There’s no surprise that information security has been a big topic in recent headlines. Over the past two decades everyone from retail stores to government agencies have fallen under the shade of the wily black hat. As a result, this malicious activity shifted public perspective on data trust and subsequently made confidentiality a hot topic.
Soon, questions concerning privacy were louder than the looming dot com boom and the risks became too great. Thus in order to encourage investment, quiet the skeptics, and discourage fraud, actions had to be taken. Something had to be protected, but it had to be something everyone wanted private. So why not healthcare?
In 1996 President Bill Clinton instituted the Health Insurance Portability and Accountability Act (HIPAA), an act to improve trust, faith, and confidence in the healthcare industry. The statute contains five sections or titles that mandate specific principles.
Title II advises the Health and Human Services to establish national standards for processing electronic healthcare data. It also requires data centers to implement security protocols and remain in compliance with privacy regulations set by the HHS.
Don’t think HIPAA works? In 2012 a complaint was leveraged against a St. Elizabeth’s Medical Center in Boston over a cloud-based file sharing platform, which was in non-compliance with HIPAA laws and regulations. The hospital was forced to pay nearly a quarter of a million dollars in fines to the department of Health and Human Services Office of Civil Rights and was also forced to no longer use the platform until it was in accordance with HIPAA law. You can read more about the case here (credit to hhs.gov).
But what does it mean to be HIPAA compliant?
In the high-tech sector HIPAA compliance means adhering to the Administrative Simplification provisions. These are broken into two standards and three rules for a total of five HIPAA compliance requirements.
First, is the National Provider Identifier Standard. According to this provision any and all individuals, employers, health plans, or healthcare providers are required to have a 10-digit national provider identifier or NPI. Providers are required to use this unique number to distinguish themselves in all HIPAA Transactions.
The second requirement is the Transaction and Code Set standard. Healthcare services are required to adopt the electronic data interchange (EDI) standard when processing or submitting claims for individuals. The EDI rule is based on the highly technical X12N EDI data transmission protocol standard and directs the way data is transferred between terminals.
The third rule, known as the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, institutes national standards to protect patient’s Personal Health Information (PHI). The rule requires that the appropriate security measures be placed in effect to protect the privacy of the patient. In addition, the patient is given more capacity over their health information. These include rights to examine and obtain a copy of their health records.
The fourth rule, The HIPAA Security Rule, sets national standards for electronically stored patient information. Under this rule, electronic and physical security measures must be brought to the attention when addressing risks and vulnerabilities with electronic protected health information (ePHI).
The final rule is the HIPAA enforcement rule. This rule contains mandates/rules for investigations into HIPAA compliance violations.
There are a number of steps that an organization needs to take In order for an organization to be considered HIPAA compliant. These include administrative, physical, and technical standards set in place by the HIPAA act. It is only then that an organization is considered to be HIPAA compliant.
However, there are further administrative mandates and statutes that must be taken into consideration. The Security Management Process within §164.308(a)(1) includes further requirements for HIPAA Risk Analysis and Risk Management.
This process is the basis of principles in which all mandatory security measures are established upon. As a result, a data center’s HROC or HIPAA Report on Compliance provides the baseline for the risk analysis and management plan. This security strategy can also serve as an universal standard if you were to ever decide to outsource to different clients.
Data centers who have adopted an HIPAA risk assessment are required to provide a copy of their HIPAA compliance report if audited. Being able to present a HIPAA compliance report mitigates costs for clients in the long run by thwarting further HIPAA compliance evaluations.
However, if an organization decides to migrate services to another business associate who does not have a HIPAA Compliance report available then it’s expected that the organization in question have their own policies and procedures in effect.
There are a number of other administrative security provisions that a data center should also have in place when storing, transporting or preparing ePHI these include:
Besides the administrative security measures, there are also physical, technical, and organizational security implementations that need to be considered when taking on the task of erecting any HIPAA compliant data center. All these restrictions need to be followed or consequences could be costly.
The HIPAA Omnibus Rule was enforced by the HHS to coordinate adjustments to HIPAA with protocol set by the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH). This legislation outlines the duties that any data center must take on with a business associate.
As a result, implementation of the omnibus rule increased penalties for all HIPAA compliance violations to a maximum of $1.5 million per occurrence.
The HIPAA Breach Notification Rule requires that those covered whether businesses or individuals be notified following a data breach. In addition, fees can also accrue by not following HIPAA privacy and security mandates.
Therefore, in order to mitigate risks many companies implement HIPAA compliance training companies and offer “in-house” certifications to reinforce their guarantee.