HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA, set the standard for protecting sensitive patient data. Any company that deals with protecting patient data. Any company dealing with protected health information (PHI) must ensure that all the required physical, network and process security measure are in place.
It provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs.
HIPPA was approved to provide the public the following benefits:
- Reduce health care fraud and abuse.
- Mandate industry-wide standards for health care information on electronic billing and other processes.
- To establish basic privacy and security protection of health information.
- To guarantee individuals the right to access their health information and learn how it is used and disclosed
- To simplify payment for health care.
- Requires the protection and confidential handling of protected health information.
Why HIPAA was needed:
The Health Insurance Portability and Accountability Act, or HIPPA, is important because it protects patient privacy and ensures coverage of individuals with pre-existing conditions.
It ensures that information remains secure, medical providers must ensure that records are safeguarded and that only authorized and trained personnel have access to them.
HIPPA was needed because:
- Protected information cannot be shared without the patient’s consent. Consent is not needed to share information to coordinate care, for billing purposes, to protect public health or when providers are legally required to report injuries, such as gunshot wounds.
- HIPPA gives patients the right to request copies of their medical records and request corrections if information is inaccurate.
- A very important aspect of HIPAA law, is the right for you to designate who can speak for you. In order for anyone to speak on your behalf, a form must be filled out. This includes if you have someone helping with your insurance issues or bills.
HIPAA Rules and Regulations:
There are 5 main rules for HIPPA that are:
-HIPAA Privacy Rule
-HIPAA Security Rule
-HIPAA Breach Notification Rule
-HIPAA Omnibus Rule
-HIPAA Enforcement Rule
The Privacy rule focuses on the right of an individual to control the use of his or her personal information. Protected health information (PHI) should not be divulged or used by others against their wishes. The Privacy rule covers the confidentiality of PHI in all formats including electronic, paper and oral. Confidentiality is an assurance that the information will be safeguarded from unauthorized disclosure. The physical security of PHI in all formats is an element of the Privacy rule.
The Security rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (ePHI). Protection of ePHI data from unauthorized access, whether external or internal, stored or in transit, is all part of the security rule. Typically, ePHI is stored in:
- Computer hard drives
- Magnetic tapes, disks, memory cards
- Any kind of removable/transportable digital memory media
- All transmission media used to exchange information such as the Internet, leased lines, dial-up, intranets, and private networks
The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).
HIPAA Privacy Rule:
HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HIPAA Privacy Rule governs how ePHI (electronic Protected Health Insurance) can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), and healthcare clearinghouses and – from 2013 – the Business Associates of covered entities.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients or their nominated representatives rights over their health information; including the right to obtain a copy of their health records or examine them and the ability to request corrections if necessary.
Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to advice patients and plan members of the circumstances under which their data will be used or shared.
Covered entities are also advised to:
- Provide training to employees to ensure they are aware what information may and may not be shared outside of an organization’s security mechanism.
- Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients. Ensure written permission is obtained from patients before their health information is used for purposes such as marketing, fundraising or research. Covered entities should make sure their patient authorization forms have been updated to include the disclosure of immunization records to schools, include the option for patients to restrict disclosure of ePHI to a health plan (when they have paid for a procedure privately) and also the option of providing an electronic copy to a patient when it is requested.
HIPAA Security Rule:
The HIPAA Security Rule contains the standards that must be applied to safeguard and protect ePHI when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. By “access” we mean having the means necessary to read, write, modify or communicate ePHI or personal identifiers which reveal the identity of an individual.
There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards – and we will address each of these in order in our HIPAA compliance checklist.
These have to do with the policies and procedures you have in place to ensure the proper employee management, training and oversight for staff that come into contact or manage protected health information.
These are details that HIPAA compliance software like True Vault manages that providers of HIPAA hosting don’t touch. They include things like encryption and decryption, audit controls, emergency access procedures, HIPAA file storage and more.
These are the safeguards around the security of the data. True Vault and other HIPAA compliant hosting companies cover this portion of the safeguards and includes data redundancy and failure requirements, access to servers and more.
HIPAA Breach Notification Rule
The Breach Notification Rule requires most healthcare providers to notify patients when there is a breach of unsecured PHI. The Breach Notification Rule also requires the entities to promptly notify HHS if there is any breach of unsecured PHI, and notify the media and public if the breach affects more than 500 patients.
HIPAA Omnibus Rule:
HIPAA omnibus rule clarifies procedures and policies, and expanded the HIPAA compliance checklist to cover Business Associates and their subcontractors.
