified (redacted or sanitized), allowing the rest of the communication to be delivered unhindered to help ensure secure but continuous collaboration.
Secure Managed File Transfer (MFT)
A multi-layered, HIPAA-compliant defense structure that includes managed file transfer, such as Fortra's GoAnywhere MFT, helps secure and automate the exchange of ePHI: protecting healthcare information, encrypting data at rest and in motion, and providing the comprehensive audit and reporting logs required for HIPAA compliance.
GoAnywhere surrounds sensitive healthcare data at all points in time, wherever it resides. Covered Entities can streamline and secure the exchange of data between systems, Business Associates, employees, patients, insurers, and other authorized recipients for secure collaboration, automation of vital business processes, and complete information control.
Data Classification
The foundation of a solid data security strategy begins with data classification from Fortra's Data Classification solutions, which support compliance with HIPAA by allowing users to identify valuable data with classification labels or tags. This enables critical decisions to be made about how healthcare data is stored and transmitted. Note: An organization’s investment in, and application of, such a classification system may itself constitute a “reasonable measures” defense, should there be a HIPAA breach charge.
Digital Rights Management (DRM)
Fortra's digital rights management solution, Vera, allows healthcare entities to share their files securely by ensuring that the security policy sticks to the data, anywhere it goes. So, when patient data needs to be shared externally, they can share with the confidence that the data can only be accessed by those they choose, even after it’s open.
Security and Compliance Solutions for IBM i
If your healthcare organization has IBM i systems in your environment, Fortra's Powertech solutions can help you meet HIPAA’s Security Rule technical safeguard requirements by acting as automated security controls that harden your system security and provide visibility into your database access.
These automated, simplified security solutions can help healthcare entities more easily meet auditor demands and protect healthcare data.
Offensive Security
Offensive security solutions from Fortra are ideal for conducting risk analysis, which is a critical piece of HIPAA compliance. Vulnerability management and penetration testing solutions assess risk by uncovering, identifying, and prioritizing vulnerabilities that could be exploited by attackers. Additionally, these tools have robust reporting capabilities that provide auditors with thorough documentation of all activities, proving that risk analysis has been effectively completed.
Identity and Access Management (IAM)
Fortra's identity governance solutions help healthcare organizations create, manage, and certify access to protect their sensitive data. With automated user provisioning, access reviews, password management, and policy management, you get immediate visibility into who has access to what, simplifying regulatory compliance.
Privileged Access Management (PAM)
Get control of sensitive information by centrally managing privileged access across your healthcare organization. Fortra's privileged access management (PAM) solutions enforce the principle of least privilege by giving users only the access they need, helping meet HIPAA requirements.
Learn more about how Fortra can help with HIPAA Security Rule compliance
Fortra is the single provider you need to implement the technical safeguards healthcare organizations require to feel confident in their ability to meet stringent HIPAA Security Rule compliance mandates.