HIPAA Compliance Explained

Leif Dvorak is the Security & Compliance Administrator for Green House Data facilities.

If your organization handles electronic health records in any form, whether they’re your own workers', part of a Software as a Service platform, or you are a fellow hosting provider, you must make sure every employee handles that data in a responsible manner, or else face steep fines and other legal ramifications. Here’s what you need to know now about HIPAA compliance.
 

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, and first became law in 1996. HIPAA’s main goals were to:

• ensure the protection of patient information
• provide electronic and physical security of patient information
• limit disclosure of information to the minimum necessary
• specify patient rights to this information
• minimize fraud/abuse
• simplify bill and other transactions

Out of all of these the greatest success was in regards to the billing, which worked better than expected at controlling costs.

The original version of HIPAA didn’t really have consequences that were regularly enforced regarding data breaches until the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the American Recovery and Reinvestment Act (ARRA) of 2009. With the addition of the HITECH standards, the Office of Civil Rights (part of the US Department of Health & Human Services) was given additional authority and encouraged to fine companies that experienced HIPAA breaches.

What happens after a HIPAA breach?

With the implementation of HITECH, there was also an attitude shift regarding how to handle breaches. In years past OCR was encouraged to work with companies to correct HIPAA issues. Now, while they still do so, they also levy heavy fines on violators. You can see those that have reached a resolution agreement for breaches on the HHS Wall of Shame.

Any breach that effects more than 500 people must be immediately reported to HHS and the Office of Civil Rights. If the breach effected 499 or less, it can be reported at the end of the year during the mandated reporting period. Fines for violations are based on the number of people affected and not the number of breaches.

How to avoid breach penalties

Knowing how fines and reporting work, the question becomes, “How can I avoid the fines?” Well, if you are breached the fines are unavoidable, but there are basics to help avoid a breach in the first place.

The main things to do are:

• provide good user education
• enact good security (both physical and logical)
• software patching for known vulnerabilities

and last but not least, your “get out of jail free card” for any lost or stolen hardware (the most common source of a breach)…

• disk encryption

Encrypting hard drives and storage on servers, desktops, laptops, tablets, and cell phones minimizes the risk of a data breach, as the data is inaccessible if the hardware is lost or stolen.

So how do I know if I am working with data that falls under HIPAA? If it’s one of following types of Personally Identifiable Information (PII) it is potentially covered by HIPAA. This list isn’t perfect, so remember there are other items that can be considered PII.

Examples of sensitive PII elements include, but are not limited to:

• Names or nicknames
• Social Security number (even partial)
• Driver's license or other government ID numbers
• Citizenship, legal status
• Gender
• Race or ethnicity
• Birth date
• Place of birth
• Telephone numbers
• Email address
• Mailing or home address
• Religious preference
• Security clearance
• Mother's middle and maiden names
• Spouse information
• Marital status
• Child information
• Emergency contact information
• Biometrics
• Financial information
• Medical or disability information
• Law enforcement information
• Employment information
• Educational information
• Military records

Examples of non-sensitive PII elements include, but are not limited to:

• Office location
• Business telephone number
• Business email address
• Badge number
• Other information that is releasable to the public

I’m not a healthcare provider. Why does it matter to me?

The first question you might ask yourself is, “I don’t work with any of those things, why do I care about HIPAA?”

For Green House Data employees, the reality is we work around HIPAA data every day. Whether we are simply on the data center floor, where customers host their data, or working on a customer network, we have the potential to interact with this information.

Other organizations that commonly interact with HIPAA data include billing or accounting providers, marketing companies, lawyers, Software as a Service providers, or even some employers that provide a group health plan to their employees.

The third party organizations mentioned above fall under a Business Associates Agreement (BAA). These agreements are geared to define responsibilities of how we interact with our customers, their data, and what our responsibilities are regarding their environment and data. Even if you have not signed a BAA, HIPAA implies that one exists, which means all of the HIPAA requirements apply to the data or equipment and your interactions with it.

If you handle any of the above information types on behalf of a customer or your own employees, do yourself a favor and read up on your legal responsibilities under HIPAA. By educating any employees that work around or directly with sensitive data on security best practices, as well as leveraging encryption and mobile device management, you can keep a watchful eye over electronic health information and avoid a costly breach report.

Regardless of whether it’s your job function, or your neighbors job function being trained and educated on how to handle HIPAA and other sensitive data is a best practice for  everyone.