The signs are all there. It’s time to get serious about complying with the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules. Are you compliant yet? If not, the U.S. Department of Health and Human Services (HHS) wants you to know that tolerance for noncompliance with HIPAA regulations is lower than ever before. Your odds of being audited, or of paying significant civil monetary penalties should a breach occur, are higher than ever.
The Long Road to HIPAA Compliance: A Trip Down Memory Lane
It’s been more than fifteen years since the HIPAA legislation was passed in 1996, and almost a decade since the Security Rule took effect in 2003 (most covered entities had until April 2005 to comply). Yet, despite the passing of time, the effects of the Security Rule are only now being felt. There are many reasons for the delay in compliance with HIPAA rules by healthcare entities. If we’re honest with ourselves, it comes down to this: for many years, building a security program that truly met the intent of HIPAA wasn’t worth the pain of reading through the dense and ambiguous language of the Security Rule itself. Besides, with no significant penalties in the mix, why bother? The lack of real enforcement meant that healthcare entities neither changed their basic behavior nor made material investments in the security and compliance programs the Rule requires.
Signpost #1: HITECH in 2009
In February 2009, that all changed with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The act addressed the privacy and security concerns associated with the electronic transmission of health information. It brought several significant changes, which together pushed healthcare entities toward compliance with HIPAA requirements. Among the most relevant changes, the HITECH Act:
Despite these sweeping changes, healthcare entities were still slow to adopt remediation programs. In the three years since the breach notification requirements of HITECH went into effect in September 2009, the healthcare industry has seen a steady flow of breaches. According to HITRUST, an organization that regularly analyzes breaches reported to HHS, the number of reported breaches affecting 500 or more individuals had reached 495 as of October 1, 2012.
The rising number of breaches isn’t surprising: the healthcare industry is focused on technology and processes that let clinicians work faster and improve overall quality of care, while still allowing the entity to meet its financial objectives. That focus creates an environment that tolerates practices such as credential sharing, something that would be frowned upon in a financial organization. Whether undertaken to gain “insider” information for personal use or simply to avoid administrative hassle at a heavily used hospital workstation, sharing user name and password combinations is a dangerous practice. It destroys accountability, because the audit trail can no longer tell you who actually viewed or changed a patient record, and it exposes patients to unacceptable risk. In this industry, risk management is vital. Unprotected patient health information puts hospitals, physicians, insurance providers, IT professionals and others at risk of fines, lawsuits and reputational damage. Worst case, it puts the patients themselves at risk of life-threatening misdiagnosis or severe harm.
Signpost #2: Increasing Enforcement in 2012
Starting in 2012, the threat of fines for noncompliance with HIPAA regulations became real. In remarks made in June, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past. He also described OCR’s new audit program, which signaled a more systematic approach to assessing HIPAA compliance than OCR’s previous complaint-driven investigation process. The expectation was that up to 150 HIPAA audits would be completed in 2012. As a result of OCR’s increased focus on pursuing compliance infractions, the following settlements serve as examples of those reached after negotiations that began in 2012:
The WellPoint breach serves as an example of the damage that can occur when adequate policies and procedures do not exist for authorizing access to sensitive applications. In the WellPoint case, security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.
Signpost #3: Omnibus Rule in 2013
With the consequences of breaches and fines becoming more public, healthcare entities have sharply increased IT spending on privacy and security. And this spending couldn’t come a moment too soon.
In January 2013, HHS announced a final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA. The Omnibus Rule (“the final rule”) is NOT new rule-making. Rather, it finalizes HHS Interim Final Rules and proposed rulemaking that were already available for public review. It also comes with all-important effective dates, which every healthcare entity and its business associates (BAs) should note carefully. The Omnibus Rule took effect on March 26, 2013. Covered entities and BAs of all sizes have 180 days beyond that date (until September 23, 2013) to come into compliance with most of the final rule’s provisions, including these significant aspects:
It also changes the definitions of business associates (BAs) and protected health information (PHI), which every covered entity and BA should review.
Interpreting – and Acting Upon – the Signs
What all this should tell IT security professionals in the healthcare industry is that you can no longer ignore the signs: HIPAA compliance is here and real, and you have less than 180 days to comply. With money and audit resources to back it, HHS has served notice that you can, and most likely will, be audited. Once that happens, depending on the type of violation, you can expect the fines to be steep.
More than that, as professionals we should all reflect on what the healthcare industry means to the nation. It is a vital part of the nation’s critical infrastructure, and the industry, and the information that is its lifeblood, should be diligently protected. Patients expect a higher level of privacy and security for their information, and have placed their trust in healthcare entities precisely because of the role the industry plays. It is no coincidence that in healthcare, data breaches carry a high impact in both absolute cost ($305 per record vs. $188 per record on average) and customer churn. When someone you trust fails you, the consequences are high.
Moving forward, expect the healthcare industry to be particularly affected by the challenges of mobility, insider threat, and patient privacy requirements. In terms of trends, we see an influx of mobile technology into the hospital IT infrastructure, especially wireless technologies as exemplified by the “Wireless MD.” IT security professionals in healthcare therefore have to prepare NOW to meet the challenges of HIPAA compliance today, and tomorrow.
To do this, they must balance the demand for workflow efficiency and productivity against the need to secure patient data. The best way to do this is to control access to patient information in a robust and well-managed way, to monitor the activity of healthcare staff (especially those with broad privileges), and to manage who has access to patient information and the systems where it resides. By applying good security controls in a layered, continuous and iterative manner around sensitive patient data, IT teams can reduce overall organizational risk. Good security is then realized, and HIPAA compliance is achieved as a by-product of that good security.
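One concrete piece of the monitoring described above is detecting the credential sharing discussed earlier: the same account active on two different workstations at the same time. The following Python is an added example written for this article; it is not code from the original page, from HHS/OCR, or from any EHR vendor. The log format (timestamp, LOGIN/LOGOFF, user, workstation) and the sample lines are constructed assumptions; adapt the regular expression to whatever your EHR or SIEM actually exports.

```python
"""Flag shared-credential use from authentication log lines.

Added example for this article, not code from the original page or from HHS/OCR.
The log format and SAMPLE_LOG below are constructed assumptions, not a real
EHR audit trail; adapt LINE_RE to your own audit log export.
Rule: an account is flagged as shared when it holds sessions on two different
workstations whose login/logoff intervals overlap in time.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, event, user, workstation.
# nurse.jdoe is logged in on ER-WS-01 and ER-WS-07 at the same time (08:10-08:30);
# dr.smith moves from one workstation to another with no overlap.
SAMPLE_LOG = """\
2013-03-01T08:00:00 LOGIN user=nurse.jdoe ws=ER-WS-01
2013-03-01T08:05:00 LOGIN user=dr.smith ws=ICU-WS-03
2013-03-01T08:10:00 LOGIN user=nurse.jdoe ws=ER-WS-07
2013-03-01T08:30:00 LOGOFF user=nurse.jdoe ws=ER-WS-01
2013-03-01T09:00:00 LOGOFF user=dr.smith ws=ICU-WS-03
2013-03-01T09:05:00 LOGIN user=dr.smith ws=ICU-WS-04
2013-03-01T09:40:00 LOGOFF user=nurse.jdoe ws=ER-WS-07
2013-03-01T10:00:00 LOGOFF user=dr.smith ws=ICU-WS-04
"""

# Assumed line format; real exports will differ.
LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOFF) user=(\S+) ws=(\S+)$")


def parse_sessions(log_text):
    """Return {user: [(start, end, workstation), ...]} built from LOGIN/LOGOFF pairs.

    A LOGIN with no matching LOGOFF is kept as a still-open session (end=None),
    which is exactly the case a shift-change credential hand-off produces.
    Unparseable lines are skipped rather than aborting the whole run.
    """
    open_sessions = {}            # (user, ws) -> login time
    sessions = defaultdict(list)  # user -> list of (start, end, ws)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        event, user, ws = m.group(2), m.group(3), m.group(4)
        if event == "LOGIN":
            open_sessions[(user, ws)] = ts
        else:
            start = open_sessions.pop((user, ws), None)
            if start is not None:
                sessions[user].append((start, ts, ws))
    for (user, ws), start in open_sessions.items():
        sessions[user].append((start, None, ws))
    return sessions


def find_shared_credentials(log_text):
    """Return a sorted list of (user, ws_a, ws_b, overlap_start) findings.

    Two sessions of the same account overlap if the later one starts before the
    earlier one ends (an open session never ends, so it overlaps anything later).
    Repeated logins on the *same* workstation are not sharing and are ignored.
    """
    findings = []
    for user, sess in parse_sessions(log_text).items():
        sess.sort(key=lambda s: s[0])  # order by login time
        for i in range(len(sess)):
            a_start, a_end, a_ws = sess[i]
            for j in range(i + 1, len(sess)):
                b_start, _b_end, b_ws = sess[j]
                if a_ws == b_ws:
                    continue
                if a_end is None or b_start < a_end:
                    findings.append((user, a_ws, b_ws, b_start))
    return sorted(findings)


if __name__ == "__main__":
    for user, ws_a, ws_b, when in find_shared_credentials(SAMPLE_LOG):
        print(f"{when.isoformat()} account {user} active on {ws_a} and {ws_b} concurrently")
```

On the sample data this flags only nurse.jdoe, because dr.smith’s two sessions never overlap. In practice, tune the comparison to your environment (for example, ignore overlaps shorter than the idle timeout of a kiosk workstation) and feed the findings into the same review process you use for other privileged-user activity, since the goal is to identify the workflow problem that caused the sharing, not just the account.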