Our HIPAA history lesson starts on 21st August 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law as an Act to “improve the portability and accountability of health insurance coverage” for employees between jobs. Other objectives of the Act were to combat waste, fraud and abuse in health insurance and healthcare delivery. The Act also contained passages to promote the use of medical savings accounts by introducing tax breaks, provided coverage for employees with pre-existing medical conditions and simplified the administration of health insurance.
The procedures for simplifying the administration of health insurance became a vehicle to encourage the healthcare industry to computerize patients' medical records. This particular part of the Act spawned the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which in turn led to the introduction of the Meaningful Use incentive program – described by leaders in the healthcare industry as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years”.
The HIPAA Privacy and Security Rules Take Shape
Once HIPAA had been signed into law, the US Department of Health and Human Services set about creating the first HIPAA Privacy and Security Rules. The Privacy Rule had an effective compliance date of April 14, 2003, and it defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
Instructions were issued on how PHI should be disclosed, and permission had to be sought from patients before their personal information was used for marketing, fundraising or research. The Rule also gave patients the right to withhold information about their healthcare from health insurance providers when their treatment is privately funded.
The HIPAA Security Rule came into force two years after the original legislation on April 21, 2005. Dealing specifically with electronically stored PHI (ePHI), the Security Rule laid down three security safeguards – administrative, physical and technical – that must be adhered to in full in order to comply with HIPAA. The safeguards had the following goals:
- Administrative – to create policies and procedures designed to clearly show how the entity will comply with the Act.
- Physical – to control physical access to areas of data storage to protect against inappropriate access.
- Technical – to protect communications containing PHI when transmitted electronically over open networks.
The Introduction of the Enforcement Rule
The failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules resulted in the introduction of the Enforcement Rule in March 2006. The Enforcement Rule gave the Department of Health and Human Services the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI caused by not following the safeguards laid down by the Security Rule.
The Department's Office for Civil Rights was also given the power to bring criminal charges against persistent offenders who fail to introduce corrective measures within 30 days. Individuals also have the right to pursue civil legal action against the covered entity if their personal healthcare information has been disclosed without their permission and the disclosure causes them to come to “serious harm”.
HITECH 2009 and the Breach Notification Rule
HIPAA history continued in 2009 with the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH had the primary goal of compelling healthcare authorities to implement the use of Electronic Health Records (EHRs) and introduced the Meaningful Use incentive program. Stage one of Meaningful Use was rolled out the following year, incentivizing healthcare organizations to maintain the Protected Health Information of patients in electronic format, rather than in paper files.
With the incentive program also came an extension of HIPAA Rules to Business Associates and third-party suppliers to the healthcare industry, and the introduction of the Breach Notification Rule – which stipulated that all breaches of ePHI affecting more than 500 individuals must be reported to the Department of Health and Human Services’ Office for Civil Rights. The criteria for reporting breaches of ePHI were subsequently extended in the Final Omnibus Rule of March 2013.
The Final Omnibus Rule of 2013
The most recent act of legislation in HIPAA history was the Final Omnibus Rule of 2013. The rule barely introduced any new legislation, but filled gaps in existing HIPAA and HITECH regulations – for example, specifying the encryption standards that need to be applied in order to render ePHI unusable, undecipherable and unreadable in the event of a breach.
Many definitions were amended or added to clear up grey areas – for example the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.
The Privacy and Security Rules were also amended to allow patients' health information to be held indefinitely (the previous legislation had stipulated it be held for fifty years), while new procedures were written into the Breach Notification Rule. New penalties were also applied – as dictated by HITECH – to covered entities that fell foul of the HIPAA Enforcement Rule.
Amendments were also included to account for changing work practices brought about by technological advances, covering the use of mobile devices in particular. A significant number of healthcare professionals are now using their own mobile devices to access and communicate ePHI, and the Final Omnibus Rule included new administrative procedures and policies to account for this, and to cover scenarios which could not have been foreseen in 1996.
Consequences of the Final Omnibus Rule
What the Final Omnibus Rule achieved more than any previous legislation was to make covered entities more aware of HIPAA safeguards that they had to adhere to. Many healthcare organizations – who had been in breach of HIPAA for almost two decades – implemented a number of measures to comply with the regulations, such as using data encryption on portable devices and computer networks, implementing secure messaging solutions for internal communications with care teams, installing web filters and taking more care to archive emails securely.
The financial penalties now being issued for data breaches, along with the colossal costs of issuing breach notifications, providing credit monitoring services and conducting damage mitigation, make investment in new technology to protect data appear cheap by comparison.
The HIPAA Compliance Audit Program
In 2011, the Office for Civil Rights commenced a series of pilot compliance audits to assess how well healthcare providers were implementing the HIPAA Privacy and Security Rules. The first round of audits was completed in 2012 and highlighted the dire state of healthcare compliance.
Audited organizations registered numerous violations of the HIPAA Breach Notification Rule, Privacy Rule and Security Rule, with the latter resulting in the highest number of violations. The OCR issued action plans to help those organizations achieve compliance; however, for the second round of audits it is not expected to be as lenient.
