The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is both a shield for patients against intrusion into private information and an ongoing headache for almost everyone involved in health care. As the law gets closer to its 20th anniversary, some aspects of the legislation have become comparatively routine, while others remain complex and challenging.
For health care organizations, the fundamental challenge is to stay in compliance. At its most fundamental level, that means avoiding data breaches – and adhering to a welter of practices needed to keep not only electronic data but even conversations confidential. Those who aren't able to achieve that goal, find their organization's name displayed on a government “wall of shame” and paying hefty fines. But since there is no exact formula for how to ensure compliance – current requirements are risk based – it's an open-ended challenge. Thus, organizations must balance the fear that no matter what they do it won't be enough against the reality that everything they do to comply costs money.
A widely watched case has perhaps muddied the waters even more. In October 2013, the Second Appellate District Court of California dismissed a case against the University of California, dating back to 2011, in which a laptop with 16,000 patient records was stolen from a physician's home. A plaintiff sued the university under the Confidentiality of Medical Information Act (CMIA), a state statute, and lost. The fact that the data was encrypted, which is often regarded as providing protection to medical entities under HIPAA and other statutes. However, also stolen were file cards that included an encryption key, potentially allowing the thieves to access the data.
Most of the time when laptops go missing they are unencrypted. "What was different about the California case was that the drive was encrypted, but the plaintiff was unable to provide that there was any breach of actual data,” notes IDC analyst Lynne Dunbrack.
However, Dunbrack says the outcome certainly underscores the importance of encryption both in motion and at rest. Dunbrack notes that encryption has been resisted by users because it adds complexity and typically takes more time. Perhaps, she speculates, this decision in California “will lead to more pushback, now that IT can demonstrate that if files are encrypted it can mitigate the impact of one of the most common kinds of data breach, namely lost or stolen laptops.”
HIPAA is a very strange law, says Skip Snow, senior health care analyst at Forrester, because it applies to a single doctor as well as to the world's biggest health insurance company. And it is applied through Byzantine rules. Thus, is an encrypted laptop was stolen from a group practice of 50 physicians, although encryption itself will likely protect the data, they could still be fined if they didn't actually have a policy for using encryption to ensure patient privacy. On the other hand, if you did have a policy that said you would take reasonable measures to protect patient privacy by using encryption, you would be covered. “It isn't so much what the law says as it is individual institutions defining their policies,” he explains.
Typically, Snow notes, a large institution will have a more rigorous framework or set of policies and rules than a small institution. In the former, a dedicated, trained security officer is usually in charge of ensuring compliance, while in a small organization, HIPAA compliance may be one of many responsibilities handled by a glorified administrative assistant.
Beyond that broad landscape, Snow sees two important compliance trends emerging. The first is the Final Omnibus Rule, which became mandatory in September. The measure includes an update to the Security Rule and Breach Notification of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The most critical changes involve an expansion of compliance requirements to include business associates, where previously only covered entities had originally been required to uphold these sections of the law.
According to Snow, the essence of the change is that if you are a vendor to a covered entity and you handle personal health information, whether you want to or not, you are now treated just like a covered entity. “That rule forced a lot of vendors, particularly cloud providers, to change the way they do business and to clarify their processes and how they will comply,” he says. As a consequence of cloud providers being forced to “do the right thing,” Snow says business has actually boomed for them. The requirements have essentially green-lighted a movement away from relying on on-premises IT for HIPAA functions. “It has had the opposite effect of what almost everyone predicted,” he says.
The new rules also updated the definition of 'significant harm' from a breach. Previously, a regulator needed proof that harm had occurred, whereas now there is a presumption of harm that must be disproved, he explains.
Secondly, according to Snow, in September 2013 the Health IT Policy Committee (HITPC) approved recommendations from the Food and Drug Administration Safety and Innovation Act (FDASIA) working group for a risk-based regulatory framework for health information technology. “I don't think there is a direct connection [between that and HIPAA] except that security is an underlying service and factors into the risk framework that is proposed,” notes Snow. And evolution in that realm could eventually impact how HIPAA risks are assessed.
So, what can organizations do to stay out of trouble in the current evolving compliance environment? Andrew Hicks, health care practice director at Coalfire, an IT governance, risk and compliance firm, says companies and organizations that comply with HIPAA need to focus on several things. They must know where their data is, so every point where personal health care information (PHI) exists must be inventoried. They must have policies and procedures for handling PHI. And they need to formalize training and risk assessment.
Hicks says one of the helpful steps taken recently by the government was the development of the Security Risk Assessment (SRA) by the Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). The tool is designed to help organizations conduct and document a risk assessment – specifically including the information security risks in their organizations under HIPAA. The tool is available at www.HealthIT.gov/security-risk-assessment. Hicks says although the tool is intended for small- and midsized organizations, it could also be helpful for larger companies, even though they may, implicitly, be held to a different standard.
Still, notes Kurt Hagerman, CISO at FireHost, a cloud-hosting company, risk assessment should be part of simply doing more to be secure. “Given the nature of the law [HIPAA] and the way it has been refined, you can't over comply,” he says. "With HIPAA, being compliant from a security and rules perspective means you have built a program to protect health information from all reasonable threats and that you have used reasonable measures based on an understanding of risks."And, the stakes are only getting more demanding. Health care organizations need to get ready for a potentially more rigorous HIPAA enforcement, warns Paul Proctor, vice president and distinguished analyst at Gartner. The 2015 budget calls for more funds for the OCR which is charged with making sure that HIPAA has teeth, he notes. And that's bound to cause more sleepless nights for IT security and compliance professionals.