Business Associates are classed as any individual or organization that creates, receives, maintains or transmits Protected Health Information in the course of performing functions on behalf of a covered entity. The term Business Associate also includes contractors, consultants, data storage companies, health information organizations and any subcontractors used by Business Associates.
HIPAA IT Compliance
HIPAA IT compliance is primarily concerned with ensuring all the provisions of the HIPAA Security Rule are followed and all elements on your HIPAA compliance checklist are covered. Risk assessment and management is a key consideration for HIPAA IT compliance.
HIPAA IT compliance concerns all systems that are used to transmit, receive, store, or alter electronic protected health information. Any system or software that ‘touches’ ePHI must incorporate appropriate security protections to ensure the confidentiality, integrity, and availability of ePHI.
One way to help ensure risks are identified and appropriate controls are implemented as part of your HIPAA IT compliance program is to adopt the NIST Cybersecurity Framework.
NIST Cybersecurity Framework:
The NIST Cybersecurity Framework will help you to prevent data breaches, and detect and respond to attacks in a HIPAA compliant manner when attacks do occur. This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.
HIPAA Compliance Tools:
SIMBUS is a complete HIPAA Compliance office management system complete with a custom dashboard and access to an editable and printable set of Policies, Procedures and Forms. Simply go through the tasks at your own pace and get compliant. Add employees, send tasks, manage audits, mitigate breaches and get support through a secure, mobile friendly management system. No software to install, get access immediately.
Office Safe streamlines everything that is needed to comply with HIPAA. In office safe user can customize and maintain all required HIPAA policies, Take and store result of mandatory risk assessment, easily add users and access account information, train employees with videos, quizzes and other resources, create emergency and incident response plan and Generate Business Associate Agreements.
Data Motion is one of the tools that implements “Email Encryption” technique that is one of the components of the HIPPA security.
The software includes the following features engaging the workflows for salesforce in an email
- Secure messaging
- Encryption for email
- File transfers
- Data transfers
- Integration between CRM and smartphones apps
Along with the safe data delivery the software includes reporting and tracking for all the progress, also data recovery, content filtering and de-identification in case of data loss is available.
QliqSOFT software is one of the tools that provides a secure gateway for texting maintaining the integrity of doctor-patient confidentiality.
The main features included in the software are as follows:
- On-call scheduling and notifications for the users
- Share images and documents for the patients to share their data without having to be at the workstation
- Customized quick messages to send a quick response using frequently used messages
- Group and broadcast messaging is implanted to send alerts and make announcements without having to call a meeting
- Presence Status can be marked by the doctors to show their availability status
- Escalated notifications are also integrated and can be set to a specific time period so that the user is alerted when a qliq message is sent
- Active directory contacts are implemented so it’s easy to list down all the active and available doctors for duty
- EMR integration is implemented to easily access the patient’s data and receive notifications and alerts
Also qliqSOFT implements HIPPA security rule using the following features
- Message Archiving:
This includes the copies of messages along with timestamps that help in auditing.
- Public and Private Key Encryption:
Unique key encryption is provided to the user to access the data and can only be decrypted by specific users, also public key is provided to access data on the servers before re-encryption.
- Cloud Pass Thru:
Using the cloud-pass thru data is transferred directly from one qliq user to another reducing the possibility of data breach.
- User Authentication:
The data is protected using passwords and Id for login and monitoring data .
- Remote Lock and Data Wipe:
All the devices connected to the server are easily monitored and in case the device is lost an “Easy Wipe” feature is available to avoid security breach
- Business Associate Agreement:
When requested, qliqSOFT provides a Business Associate Agreement to customers maintaining HIPAA compliance.
Sakoosa is a tool that provides cloud based security, All the tools such as “Dropbox”, “Google Drive” etc. are maintained by categorizing the files on the basis of risk analysis and then encrypted to avoid security breach.
HIPAA Testing strategies:
Initial Sanity Testing
- For each high risk role, Operation and Component perform sanity testing and identify the major risks in the beginning.
- View encryption for any health information in the database.
- View and update the audit trail for an application .
Develop a Roles Matrix
- Identify the roles, components and operations associated with the application.
- Get approval from the customer and the identification of the risk level associated with each role
- Risk identification factors (information disclosure, frequency of use, chance of error, and impact to the customer if an error occurs in a given component.)
Create Test Cases
- Identify test scenarios and write low level cases for each scenario to provide better traceability.
- Provide clarity in defect status reports.
HIPPA Compliance Testing Areas:
- User authentication in an application is typically one of the following:
In user authentication not only the positive but negative scenarios are also covered.
