HIPAA compliance not guaranteed with ePHI security

Medical facilities sometimes believe security is equivalent to compliance with HIPAA -- but not so fast. Organizations must consider other aspects when guarding patient data.

Your healthcare organization believes in a strong cybersecurity program. It employs the latest software to secure patient data, and you feel confident that the clinical files are protected against hackers.

This hypothetical setup seems to be solid. The bad news? Those efforts might not comply with HIPAA.

That's hard to accept in this age of constantly beefing up technologies to safeguard electronic protected health information (ePHI). But the above scenario illustrates the sometimes forgotten reality that ePHI security and HIPAA privacy obligations don't always work in parallel.

"You can't have privacy without security, but you can have security without privacy," said attorney Daniel Farris, partner and co-chair of the technology group at law firm Fox Rothschild LLP.

HIPAA broadly divides specifications among its Privacy and Security Rules. The privacy regulations govern how hospitals and other healthcare facilities use and share ePHI, Farris said. Meanwhile, the security provisions cover measures that curtail unauthorized access to ePHI, including the use of IT capabilities.

Providers need an audit trail

The HIPAA Security Rule does not mandate what technology a healthcare provider uses to protect data; rather, healthcare organizations must evaluate software and platforms with ePHI security risks in mind (see "What does HIPAA prescribe for technology?").

The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) investigates HIPAA complaints. Its investigators judge whether an organization's security technology approach is compliant largely on the basis of the documentation the organization can produce. Consider some of the nuances in these actual cases:

  • In February 2017, Memorial Healthcare System (MHS), based in Hollywood, Fla., paid $5.5 million to HHS to settle potential HIPAA violations stemming from staff members allegedly using a former employee's login credentials to access and disclose thousands of patient files. "MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices," HHS wrote. In other words, by not regularly reviewing which credentials were being used to access ePHI, MHS may have undermined its own ePHI security.
  • In January 2017, Metro Community Provider Network, based in Englewood, Colo., settled with HHS for $400,000 after an ePHI security breach occurred during a phishing incident. According to HHS, the healthcare provider took action to address the incident but didn't conduct a follow-up risk analysis until about two weeks later.
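The control HHS said MHS lacked, regular review of information system activity records, can be partly automated. The following added example (not code from the article or from any organization it names) reconciles a constructed ePHI access log against a constructed HR termination roster and flags both use of a terminated account and unusually broad per-day record access; the log format, roster and threshold are assumptions.

```python
# Added example, not the article's or HHS's code: a periodic review of
# information-system activity records, the control HHS cited in the MHS case.
# Log format, roster and threshold are assumptions; all sample data is constructed.
from collections import defaultdict
from datetime import date, datetime

# Constructed audit log: timestamp, account, workstation, action, patient record.
ACCESS_LOG = """\
2017-01-09T08:15:00 jsmith WS-ED-04 VIEW P10021
2017-01-09T08:16:30 jsmith WS-ED-04 VIEW P10022
2017-01-09T09:02:10 rlee WS-ED-07 VIEW P10023
2017-01-09T09:05:00 rlee WS-ED-07 VIEW P10024
2017-01-09T09:05:40 rlee WS-ED-07 VIEW P10025
2017-01-09T09:06:15 rlee WS-ED-07 VIEW P10026
2017-01-09T13:40:00 jsmith WS-BILL-02 VIEW P10027
"""

# Constructed HR roster: last day each account was authorized for ePHI access.
TERMINATED = {"jsmith": date(2016, 11, 30)}
# Assumed policy threshold: more distinct records than this per day is "bulk".
BULK_THRESHOLD = 3


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, workstation, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "workstation": workstation, "action": action,
                       "record": record})
    return events


def review_activity(events, terminated, bulk_threshold=BULK_THRESHOLD):
    """Return findings as (finding_type, account, detail) tuples."""
    findings = []
    per_day = defaultdict(set)  # (account, day) -> distinct records touched
    for e in events:
        end = terminated.get(e["account"])
        if end is not None and e["ts"].date() > end:
            findings.append(("TERMINATED_ACCOUNT_USED", e["account"],
                             f"{e['ts'].isoformat()} from {e['workstation']}"))
        per_day[(e["account"], e["ts"].date())].add(e["record"])
    for (account, day), records in per_day.items():
        if len(records) > bulk_threshold:
            findings.append(("BULK_ACCESS", account,
                             f"{len(records)} records on {day.isoformat()}"))
    return findings
```

Running `review_activity(parse_log(ACCESS_LOG), TERMINATED)` on the constructed data reports three uses of the terminated jsmith account and one bulk-access finding for rlee; the point is that the review has to happen on a schedule, with the HR roster as an input, for it to count as the "regular review" the Security Rule expects.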

What does HIPAA prescribe for technology?

The HIPAA Security Rule sets a variety of IT provisions for covered entities, such as providers and health plans, that transmit electronic protected health information (ePHI). According to the U.S. Department of Health and Human Services, the rule requires the following:

  • Covered entities must evaluate IT capabilities, infrastructure, related costs and the likelihood of an ePHI security risk, but the types of technology aren't specified.
  • Covered entities must implement security measures and consistently modify them as needed.
  • Software, hardware or other mechanisms must ensure access control and auditing during ePHI transmission.

Both cases share a common theme: the lack of risk analyses and policy audits, which are key mandates in the Security Rule. Risk analysis is a familiar mantra at hospitals and other healthcare providers, whether for HIPAA compliance, infection control measures or emergency planning against outside disasters. Regardless of the security threat, a core aspect is to repeat a risk analysis at certain intervals to assess potential dangers.

Federal inspectors can request to see an organization's current HIPAA security procedures, security assessments dating from years earlier and any documented action an organization took to address weaknesses. "If you have a compliance plan in place and you [document that] you're following the compliance plan," you'll get credit for such actions from inspectors, said attorney George Indest III, president and managing partner at The Health Law Firm.

OCR inspections for HIPAA violations are rare, however, which can lead to laid-back compliance by providers, Indest added. "If you have a stretch of highway and the speed limit is 50 miles an hour, and everybody drives 70 or 80 because the cops never pull anyone over … you'll think enforcement is lax," he noted.

Data integrity a key issue

HIPAA's Privacy Rule is not just about stopping breaches; it also focuses on ensuring the integrity of patient data. That combination has implications for both technology and business associates, said attorney Elizabeth Litten, partner and HIPAA privacy and security officer at Fox Rothschild. A business associate is any party that works with providers and handles or discloses ePHI. Business associates must meet HIPAA requirements.

Litten offered the following example of how technology can intersect with data integrity and HIPAA: Suppose a cloud vendor hosts patient data from a hospital. All the data is encrypted, and the vendor doesn't have the encryption key. Even though the data is secure and access is limited, the OCR has stated that the vendor must still be part of a business associate agreement because the cloud service is responsible for the reliability of the data it hosts.

"That's where the line between privacy and security gets blended," Litten said.

Hackers don't always enter by the front door

Although hackers might test the security of the servers that hold patient data, if they encounter formidable security technology there, they will likely move on to easier targets within the healthcare organization, Indest explained. It's important not to forget other areas -- including nonclinical ones -- that provide access points into the IT system.

Farris agreed, adding that major breaches across different industries have started through some of the least suspected systems, such as a server that controls a heating, ventilating and air conditioning system. A similar situation led to Target's massive retail data breach in 2013.

Farris said he heard of a security breach at a casino, which typically has tight access controls over its financial systems. A hacker exploited a vulnerability in software that operated an aquarium in the casino and subsequently was able to breach other systems. Healthcare providers, he advised, should consider similar kinds of vulnerabilities and perform security audits on any vendor that installs software or IT within the building.