By Richard Bailey, lead IT consultant, Atlantic.Net.
The Health Insurance Portability and Accountability Act of 1996 is a day-to-day concern for medical professionals and healthcare management teams in the United States. HIPAA, and the subsequent Privacy and Security amendments of 2003, were created to protect the confidentiality of Protected Health Information (PHI).
The Breach Notification Rule was added in 2009 to include specific laws about how to respond to a breach, and the Final Omnibus Rule was added in 2013 to harden the enforcement rules and response requirements.
A HIPAA breach is a serious concern: it can be very costly and instantly creates financial and reputational damage. A breach must be responded to appropriately by the HIPAA-covered entities and any impacted Business Associates.
The threat landscape has definitely changed in 2020/2021. COVID-19 has changed the way front-line healthcare is delivered, and it has also put great pressure on upholding the data integrity of PHI, despite some concessions being offered by the Office for Civil Rights (OCR) during the pandemic.
Between March 2020 and March 2021, 530 data breaches were reported to the OCR; this includes both confirmed data breaches and breaches that are currently under investigation. These figures suggest that 26,023,940 patient records were exposed in data breaches in one single year, quite a staggering figure.
What is a HIPAA data breach?
There are two types of breaches classified by the U.S. Department of Health and Human Services (HHS). A breach that does not disclose PHI is considered “not a breach.” A breach that does disclose PHI must be classified as either an intentional or an unintentional disclosure. Deliberate disclosure is considered a very serious breach and typically involves significant penalties.
The primary cause of breaches is usually a lost or stolen computing device, such as a laptop, cell phone, or tablet. Many losses are attributed to employee carelessness, mistakes, or unintentional actions. The other major cause is third-party involvement: hackers, malicious actors, and so on.
By Richard Bailey, lead IT strategist, Atlantic.Net.
covered entity and a business associate. It is a HIPAA law created to ensure that all of the HIPAA compliance risks (administrative, physical, and technical) are identified, and a roadmap is designed to plan the fixes necessary to resolve the issues found.
The risk assessment was not part of the original Health Insurance Portability and Accountability Act of 1996. Instead, it was first introduced in the 2003 Privacy Rule and Security Rule amendments and was then further expanded upon in the Final Omnibus Rule of 2013.
HIPAA legislation defines a Covered Entity (CE) as anyone that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.
The U.S. Department of Health and Human Services (HHS) officially defines a CE as: healthcare providers such as doctors, dentists, nursing homes, and pharmacies; health insurance companies, HMOs, Medicare, and Medicaid; and clearinghouses.
A business associate is any third-party business or organization that handles individually identifiable health data on behalf of a covered entity. The risk assessment is often considered the starting point for achieving HIPAA compliance.
What is a risk assessment?
A risk assessment is commonly the first task undertaken when a covered entity and a business associate enter into a Business Associate Agreement (BAA). Its purpose is to identify the areas within the business that process, store, and transmit protected health information (PHI) and are therefore in scope for HIPAA compliance.
PHI is the patient data that the law is meant to safeguard: any data that can be used to personally identify an individual. Examples include patient names, email addresses, Social Security numbers, insurance certificates, and so on.
Areas of risk are highlighted, and a roadmap is created for the CE to become HIPAA compliant. Most risk assessments follow the NIST Cybersecurity Framework, which is a straightforward but highly productive process. The NIST framework has five essential parts: Identify, Protect, Detect, Respond, and Recover. The OCR takes this further with its nine essential elements of Risk Analysis, but either framework covers similar topics.