The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines the privacy standards for handling protected health information (PHI). HIPAA is a federal law that requires covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and their business associates, including any vendor that stores or transmits PHI on their behalf, to protect the confidentiality, integrity and availability of personal health information.
The three main components are:
- Privacy Standards: These include rules about what may be done with patient information;
- Security Standards: This includes rules about how to protect personal health records from unauthorized access or disclosure;
- Breach Notification Requirements: This section defines when an incident involving PHI must be disclosed to the affected persons, to HHS and, for larger breaches, to the media. The first two rules have been in force since the early 2000s; breach notification was added by the HITECH Act of 2009, implemented by the Department of Health and Human Services in an interim rule later that year, and finalized in the 2013 Omnibus Rule.
If you are a health care provider or are a data storage provider with access to private patient information, your business will likely be affected by HIPAA standards. As such, it is essential to keep up-to-date on the latest requirements so that your business complies with the law.
The Security Rule requires safeguards for electronic protected health information (ePHI). These security standards establish the techniques for protecting this sensitive data from unauthorized access or use.
Violations with Healthcare Data
If a healthcare organization fails to comply with HIPAA regulations it can face severe penalties for its actions. For example, if there was an unintentional breach of protected health information (PHI), the following may occur:
- The covered entity must notify each individual affected by the breach without unreasonable delay and no later than 60 calendar days after discovery.
- The covered entity must also report the breach to the U.S. Department of Health and Human Services (HHS). The timing depends on the number of people affected, not on how the breach was discovered: if 500 or more individuals are affected, HHS must be notified within the same 60-day window and prominent media outlets serving the affected state or jurisdiction must be notified as well; breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. The notice to individuals must describe the steps they can take to protect themselves from resulting harm such as identity theft. Many organizations now include at least one year of free credit monitoring in their notification letters, especially where the PHI included Social Security numbers.
- Finally, if theft or other knowing wrongful access caused the breach, the individuals responsible can be prosecuted under the criminal provision HIPAA added as Section 1177 of the Social Security Act (42 U.S.C. 1320d-6). Its highest tier, for offenses committed with intent to sell PHI or to use it for commercial advantage, personal gain or malicious harm, carries fines of up to $250,000 and up to ten years' imprisonment (or both).
Despite HIPAA and subsidiary regulation being around for some time now, HIPAA violations occur with surprising regularity. For example, since the April 2003 compliance date of the privacy rule, the Office for Civil Rights (OCR) has received over 267,736 HIPAA complaints, investigated and resolved over 28,959 cases by requiring changes in privacy practices and corrective actions, and settled or imposed penalties in over 100 cases amounting to more than $130 million.
Below is a look at some of the common pitfalls and the actions organizations can take to mitigate the risk.
Impermissible Uses and Disclosures of PHI
There are many different impermissible uses and disclosures of PHI, and weak safeguards are often what makes them possible. For example, a healthcare data storage company can violate HIPAA by storing ePHI without the protections its risk analysis calls for, such as encryption at rest, or by allowing someone who has no authorized role to enter or view PHI in its database.
Other examples of impermissible use and disclosure of PHI include:
- Sending patients’ medical records to another healthcare provider without their consent.
- Sending information about the patient to their insurance company without the patient’s consent.
- Sharing health and diagnosis information with people outside of the healthcare facility, such as an attorney, researcher, or social worker, without the patient’s permission.
- Inappropriate public responses on social media that inadvertently disclose PHI. For example, a private dental practice in Dallas paid $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services after disclosing a patient's PHI on social media: the patient had left a review on Yelp in 2016, and the practice's public reply to the review revealed personal details, including the patient's name and treatment and insurance information.
Lack of Safeguards
Every organization faces the possibility of a cybersecurity breach. The loss of PHI can be a devastating blow to both the patients and healthcare organizations. A data breach can result from a sophisticated attack or something as simple as someone leaving their computer unlocked and unattended.
Data breaches can lead to financial penalties, HIPAA violations, data theft, data spills, data exposure, and compromised patient care. For this reason, the Office of the National Coordinator for Health Information Technology has provided guidelines for the privacy and security of health information. The HIPAA Security rules mandate three types of safeguards, administrative, physical, and technical.
Administrative safeguards (45 CFR 164.308) are the policies and procedures an organization puts in place to protect PHI: a documented security management process built on a risk analysis, a designated security officer, workforce training and sanctions, procedures for authorizing and reviewing access, and a contingency plan. They are the foundation for the other two categories, because the risk analysis is what tells an organization which physical and technical controls it actually needs.
The case of Cedar Springs Hospital in Colorado Springs shows why these procedures matter. In late 2020, the hospital handed an official from the Colorado Department of Public Health and Environment a storage device containing unencrypted PHI as part of a survey. The official misplaced the device, putting the data at risk of falling into the wrong hands, and the hospital had to file a breach notification because the data was unencrypted. The lesson is twofold: media-handling procedures should stop unencrypted ePHI from leaving the facility at all, and encryption turns lost media from a reportable breach into a non-event, since the Breach Notification Rule applies only to "unsecured" PHI and PHI encrypted in line with HHS guidance does not count as unsecured.
Physical safeguards (45 CFR 164.310) control physical access to the facilities, workstations and media where ePHI is stored, processed or transmitted: locked doors and server rooms, walls, guards, visitor logs, workstation placement, and procedures for the disposal and re-use of media. Biometric door access to a server room is one example.
Technical safeguards (45 CFR 164.312) are controls implemented in the systems themselves: access control (unique user IDs, emergency access procedures, automatic logoff, and encryption), audit controls that record activity on systems holding ePHI, integrity controls, person or entity authentication, and transmission security. Two-factor authentication (2FA) is a common way to meet the authentication standard. Rather than a second password, it requires a second factor of a different type in addition to the password (something the user knows): for example a time-based one-time code from an authenticator app or a hardware security key (something the user has). A stolen or phished password alone is then not enough to log in.
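To make the second factor concrete, the following is an added example (not code from the original article or from any product it mentions) of the server-side check behind an authenticator-app code: a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226). The shared secret used here is the published RFC test-vector secret, not a real credential, and the clock-drift window and replay tracking are design choices assumed for the example; a production system would also persist the last-used counter per user and rate-limit attempts.

```python
"""TOTP second-factor verification (RFC 6238 over RFC 4226 HOTP), stdlib only."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30      # seconds per TOTP window (RFC 6238 default)
DIGITS = 6          # code length shown by authenticator apps
DRIFT_WINDOW = 1    # assumed tolerance: accept one step either side for clock skew

# RFC 4226/6238 test-vector secret ("12345678901234567890") in base32.
# Constructed for the example; never reuse a published secret in practice.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check for the 'something you have' factor.

    Accepts codes from the current window and DRIFT_WINDOW steps either side,
    compares in constant time, and refuses to accept the same window twice
    (RFC 6238 section 5.2), so an intercepted code cannot be replayed.
    """

    def __init__(self, secret_b32: str) -> None:
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.last_used_counter = -1  # per-user state; persist this in real deployments

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // TIME_STEP
        for counter in range(current - DRIFT_WINDOW, current + DRIFT_WINDOW + 1):
            if counter <= self.last_used_counter:
                continue  # window already consumed: reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Demonstration with the RFC test vector at Unix time 59 (counter 1).
    verifier = TotpVerifier(EXAMPLE_SECRET_B32)
    code = totp(verifier.secret, 59)
    print("code for t=59:", code)                      # 287082 per RFC 6238
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay rejected:", not verifier.verify(code, now=59))
```

The password check and this TOTP check must both pass before the session is issued; a failure in either should return the same generic error so an attacker cannot tell which factor was wrong.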
The Breach Notification Rule
In the event of a breach, organizations are required to notify those affected. Determining who should be notified and in what time frame can be tricky. The Breach Notification Rule requires a covered entity to notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of the breach, without unreasonable delay and in no case later than 60 calendar days after discovery. The 60 days are an outer limit, not a target: OCR expects notifications to go out as soon as practicable so those affected have time to act to mitigate any harm resulting from the breach. An impermissible use or disclosure is presumed to be a breach unless the entity documents a risk assessment showing a low probability that the PHI was compromised.
Legislative changes on data protection laws will continue alongside security and technology innovation; it is vital for data storage companies to stay up-to-date on these changes and remain HIPAA compliant.
Lack of Patient Access to PHI Data
Under the HIPAA right of access, a patient is entitled to a copy of their PHI within 30 days of the request (extendable once by a further 30 days if the patient is told the reason), in the form and format they ask for if it is readily producible, and for no more than a reasonable, cost-based fee. An Arizona healthcare company was recently fined $200,000 for violating this regulation.
Failure to follow these disclosure policies and give patients their information leads to a HIPAA violation.
Lastly, the right of access also lets a patient direct the covered entity to send a copy of their PHI to a third party they designate, and a personal representative (someone with legal authority to make healthcare decisions for the patient) can exercise the right on the patient's behalf. When a request for a patient's PHI comes from someone other than the patient, it may be released without the patient's written authorization only under specific conditions, for example:
- The request comes from a licensed healthcare provider who needs the information to treat the patient.
- The request comes from a personal representative the patient has designated, such as a family member acting under a healthcare power of attorney, because the patient is unable to make decisions on their own.
If you have not yet done so, it's time to update your data policies and procedures with the latest security measures. Luckily, there are many ways companies can remain compliant with HIPAA today, such as using HIPAA-compliant cloud storage under a signed business associate agreement, implementing technical, administrative, and physical safeguards, and conducting regular risk assessments.
However, if a breach occurs within your system and PHI is compromised through an impermissible disclosure or access by someone without proper authorization, civil monetary penalties can reach $1.5 million (adjusted annually for inflation) per calendar year for all violations of an identical HIPAA provision, on top of the cost of notification, remediation and any corrective action plan OCR imposes.