When most people hear the word “HIPAA,” they recall a trip to the doctor’s office, forms to sign, and protected personal health information that is legally required to remain hidden from the outside world. But for companies that are U.S.-based Health Care Delivery Organizations (HDOs), HIPAA conjures up an entirely different response, particularly if you are the CIO charged with ensuring that an effective strategy for managing patient healthcare data exists at all levels. For that CIO, HIPAA evokes one question: are we compliant?
What is HIPAA? It is the Health Insurance Portability and Accountability Act of 1996,[1] which sets forth national standards for the protection of sensitive patient data. The HIPAA Privacy Rule[2] requires that standards be in place to protect individually identifiable health information (“PHI”). The HIPAA Security Rule[3] operationalizes the Privacy Rule’s security standards for health information that is held or transferred in electronic form (“e-PHI”). The Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil monetary fines. To bolster compliance, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed to raise penalties, in direct response to the development of health technology and the explosion of health care data.
These laws have dramatically increased in relevance as the digital age has made health information virtually accessible 24/7, 365 days a year, and a prime target for cyber attackers. It is estimated that by 2023, 60% of healthcare consumers will have access to, and control of, their health data using technology of their own choosing.[4] Further, by 2025, 50% of all healthcare delivery organizations will include material contributions from digital giants such as Google, Apple and Amazon in their clinical diagnostic or treatment processes.[5] We are seeing an expansion of the healthcare ecosystem: more digital processes gather more data, in different forms, from a variety of sources, digitally connecting HDOs and their business associates as data is shared. Whether it is a doctor’s computerized physician order entry system, a hospital’s electronic health records, computerized pharmacies, IoT medical devices, patient-facing apps, or the health insurer’s claims and care management systems, technology is creating and transferring e-PHI. New technology and connected smart devices improve the quality and efficiency of patient care, yet they can also increase security risk. As healthcare providers and other entities dealing with e-PHI become digital businesses, the need for security is amplified.
Companies that deal with any type of protected health information must have physical, network, and process security measures in place to be HIPAA compliant. Covered entities traditionally included health care providers, health plans, clearinghouses, and the “business associates” of these entities. However, the list of covered entities has expanded as more players have become involved in how we collect, store, manage, and share data, and it now includes anyone who has access to the protected information.
“HIPAA Certified” is a misnomer; no such certification exists. HIPAA compliance, on the other hand, requires covered entities to ensure the confidentiality (not subject to unauthorized disclosure), integrity (not altered or destroyed), and availability (accessible and usable) of the e-PHI they create, receive, maintain or transmit. Covered entities must also identify and protect against reasonably anticipated threats to the information, protect against impermissible use or disclosure, and ensure compliance by their workforce.[6] Fortunately, the Security Rule is flexible enough to allow a covered entity to implement policies, procedures, and technologies, including technical hardware and software infrastructure, that are suited to the entity’s size, structure, and the risks it faces.
HIPAA requires administrative, physical and technical safeguards. Looking only at the technical safeguards, entities must focus on the following:
- Access Control – implementation of technical policies and procedures that allow only authorized personnel to access e-PHI. Think of portals using unique user IDs, emergency access procedures, automatic log-offs, and encryption/decryption.
- Audit Controls – implementation of hardware and software to record and examine activity in systems that contain or use e-PHI. Think of audit reports or tracking logs that record activity on hardware and software.
- Integrity Controls – implementation of technical policies and procedures to confirm that e-PHI is not improperly altered or destroyed. Think of an IT disaster recovery plan that makes sure e-PHI is recovered accurately and intact.
- Transmission Controls – implementation of technical security measures to protect e-PHI while it is being transmitted. Think of securing data transferred via email, the internet, private networks or private clouds.
Implementing security measures for e-PHI is complex. CIOs and Chief Information Security Officers (CISOs) are charged with implementing compliance programs, and they are looking to technology for help. Companies are undertaking voluntary activities such as vulnerability scans and penetration tests. Vulnerability scans test a system for vulnerabilities, holes, flaws or weaknesses, such as malware or outdated legacy software in computer networks, firewalls, routers and applications. These scans are typically run quarterly, or whenever new equipment or apps are introduced, to provide cybersecurity check-ups. Penetration testing is more targeted: it is an attempt to find holes in security and gain access to a network, in effect, an authorized attempt to hack your own system. Healthcare enterprises and their partners must monitor, test, and maintain secure networks. Manual penetration testing reveals the ways real-life attackers might compromise data, and it examines system software, workflow processes, storage methods, and policies and procedures. According to recent reports, in February 2019 hacking and IT incidents, such as malware infections and ransomware attacks, dominated the healthcare data breach reports, making up 75% of all reported breaches and resulting in the exposure or theft of 96.25% of the records that were breached.[7] Third parties can be retained to attempt to hack you as part of your compliance strategy. Because it is meant to provide some flexibility, HIPAA does not specifically require vulnerability scans or penetration tests; however, it is a smart move to incorporate these tools into a HIPAA compliance strategy, particularly to demonstrate compliance if you face an OCR audit.
CIOs need to implement digital platforms that can engage and protect the broad health ecosystem. To ensure HIPAA compliance, they must have confidence in the level of control and accountability that exists over the safety, integrity and confidentiality of the tremendous amount of electronic personal health data that the business creates, receives, maintains or transmits. A technical evaluation of security and vulnerabilities, together with a risk management plan, is imperative.
Crowd Machine is a HIPAA-compliant zero-code platform that builds, deploys, and manages mission-critical enterprise applications and solutions for the healthcare ecosystem. Crowd Machine employs a “defense in depth” security model, compliant with a number of standard security protocols, to ensure that user, device, and service provider authentication requirements are challenged according to security standards. Crowd Machine also ensures data integrity via a multi-tier approach to data management, regardless of the underpinning host technology. Among the many technical safeguards undertaken, Crowd Machine’s platform is also subject to voluntary compliance activities, including penetration testing, on a regular basis. The Crowd Machine technology can seamlessly integrate and transform legacy systems, which may be vulnerable, safely making legacy health data useful again. Crowd Machine’s technology is also flexible and can be customized and scaled to meet any HDO’s changing needs or requirements, quickly and easily. Crowd Machine’s happy customers and CIOs include major health insurance companies who trust Crowd Machine technology to ensure the safety, integrity, and confidentiality of their regulated e-PHI while at the same time delivering exceptional user experiences.
Disclaimer: This article and the information contained therein are provided for informational purposes only, and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.
[1] Pub. L. 104-191.
[2] 45 C.F.R. §§ 160, 164, Sub. A, E.
[3] 45 C.F.R. §§ 160, 164, Sub. A, C.
[4] Gartner, February 25, 2019, ID G00382818, “Healthcare Provider CIOs: Get Control of Patient Data Across All Partners,” Susan Hull, Barry Runyon.
[5] Id.
[6] 45 C.F.R. § 164.306(a).
[7] HIPAA Journal, March 18, 2019.