Audits are expected to target the specific areas which proved problematic for so many healthcare providers, while a permanent audit plan is being planned to ensure continued HIPAA compliance. The age of lax security standards has now passed and the healthcare industry, like the financial industry before it, must raise standards to ensure confidential data remains private.
Any covered entity that does not implement the required controls faces financial penalties, sanctions, potential loss of license and even criminal proceedings for failing to secure ePHI.
How to Achieve Full HIPAA Compliance
Our “HIPAA Compliance Checklist” covers the elements of the Health Insurance Portability and Accountability Act relating to the storage, transmission and disposal of electronic Protected Health Information, the actions organizations must take in response to a breach and the policies and procedures which must be adopted to achieve full compliance.
HIPAA regulations may be strict, yet covered organizations are allowed some flexibility on the privacy and security safeguards used to protect data. Data encryption, for instance, must be addressed but not necessarily implemented if other controls provide the necessary protection.
Some of the main technical safeguards used to protect and control ePHI actually help to streamline communication and information flow, and organizations which have adopted secure communications channels and implemented data controls have benefited from improved efficiency, faster response times and have improved patient outcomes, while ensuring that patient health data remains fully protected at all times.
Technical Safeguards to Secure ePHI and Personal Identifiers
The use of laptop computers and other mobile devices for storing or accessing ePHI inevitably results in a HIPAA breach if those devices are lost, stolen or improperly recycled. Password protection of devices – and the data they contain – is a reasonable step to prevent unauthorized access, but alone it is insufficient to provide the necessary protection for health data. Passwords can easily be cracked by hackers and do not provide a sufficiently high level of security.
Data encryption involves the conversion of data into indecipherable symbols – termed cipher text – by complex algorithms that require a security key to convert the data back into its original form. Data encryption ensures privacy, but it can also offer other security benefits such as verification of users, access logging, the prevention of record changes and non-repudiation of access and/or theft.
The level of security can be adjusted as appropriate based on the sensitivity of the data it is used to protect. Data can be encrypted with single security key access or with separate keys for encryption and decryption (symmetric and asymmetric data encryption).
If a mobile device holding encrypted ePHI is lost or stolen, or if computer networks are hacked, the incident will still be considered a security breach, but it would not be a HIPAA violation unless the access key is also disclosed.
The healthcare industry and the pager appear almost inseparable, yet this is about to change. The focus on HIPAA compliance currently centers on smartphones and wearable technology, yet the pager is not HIPAA compliant either. All such mobile devices transmit data over unsecured networks and therefore rely on users not sending ePHI.
BYOD schemes have now been introduced by many healthcare providers, although modern mobile devices have even greater potential to cause HIPAA violations due to the ease at which personal identifiers and ePHI can be sent. Policies and procedures may be put in place to control how these devices are used, although surveys suggest that in practice many medical professionals are still using the devices to communicate ePHI.
Secure messaging solutions prevent this. They work by maintaining ePHI in a secure database and then allowing authorized medical professionals to access the data via downloadable secure messaging apps. Communications are channeled through a secure messaging platform which has administrative controls in place to monitor the activity of the authorized personnel. They also allow compliance officers to produce risk assessments, as required by HIPAA and the Office for Civil Rights' auditors.
Many healthcare organizations have reported that the implementation of secure messaging solutions has increased productivity by streamlining communications, increasing message accountability and accelerating response times. According to studies conducted in HIPAA-compliant medical facilities, efficiency has also increased, resulting in a higher standard of healthcare being delivered to patients.
Compliant Cloud Storage
The move from physical health records to electronic data formats has required considerable investment in IT infrastructure. The demands placed on healthcare organizations to continually upgrade servers and networks, and employ the staff to manage data centers, can be considerable. In addition to the hardware, space must be devoted to storing the equipment and physical controls must be used to control access.
The computer equipment now required to run large networks and store healthcare data requires cooling systems to be installed to dissipate the heat the equipment generates. The most cost effective solution for many healthcare providers is to outsource data storage and take advantage of the cloud to store data. HIPAA-compliant cloud hosting employs the appropriate controls to secure all stored data with encryption. By outsourcing, healthcare organizations can comply with HIPAA regulations without having to invest so heavily in IT infrastructure.
Compliant Mobile Platforms (App Development)
Mobile health apps are popular with patients for tracking and monitoring health and fitness, and wearable devices have the potential to revolutionize home healthcare. They can be used in conjunction with e-visits to provide home care services to patients at a fraction of the cost of healthcare center visits.
Patient portals similarly have great potential: they improve interaction between care providers and patients, and cut down on unnecessary costs while helping to improve patient outcomes. The development of HIPAA compliant mobile app frameworks, compliant storage and HIPAA compliant web solutions means healthcare providers can take advantage of the benefits of new technology without jeopardizing the privacy and security of patient data.
More technical safeguards to secure ePHI and personal identifiers are no doubt in the planning stage now and will impact HIPAA history in the future. In the meantime, here is a brief HIPAA history timeline.