BY Stephen Cavey | 12/06/2020
To better protect healthcare data and patient privacy, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Despite this regulation, the healthcare industry has seen a huge surge in the number of cyberattacks over the years. In 2019 alone, there were 572 reported health data breaches in the U.S. Globally, the healthcare industry came in second for the highest number of breaches during the year.
Healthcare data has become an increasingly favored target for hackers as a single medical record can fetch up to $1,000 USD on the black market. This isn’t surprising as medical records typically contain a patient’s full name, Social Security Number (SSN), date of birth, healthcare insurance data and more, constituting an attractive “information package.”
So, how can healthcare organizations keep in compliance with HIPAA and better safeguard PHI from cyberattacks? It starts with understanding more about what HIPAA is along with implementing best practices to protect healthcare data.
HIPAA is a U.S. federal law that establishes national standards to protect the privacy and security of sensitive patient health data. While similar to other data protection legislation that governs the collection, use and disclosure of Personally Identifiable Information (PII), HIPAA focuses on providing a balance for the lawful use and disclosure of Protected Health Information (PHI).
PII is personally identifiable information that can be used alone or in combination with other data to uniquely identify an individual. Examples of PII include an individual’s full name, birth date, SSN, bank account number, credit card number, email address or Internet Protocol (IP) address.
PHI is health information (including demographic data) in any form or medium, whether electronic, on paper, or oral, that can be reasonably used to identify an individual. A patient’s past, present or future health status, health care provision, or health care payment data constitute PHI when accompanied by common PII such as full name, birth date and SSN. For example, a medical chart with a patient’s name on it is PHI. Other types of PHI include biometric identifiers, medical record numbers, health insurance beneficiary numbers, and even conversations about patient care or treatment between doctors and nurses.
HIPAA covers a broad range of topics, but there are three main provisions of HIPAA that organizations related to the healthcare sector should be familiar with.
In essence, the HIPAA Privacy Rule aims to protect a patient’s privacy while permitting the flow of important health information when necessary. The Privacy Rule requires that covered entities (e.g., health plans, healthcare providers, and healthcare clearinghouses) assess their operational practices and ensure that the necessary measures are in place to limit the use and disclosure of personally identifiable PHI without a patient’s consent. This gives individuals more rights to access, understand and control when and how their health information may be used or shared.
For covered entities, this means adhering to the “minimum necessary” principle by only using, disclosing or requesting the minimum PHI needed to complete the intended purpose. This includes safeguarding and applying de-identification methods when health data is shared for studies, research or other purposes. There are times when covered entities are permitted to use or disclose PHI. For example, a covered entity may use and disclose PHI when it is required for healthcare operations.
HIPAA generally applies to PHI in all forms, but the Security Rule applies specifically to PHI in electronic form, also known as ePHI. According to the Security Rule, covered entities need to maintain appropriate security measures for protecting ePHI, such as ensuring that all ePHI that is created, received, maintained or transmitted is kept confidential, retains integrity, and is accessible and usable on-demand by authorized persons. Recognizing the diversity of covered entities in the healthcare industry, the Security Rule gives covered entities the flexibility to take into account their size, complexity, available infrastructure, cost, risk likelihood and other considerations when determining the best security practices to implement to secure ePHI.
A breach occurs when there is any use or disclosure of PHI that is impermissible under the HIPAA Privacy Rule. In the event that a breach of unsecured PHI happens, the HIPAA Breach Notification Rule dictates that covered entities must provide written notice to affected individuals without reasonable delay, and no later than 60 days from the discovery of the breach. In more severe cases, such as when a breach impacts more than 500 residents of a state or jurisdiction, the covered entities are also required to notify prominent media outlets about the breach.
These notices must:
Covered entities are also expected to provide insight on action that has been taken to prevent further breaches from happening.
Failing to take HIPAA obligations seriously can be costly. In 2018, one of the largest health benefits companies in the U.S. suffered a devastating data breach that exposed the ePHI of almost 79 million people. This led to a record $16 million fine as the company was found to have violated the HIPAA Privacy and Security Rules.
Other known HIPAA violations that cost organizations reputational and financial damages have included:
The first and most important step towards HIPAA compliance is to be able to answer the question, “Where is all our PHI data stored?” Once you have visibility into where PHI data resides, you can put the right controls in place, such as encryption, de-identification, disposal, and more.
Below is a list of best practices to guide your organization’s HIPAA compliance efforts.
At Ground Labs, we understand the value and vulnerability of healthcare data. With our flagship Enterprise Recon solution, you can quickly search across your organization to determine where all ePHI resides to identify high-risk, unsecured storage locations. Enterprise Recon comes ready with a PHI-centric data type profile that houses many identifiers listed under the HIPAA Safe Harbor method, including full names, mailing address, driver license number, SSN, drug enforcement agency number, Medicare Beneficiary Identifier (MBI), national health plan identifier, national provider number and health insurance claim number. You can further tailor it to organization-specific requirements such as medical record numbers or account numbers using Enterprise Recon’s custom data types.
Enterprise Recon’s scan scheduling enables this PHI data type profile to capture most data points specific to the U.S., and can be configured to capture other common types of HIPAA-sensitive data like credit card numbers and email addresses. With Enterprise Recon’s powerful remediation capabilities, you can take the Safe Harbor de-identification approach by masking sensitive PHI from the web console, or encrypting data at rest.
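As an added example that is not Ground Labs' code and not part of Enterprise Recon, the Python script below shows, at a small scale, the two steps the preceding paragraphs describe: scanning a set of storage locations for identifiers from the Safe Harbor list (here SSN, Medicare Beneficiary Identifier, email address and full date) to rank where unsecured PHI sits, and masking those identifiers so that only the year of a date survives, as Safe Harbor permits. The SSN pattern rejects area numbers 000, 666 and 900-999 and zero groups/serials, which are never issued; the MBI pattern follows the CMS character rules (letters S, L, O, I, B and Z are never used). The file contents and location names are constructed for the example. Identifiers such as full names or medical record numbers have no fixed pattern and would need the organization-specific definitions the text mentions.

```python
"""Pattern-based PHI discovery and Safe Harbor style masking (constructed example)."""
import re
from typing import Dict, List, NamedTuple

# Letters permitted in an MBI: A-Z without S, L, O, I, B, Z (CMS format rules).
_MBI_LETTER = "[AC-HJ-KM-NP-RT-Y]"
_MBI_ALNUM = "[AC-HJ-KM-NP-RT-Y0-9]"

PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # U.S. SSN as AAA-GG-SSSS; never-issued area/group/serial values are rejected.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Medicare Beneficiary Identifier, 11 characters, optionally hyphenated as 1EG4-TE5-MK73.
    "mbi": re.compile(
        rf"\b[1-9]{_MBI_LETTER}{_MBI_ALNUM}\d-?{_MBI_LETTER}{_MBI_ALNUM}\d-?{_MBI_LETTER}{{2}}\d{{2}}\b"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Full dates (MM/DD/YYYY); Safe Harbor strips month and day but may keep the year.
    "date": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}


class Finding(NamedTuple):
    kind: str
    value: str
    start: int
    end: int


def find_identifiers(text: str) -> List[Finding]:
    """Return non-overlapping identifier matches in text, ordered by position."""
    candidates = sorted(
        (Finding(kind, m.group(0), m.start(), m.end())
         for kind, pat in PATTERNS.items() for m in pat.finditer(text)),
        key=lambda f: (f.start, -f.end),
    )
    kept: List[Finding] = []
    cursor = 0
    for f in candidates:
        if f.start >= cursor:          # drop anything overlapping an earlier match
            kept.append(f)
            cursor = f.end
    return kept


def _mask(f: Finding) -> str:
    if f.kind == "date":
        return f.value[-4:]            # 03/14/1961 -> 1961 (year alone is permitted)
    return f"[{f.kind.upper()} REDACTED]"


def deidentify(text: str) -> str:
    """Replace each finding with its mask, right to left so earlier offsets stay valid."""
    out = text
    for f in reversed(find_identifiers(text)):
        out = out[:f.start] + _mask(f) + out[f.end:]
    return out


def scan_store(store: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Count identifier kinds per storage location; locations with no findings are omitted."""
    report: Dict[str, Dict[str, int]] = {}
    for location, content in store.items():
        counts: Dict[str, int] = {}
        for f in find_identifiers(content):
            counts[f.kind] = counts.get(f.kind, 0) + 1
        if counts:
            report[location] = counts
    return report


# Constructed sample "file store": hypothetical paths and made-up records.
SAMPLE_STORE: Dict[str, str] = {
    "shared/exports/claims_2019.csv": (
        "Jane Doe,03/14/1961,123-45-6789,1EG4-TE5-MK73,jane.doe@example.com\n"
        "John Roe,11/02/1978,234-56-7890,4CD5-EF6-GH78,j.roe@example.org\n"
    ),
    "it/logs/app.log": "2020-06-12 10:02:33 user=alice@example.com logged in\n",
    "legacy/test_fixtures.txt": "placeholder SSN 000-12-3456 must never match\n",
    "hr/policies/handbook.txt": "All staff complete annual HIPAA training.\n",
}

if __name__ == "__main__":
    for location, counts in scan_store(SAMPLE_STORE).items():
        print(f"{location}: {counts}")
    print(deidentify(SAMPLE_STORE["shared/exports/claims_2019.csv"]), end="")
```

The report lists only locations that hold identifiers, so an export directory with SSNs and MBIs ranks above an application log that leaks a single email address, and the fixtures file with a never-issued SSN is ignored rather than raising a false alarm. Masking is applied from the right end of the text so that the offsets recorded during discovery remain correct as each replacement changes the string length.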
To find out how Enterprise Recon can address your organization’s HIPAA compliance needs, book a demo today.