The signs are all there.  It’s time to get serious about complying with the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules.  Are you compliant yet?  If not, the U.S. Department of Health and Human Services (HHS) wants you to know that tolerance for noncompliance with HIPAA regulations is lower than ever before.  Your odds of being audited, or of paying significant civil monetary penalties should a breach occur, are higher than ever.

The Long Road to HIPAA Compliance:  A Trip Down Memory Lane
It’s been more than fifteen years since the HIPAA legislation was passed in 1996, and almost nine years since the Security Rule went into effect in 2004.  Yet, despite the passing of time, the effects of the Security Rule are only now being felt.  There are many reasons for the delay in compliance with HIPAA rules by healthcare entities.  If we’re honest with ourselves, it comes down to the fact that for many years, putting together a security program that truly met the intent of HIPAA just wasn’t worth the pain of reading through the dense and ambiguous language of the Security Rule itself.  Besides, with no significant penalties in the mix, why bother?  A lack of real enforcement resulted in healthcare entities failing to change their basic behavior or to make material investment in security and compliance programs to meet the requirements of the Rule.

A breakdown of the HIPAA violations that resulted in the illegal exposure of personal information.

Signpost #1:  HITECH in 2009
In February 2009, that all changed with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The act addressed the privacy and security concerns associated with the electronic transmission of health information.  Several significant changes were brought about as a result of the act, all acting together to enforce compliance with HIPAA requirements.  Among the most relevant changes, the HITECH Act:

  • Extended the complete Privacy and Security Provisions of HIPAA to Business Associates (BAs) of covered entities.
  • Introduced the first federally mandated Data Breach Notification requirements on covered entities, business associates, vendors of personal health records (PHR) and related entities.
  • Significantly increased the penalty amounts the HHS Secretary may impose for violations of the HIPAA rules and encouraged prompt corrective action.
  • Redirected penalties obtained back into enforcement activities rather than a general fund.
  • Opened the way for enforcement action by states’ attorneys general.

Despite these sweeping changes, healthcare entities were still slow to adopt remediation programs.  In the three years since the breach notification requirements of HITECH went into effect, the healthcare industry has seen a steady flow of breaches.  According to HiTrust, an organization that regularly analyzes breaches reported to the HHS, the number of breaches affecting over 500 individuals totaled 495 as of October 1, 2012.

The rising number of breaches isn’t surprising given that the Healthcare industry is focused on seeking technology solutions and processes that enable staff to work faster and improve overall quality of care, while still enabling the entity to meet financial objectives.  This focus creates an environment that tolerates such practices as credential sharing, an activity that would be frowned upon in a financial organization.  Whether undertaken to gain “insider” information for personal use or to avoid administrative hassles at an often-used hospital workstation, the shared use of user name and password combinations is a dangerous practice that can lead to unacceptable risk to patients.  In this industry, risk management is vital.  Unprotected patient health information can put hospitals, physicians, insurance providers, IT professionals and others at risk of fines, lawsuits and reputational damage.  Worst case, it puts the patients themselves at risk of life-threatening misdiagnosis or severe harm.

Signpost #2:  Increasing Enforcement in 2012
Starting in 2012, the threat of fines for noncompliance with HIPAA regulations became real.  In remarks made in June, OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.  He also rolled out the OCR’s new audit program, which signaled a more systematic approach to assessing HIPAA compliance as compared to OCR’s previous investigation and complaint process.  The expectation was that 150 HIPAA audits were to be completed in 2012.  As a result of the OCR’s increased focus on pursuing compliance infractions, the following settlements serve as examples of those that were reached after a period of negotiations that began in 2012:

  • March 2012:  Blue Cross Blue Shield of Tennessee agreed to pay the HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules.
  • May 2013:  Idaho State University agreed to pay $400,000 to the HHS to settle alleged HIPAA violations.
  • July 2013:  WellPoint agreed to pay the HHS $1.7 million to settle potential violations of the HIPAA Security Rule.

The WellPoint breach serves as an example of the damage that can occur when adequate policies and procedures do not exist for authorizing access to sensitive applications.  In the WellPoint case, security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.

Signpost #3:  Omnibus Rule in 2013
With the consequences of breaches and fines becoming more public, healthcare entities have sharply increased IT spending on privacy and security.  And this spending couldn’t come a moment too soon.

In January 2013, the HHS announced a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Omnibus Rule (“the final rule”) is NOT new rule-making.  Rather, it is the finalization of HHS Interim Final Rules and proposed rulemaking that was already available for public review.  It also comes with all-important effective dates which all healthcare entities and their BAs should note carefully.  The Omnibus Rule is effective on March 26, 2013.  Covered entities (CEs) and BAs of all sizes will have 180 days beyond that date to come into compliance with most of the final rule’s provisions, including these significant aspects:

  • Enforcement Rule
    • Substantial increases in minimum penalty amounts, with a maximum penalty amount of $1.5 million annually for all violations of an identical provision.  In the final rule, the HHS makes it perfectly clear that the number of identical violations is exactly equal to the number of individuals affected.  In the case of a large breach of unsecured PHI, this could be a hugely damaging financial hit to a healthcare entity.
    • CEs and BAs are liable for the acts of their BA agents.
    • Entities have 30 days to notify HHS of a violation due to willful neglect, to begin on the first day they have actual or constructive knowledge of the violation.
  • Breach Notification Rule
    • Breach notification is NOT required if a CE or BA demonstrates through a Risk Assessment (RA) that there is a low probability that PHI has been compromised.
    • The Risk Assessment should address:
      • The nature and extent of the PHI involved
      • The unauthorized person who used the PHI or to whom the PHI was disclosed
      • Whether the PHI was actually acquired or viewed
      • The extent to which the risk to the PHI has been mitigated

It also includes changes to the definitions of business associates (BAs) and Protected Health Information (PHI), which all covered entities and BAs should review.

Interpreting – and Acting Upon – the Signs
What this should all tell IT security professionals in the Healthcare industry is that you can no longer ignore the signs: HIPAA compliance is here and real, and you have less than 180 days to comply.  With money and audit resources to back it, the HHS has served notice that you can and most likely will be audited.  Once that happens, depending on the type of violation, you can expect the fines to be steep.

More than that, as professionals we should all reflect on what the Healthcare industry means to the nation.  It is a vital part of the nation’s critical infrastructure.  As such, the industry, and the information which is its lifeblood, should be diligently protected.  Patients expect a higher level of privacy and security to be afforded to their information, and have placed their trust in healthcare entities, simply because of the role the Healthcare Industry plays in the nation.   It’s not a coincidence that in the healthcare industry, data breaches have high impact in terms of absolute costs ($305/record v. $188/record on average) and customer churn.  When someone you trust fails you, the consequences are high.

Moving forward, expect the Healthcare industry to be particularly impacted by the challenges of mobility, insider threat, and patient privacy requirements.  In terms of trends, we see an influx of mobile technology within the hospital IT infrastructure, especially wireless technologies as exemplified by the “Wireless MD.”  What this means is that IT security professionals in the Healthcare industry have to prepare NOW to meet the challenges of HIPAA compliance today – and tomorrow.

To do this, they must balance the demand for workflow efficiency and productivity with the need to secure patient data. The best way to do this is by controlling access to patient information in a robust and well-managed way, monitoring the activity of healthcare staff, especially those with broad privileges, and managing who has access to patient information and the systems where it resides. By applying good security controls in a layered, continuous and iterative manner around sensitive patient data, IT teams can mitigate total organization risk.  Good security is then realized and HIPAA compliance is achieved as a “by-product” of this good security.
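As an added illustration of the monitoring the paragraph above calls for (this is example code written for this page, not the author’s tooling or any product), the script below runs over a constructed workstation audit log and flags one concrete indicator of the credential sharing described earlier: a single account with overlapping sessions on two different workstations. It also counts distinct patient records viewed per account, a baseline that helps reviewers notice broadly privileged accounts touching unusual volumes. The log format, user names, workstation names and patient IDs are all invented for the example; a real deployment would read the same events from the EHR application’s audit trail or the directory service.

```python
"""Flag shared-credential indicators in workstation audit records (added example)."""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample log: "timestamp,user,workstation,event,patient_id".
# The 'nurse_jane' account is logged in on two workstations at once.
SAMPLE_LOG = """\
2013-10-01T08:00:00,nurse_jane,WS-ICU-01,login,
2013-10-01T08:05:00,nurse_jane,WS-ICU-01,view,P1001
2013-10-01T08:07:00,nurse_jane,WS-ER-04,login,
2013-10-01T08:09:00,nurse_jane,WS-ER-04,view,P2002
2013-10-01T08:20:00,nurse_jane,WS-ICU-01,logout,
2013-10-01T08:30:00,nurse_jane,WS-ER-04,logout,
2013-10-01T09:00:00,dr_smith,WS-CLINIC-02,login,
2013-10-01T09:01:00,dr_smith,WS-CLINIC-02,view,P3003
2013-10-01T09:40:00,dr_smith,WS-CLINIC-02,logout,
2013-10-01T09:50:00,dr_smith,WS-CLINIC-07,login,
2013-10-01T10:10:00,dr_smith,WS-CLINIC-07,logout,
"""


def parse_log(text):
    """Parse the CSV-style lines into dicts, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, event, patient = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ws": ws, "event": event, "patient": patient or None})
    return sorted(records, key=lambda r: r["ts"])


def build_sessions(records):
    """Pair login/logout events per (user, workstation) into sessions.
    A login with no later logout becomes an open session (end is None)."""
    open_sessions, sessions = {}, []
    for r in records:
        key = (r["user"], r["ws"])
        if r["event"] == "login":
            open_sessions[key] = r["ts"]
        elif r["event"] == "logout" and key in open_sessions:
            sessions.append({"user": r["user"], "ws": r["ws"],
                             "start": open_sessions.pop(key), "end": r["ts"]})
    for (user, ws), start in open_sessions.items():
        sessions.append({"user": user, "ws": ws, "start": start, "end": None})
    return sessions


def find_concurrent_sessions(sessions):
    """Return (user, ws_a, ws_b, overlap_minutes) for every pair of sessions
    of the same account on different workstations that overlap in time.
    overlap_minutes is None when both sessions are still open."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    findings = []
    for user, user_sessions in by_user.items():
        for a, b in combinations(user_sessions, 2):
            if a["ws"] == b["ws"]:
                continue
            start = max(a["start"], b["start"])
            ends = [e for e in (a["end"], b["end"]) if e is not None]
            if not ends:  # both open: overlapping from `start` onward
                findings.append((user, a["ws"], b["ws"], None))
            elif start < min(ends):
                minutes = (min(ends) - start).total_seconds() / 60
                findings.append((user, a["ws"], b["ws"], round(minutes)))
    return sorted(findings, key=lambda f: f[:3])


def record_views_per_user(records):
    """Count distinct patient records viewed per account."""
    seen = defaultdict(set)
    for r in records:
        if r["event"] == "view" and r["patient"]:
            seen[r["user"]].add(r["patient"])
    return {u: len(p) for u, p in seen.items()}


def analyze(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings."""
    records = parse_log(text)
    return {"concurrent": find_concurrent_sessions(build_sessions(records)),
            "views": record_views_per_user(records)}


if __name__ == "__main__":
    result = analyze()
    for user, ws_a, ws_b, mins in result["concurrent"]:
        span = f"{mins} min" if mins is not None else "still open"
        print(f"shared-credential indicator: {user} on {ws_a} and {ws_b} ({span})")
    for user, n in sorted(result["views"].items()):
        print(f"{user}: {n} distinct patient records viewed")
```

On the sample data the script reports nurse_jane active on WS-ICU-01 and WS-ER-04 for 13 overlapping minutes and nothing for dr_smith, whose two sessions are sequential. A concurrent-session hit is an indicator, not proof of sharing (a forgotten logout on a shared ward workstation produces the same pattern), so the open-session case is reported separately for a human to follow up.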

Kent Purdy
Jan 22, 2014
8:44 am