Understanding HIPAA Today
Look back into the Healthcare Privacy and Security Standard’s growth to understand where we are today.
By Chris Lyons
When the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August of 1996, its intent was to help employees retain healthcare coverage between jobs, combat waste and fraud in healthcare, and encourage the use of medical savings accounts by offering tax cuts.
However, HIPAA is better known today as a series of regulations that employs a variety of security and privacy rules used to protect healthcare consumers from data breaches and to guide medical offices on the use of electronic patient records.
This is attributable primarily to the explosive growth of the internet and the vulnerability to patient records it introduced.
What is the Cost of a Healthcare Data Breach?
Consider the demand for stolen medical records on the black market: while a credit card number is worth $0.25 to $1, medical record information is worth $10 to $50 per record. This is because a credit card number can be easily changed, while medical record information such as a social security number and birth date cannot.
Furthermore, according to the Ponemon Institute, the cost of a data breach of medical records is approximately $363 per record, but the cost of a breach across all other industries is $154 per record. This equates to almost $10 million for 25,000 records, the number typical of a small medical practice.
Understanding HIPAA today is made easier by taking a look back at its evolution.
HIPAA began under the directive of providing portability of insurance and kept that focus until April 2003, when the first portion of the rule that has defined what HIPAA is today was introduced: the Privacy Rule.
What is the HIPAA Privacy Rule?
The Privacy Rule was introduced to identify Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”. The Privacy Rule sets guidelines about how PHI can be disclosed, what is required in a notice of privacy practices, and many other instructions.
This is important because it dictates how healthcare providers and support staff interact with you and with other providers responsible for your care. For example, the Privacy Rule requires that healthcare providers discreetly check you in for an appointment, ensures that only the information necessary for your care is provided to other caregivers, and makes sure your medical information is shared only with authorized individuals such as approved friends, family or personal representatives.
What is the HIPAA Security Rule?
The HIPAA Security Rule was passed in April 2005 and provided guidance on how entities store, transmit, and protect electronic PHI (ePHI). While electronic medical records (EMR) enable convenient and speedy sharing of information among authorized providers and support staff, that accessibility makes it even more important that the proper controls are placed around those records and systems to prevent breaches that can result from hacks, ransomware attacks, malware attacks, and shoddy workplace controls such as poor passwords or a lack of proper encryption. Also of concern is the use of mobile devices such as laptops, iPads and smartphones, which can easily be lost or stolen and could contain hundreds or even thousands of patient records.
Since the introduction of the Privacy and Security rules, there have been several other items passed that have affected how healthcare entities must protect PHI.
What is HITECH?
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed. This act provided a vehicle to help and encourage covered entities to computerize patient medical information. It also led to the Meaningful Use incentive program, which provided financial incentives to covered entities to move to electronic medical records, as well as the Breach Notification Rule. The Act promoted the use of electronic patient portals, which provide patients a way to view their records and make appointments electronically through a secure portal.
What is the Final Omnibus Rule?
In 2013, the Final Omnibus Rule was passed. This is the most recent rule change within HIPAA. This rule introduced few new requirements, but instead cleared up some of the vagueness of several areas of the existing rules.
Some changes included how to render ePHI unreadable, the definition of who would be considered “workforce” members, and the use of mobile devices.
One of the biggest changes that came about from the Omnibus Rule is the stipulation that Business Associates would now be held responsible for breaches of PHI. One main point of the Omnibus Rule was to make entities that have contact with PHI aware of HIPAA and of the requirements to be compliant with laws that had been around for almost 20 years.
HIPAA continues to evolve as new technologies and new breaches occur. The Office for Civil Rights is holding healthcare companies responsible for these breaches. Federal fines for 2016 and 2017 totaled $42 million, almost triple the $14 million levied for 2014 and 2015, and the trend continues today.
Many of the requirements of HIPAA do not specifically state what a company must do, and as such they give each company some flexibility to do what is best for its organization. The main thing to remember about HIPAA is that while the rules rarely say "you must do it this way," they state many times that a company must do "what is reasonable and appropriate" to protect PHI.
Every company should remember that HIPAA is not the "Gold Standard" for security of PHI; it is a minimum specification of what a company must do. Ultimately, if there is a breach, the entity that has the breach will be held responsible.
The bottom line is: companies must do everything they can to protect all patients’ PHI.
HIPAA is always changing, aiming to improve the security provided by healthcare organizations to protect consumers. Sword & Shield’s HIPAA Compliance Program (HCP) provides a cost-effective way for organizations to ensure on-going compliance with the HIPAA Security, Privacy, and Breach Notification Rules.
Request a consultation to get started.
As a security consultant for Sword & Shield, Chris Lyons provides senior security consulting services for HIPAA compliance and security and privacy risk assessments for healthcare companies of all sizes. Lyons writes, reviews and edits corporate security and privacy policies and procedures and provides remote as well as onsite security reviews for hospitals, doctor offices, radiology, dental, and other providers that work with Protected Health Information (PHI) to ensure HIPAA compliance. He has a master's degree in technology and online training, an MBA, and a bachelor's degree in business administration, and holds a number of certifications including a Healthcare Information Security and Privacy Practitioner certificate and several Microsoft and CompTIA certifications.