HIPAA, the Health Insurance Portability and Accountability Act, is a set of regulatory standards signed into law in 1996. Its security and privacy provisions were designed to keep patients' medical information safe. HIPAA is a legally mandated standard throughout the United States health industry, whether the entity concerned is a healthcare provider, a hospital, or any other partner body that has access to patients' Protected Health Information (PHI).
A lot has changed in the 25 years since HIPAA was signed. Cyber security was in its infancy in 1996, and the original statute contained no detailed security requirements; the HIPAA Security Rule that spells them out for electronic data was not published by HHS until 2003. Technological change in the years since has only heightened the importance of these rules.
As more and more healthcare providers and other organizations in the field transition to computerized operations across every domain of medical practice, the need to adequately protect patients’ sensitive data has become increasingly profound.
Safeguarding patient information
With more data than ever being handled and stored digitally, HIPAA is needed to safeguard both patient information and healthcare providers. A security breach can hurt patients, damage the reputation of healthcare providers, and expose the latter to fines or other disciplinary action from the Centers for Medicare and Medicaid Services (CMS) or the HHS Office for Civil Rights (OCR), which enforces the Privacy and Security Rules. Penalties for violating HIPAA rules can reach as high as $1,500,000 per year for each violation category.
Unfortunately, the healthcare field continues to suffer from breaches and cyber attacks. These range from ransomware, which encrypts or exfiltrates vital files, including patient data, and then extorts the rightful owners for their return, to distributed denial of service (DDoS) attacks intended to disrupt organizations by knocking vital services offline.
Between January and November 2020, an estimated 79% of data breaches involved healthcare organizations of some stripe. Between November 2020 and January 2021, there was a 45% increase in cyber-attacks made against healthcare organizations. This trend does not look set to slow down any time soon. Instead, it looks likely to continue ramping up.
The HIPAA Safe Harbor bill
Against this background, the HIPAA Safe Harbor bill (H.R. 7898) was signed into law on January 5, 2021. The bill amended the existing HITECH Act and requires the Department of Health and Human Services (HHS) to take into account, when deciding fines, audits and other remedies, whether an organization had "recognized security practices" in place for at least the previous twelve months. In effect, an organization that can show it has been following the HIPAA Security Rule and recognized security frameworks in good faith can expect more lenient fines and penalties, even when a serious data breach is under investigation.
The amendment does not lessen the seriousness of breaches, but it does reward those who have taken the right technical safeguarding steps to mitigate risk.
This new addition to the law comes at a time when there’s increasing awareness of the changing threat landscape for healthcare. Security teams must find ways to use often limited budgets to properly focus on the highest risk threats. The HIPAA Safe Harbor bill offers a reprieve of sorts to those who take the right steps to protect themselves — but to reap the benefits of this they must, of course, take those preventative steps.
There are several measures they can take. One of the most important is to work through a HIPAA compliance checklist to ensure that the organization is meeting all the administrative, physical and technical safeguards required by law. This includes the HIPAA data breach notification rules and the privacy requirements, and it covers self-audits, remediation plans, policies, procedures, employee training, proper documentation, incident management, and more.
Acting in good faith
Beyond this, organizations must implement strong data security measures to demonstrate “good faith” effort and to minimize the probability, impact, and scope of a breach.
One of the technical safeguards organizations should implement is access control: making sure that only the correct, authorized individuals are able to access confidential information, however it is stored.
Another is audit control, which records attempted access to electronic protected health information (ePHI) and what happened to it after access, including attempts that were denied. Another is integrity control, which ensures that ePHI is not altered or destroyed in an improper manner and that any such tampering is detected. The last is transmission security, which requires that ePHI sent or received over an electronic network is properly protected in transit, in practice by encrypting the channel.
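To make the first three safeguards concrete, here is an added example (not code from the original article or from any real product) of a small ePHI record store that enforces a role-based access policy, writes every access attempt, allowed or denied, to an audit trail, and protects each stored record with an HMAC integrity tag so that out-of-band modification is detected on read. The role policy, record format, user names and key are all hypothetical; transmission security is not shown because it belongs to the transport layer (TLS) rather than to the application.

```python
"""
Toy ePHI store illustrating three HIPAA Security Rule technical safeguards:
access control, audit control and integrity control.
Added example; the policy, names and record format are assumptions.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Hypothetical role -> permitted actions policy.
POLICY = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "janitor": set(),
}


class AccessDenied(PermissionError):
    pass


class IntegrityError(ValueError):
    pass


@dataclass
class EPHIStore:
    integrity_key: bytes            # HMAC key; in production keep it in a KMS/HSM
    records: dict = field(default_factory=dict)    # patient_id -> (payload_json, tag)
    audit_log: list = field(default_factory=list)  # in production: write-once log store

    def _tag(self, patient_id: str, payload: str) -> str:
        # Bind the tag to the patient id so a tag cannot be moved between records.
        msg = patient_id.encode() + b"\x00" + payload.encode()
        return hmac.new(self.integrity_key, msg, hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, patient_id, outcome):
        self.audit_log.append({"ts": time.time(), "user": user, "role": role,
                               "action": action, "patient": patient_id,
                               "outcome": outcome})

    def _authorize(self, user, role, action, patient_id):
        # Access control: check the role policy on every request, and record
        # every attempt, allowed or denied (audit control).
        if action not in POLICY.get(role, set()):
            self._audit(user, role, action, patient_id, "denied")
            raise AccessDenied(f"role {role!r} may not {action}")
        self._audit(user, role, action, patient_id, "allowed")

    def write(self, user, role, patient_id, record: dict):
        self._authorize(user, role, "write", patient_id)
        payload = json.dumps(record, sort_keys=True)
        self.records[patient_id] = (payload, self._tag(patient_id, payload))

    def read(self, user, role, patient_id) -> dict:
        self._authorize(user, role, "read", patient_id)
        payload, tag = self.records[patient_id]
        # Integrity control: recompute the tag and compare in constant time.
        if not hmac.compare_digest(tag, self._tag(patient_id, payload)):
            self._audit(user, role, "integrity_check", patient_id, "failed")
            raise IntegrityError(f"record {patient_id} has been altered")
        return json.loads(payload)


def demo() -> dict:
    """Exercise the store with constructed sample data and return what happened."""
    store = EPHIStore(integrity_key=b"example-key-not-for-production")
    store.write("dr_lee", "physician", "P001", {"dx": "J45.9", "note": "asthma"})
    billing_view = store.read("acct_01", "billing", "P001")

    denied = False
    try:
        store.read("j_doe", "janitor", "P001")
    except AccessDenied:
        denied = True

    # Simulate tampering that bypasses the application (e.g. direct DB edit).
    payload, tag = store.records["P001"]
    store.records["P001"] = (payload.replace("J45.9", "Z00.0"), tag)
    tampered = False
    try:
        store.read("dr_lee", "physician", "P001")
    except IntegrityError:
        tampered = True

    return {"billing_dx": billing_view["dx"], "denied": denied, "tampered": tampered,
            "audit_outcomes": [e["outcome"] for e in store.audit_log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter for the audit requirement: the denied janitor request is logged before the exception is raised, so failed attempts are not lost, and the integrity failure is logged as its own event so investigators can see when tampering was first detected. In a real deployment the audit log would go to an append-only store the application cannot rewrite.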
The challenges surrounding healthcare data and the threats that follow from them are not going away. While HIPAA Safe Harbor lets some organizations breathe a sigh of relief, safe in the knowledge that they are taking every precaution they can, that group does not yet include everyone operating in this sector.
If you have not already joined them, doing so is of paramount importance.