- Login failure for each of the following reasons, where applicable:
- empty user id
- empty password
- invalid user id (including case-sensitivity if applicable)
- invalid password (including case-sensitivity if applicable)
- expired account
- blocked account
- Locked-out account (after repeatedly failing login x number of times)
- Login success after password change
- Characteristics of password change itself:
- cannot reuse previous x passwords
- forced to change after certain time period
- Login idle timeout (user session expires after being idle for a period of time) on both workstations and mobile devices
- Login credentials not stored in application memory (if required for security)
There are two main strategies that are used in this category but tested on the basis of the operation application is using
- Role Based Access:
In this the users are grouped into the classes that are associated with the level of access the are granted while using a specific component.
- Patient Allocation
This is done based on the requirements of the application and test cases are designed keeping in context the PA limitations such as:
- Application users are only able to view/add/modify/delete patient information that they have access to.
- Ensure that all the electronic information related to the patient is deleted if the application is uninstalled
In case of audit trails a following set of verifications needs to be performed:
-All audit trail entries exist, for every operation performed on the EPHI (electronic protected health information).
-Ensure that the entries against all the platforms exist in the audit trail.
Each audit trail has the following information:
- Date and timestamp of the action.
- The user id / name of the user performing the action.
- The access level of the user.
- The patient record id (if applicable) on which the action was performed.
- The action performed or attempted.
- The specific application component from which it was performed (e.g., billing vs. patient charting).
- The location or system id (if applicable) from which the action occurred (e.g., the hospital or clinic’s NPI (National Provider Identifier).
- Audit trail can be easily followed for future investigations if required .
- The audit trail in uneditable .
- Access to view the audit trail is only granted to a limited set of users.
- In case of security breach, user identification is easy to follow.
- The Audit trail is encrypted.
In case have surety that the encryption is present during data transfers (Wireshark) software is used to assess the following:
-Data access for all the workstations and database is present on which the application is installed
-Data transfer to an external location
-Movement of data to an offline location
In case of payment transfers this needs to be ensured that proper X12 format is used
Information on Correct Data Usage:
In this section we verify that prior to access to the data it is explained to the user how to use the application by using a help section explaining how each operation is performed using electronic health data protection.
Another way to perform this is to provide the team with the training version of the application so that they can familiarize themselves with the flow of the application and then start working on the real EHPI.
HIPAA regulation include:
-Privacy of health information
-Security of health information
-Notification of breaches of confidentiality
-Penalties of violating HIPAA
“The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance.
HIPAA Violations & Penalties:
At its simplest, a HIPAA violation is when a covered entity does not maintain appropriate safeguards to prevent the intentional or unintentional use or disclosure of PHI, according to the guidelines in the HIPAA Privacy Rule.
The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.
Fines will increase with the number of patients and the amount of neglect. Starting with a breach where you didn’t know and, by exercising reasonable diligence, would not have known that you violated a provision. To the other end of the spectrum where a breach is due to negligence and not corrected in 30 days. In legalese, this is known as mens rea (state of mind). So fines increase in severity from no mens rea (didn’t know) to assumed mens rea (willful neglect).
The fines and charges are broken down into 2 major categories: “Reasonable Cause” and “Willful Neglect”.
Reasonable Cause ranges from $100 to $50,000 per incident and does not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.
The penalties for a HIPAA violation can be sever with both civil and criminal penalties that can be enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
Generally speaking, breaches that fall under reasonable cause range from $100 to $50,000 per breach. Willful neglect cases range from $10,000 to $50,000 and often result in criminal charges being brought against the people involved.
Here is a quick chart that shows how the range of civil penalties that can reach a maximum of $1.5 million per violation.
|Violation||Minimum Penalty||Maximum Penalty|
|Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA||$100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)||$50,000 per violation, with an annual maximum of $1.5 million|
|HIPAA violation due to reasonable cause and not due to willful neglect||$1,000 per violation, with an annual maximum of $100,000 for repeat violations||$50,000 per violation, with an annual maximum of $1.5 million|
|HIPAA violation due to willful neglect but violation is corrected within the required time period||$10,000 per violation, with an annual maximum of $250,000 for repeat violations||$50,000 per violation, with an annual maximum of $1.5 million|
|HIPAA violation is due to willful neglect and is not corrected||$50,000 per violation, with an annual maximum of $1.5 million||$50,000 per violation, with an annual maximum of $1.5 million|
Criminal penalties can also be applied when HIPAA violations are knowingly committed with increases in the fine per violation and imprisonment.
Criminal penalties are divided into three tiers:
|Tier||Potential Jail Term|
|Reasonable cause or no knowledge of violation||Up to 1 year|
|Obtaining PHI under false pretenses||Up to 5 years|
|Obtaining PHI for personal gain or malicious intent||Up to 10 years|