The Health Insurance Portability and Accountability Act (HIPAA) was signed into law over 20 years ago. The Health Information Technology for Economic and Clinical Health Act (HITECH) was created in 2009 to, in part, encourage the implementation of electronic health records (EHR) and supporting technology.
A number of additions have been made to HIPAA to better safeguard patient data since it was enacted in 1996, the most recent being the Final Omnibus Rule of 2013. This rule didn’t introduce new legislation, but sought to clarify and update HIPAA/HITECH regulations. Amendments were included in this rule to address technological advances in the healthcare field, such as the increased use of mobile devices by healthcare professionals. According to HIPAAnswers, “The Final Omnibus Rule’s most important legacy was increasing CEs’ awareness of HIPAA safeguards. It spurred many healthcare organizations who had been violating HIPAA (whether deliberately or by accident) to implement several measures to comply with the regulations. Many CEs introduced policies for their employees regarding the use of data encryption on portable devices and computer networks, and implemented secure messaging solutions for internal communications with care teams. They also installed web filters and took more care to archive emails securely. The financial penalties now being issued for data breaches along with the colossal costs of issuing breach notifications, providing credit monitoring services and conducting damage mitigation make investment in new technology to protect data appear cheap by comparison.”
Despite all of this, there are still a number of misconceptions about who HIPAA applies to, what it entails, and the repercussions for failing to abide by these regulations.
"I’m too small for HIPAA compliance"
Organizations of all sizes can be penalized for HIPAA violations. In 2016, the Office for Civil Rights vowed to more actively investigate smaller healthcare data breaches (fewer than 500 records breached), and recently a practice with only 5 doctors was fined $100k for its lax security measures. When it comes to defending your practice and maintaining compliance, size may not matter, but keeping your employees informed does. Verizon’s 2018 Data Breach Investigations Report shows that “the healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat. This somewhat bleak finding is linked closely to the fact that there is a large amount of both errors and employee misuse in this vertical. With regard to incidents, healthcare is almost seven times more likely to feature a causal error than other verticals in our data set”. The report found the following threat action categories within healthcare incidents:
"It doesn't matter"
In March 2006, the Enforcement Rule was introduced to address the failure of many covered entities to fully adhere to the HIPAA Privacy and Security Rules. Under HIPAA, covered entities are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). This includes health plans (health insurance companies, government health programs, etc.), healthcare providers, and healthcare clearinghouses. The Enforcement Rule enables the Department of Health and Human Services to investigate complaints and levy fines against covered entities that fail to comply with the Privacy Rule. The Office for Civil Rights was also given power to pursue criminal charges against frequent offenders who neglect to introduce corrective measures within a specified time frame.
According to HIPAA Journal, “the maximum penalty for a HIPAA violation is $50,000 per incident, up to a maximum of $1.5 million, per violation category, per year. If HIPAA violations have been allowed to persist for several years, or if multiple violations of HIPAA Rules are discovered, multi-million-dollar fines are possible. Criminal penalties are also possible for certain HIPAA violations”.
Not only can violations carry hefty monetary fines, but you could also lose your patients’ confidence. In fact, a Ponemon Institute study found that 79% of respondents say it is important for healthcare providers to ensure the privacy of their health records, and 48% would consider a new provider if their personal information was compromised. Patients can also bring civil legal action against a covered entity if their personal health information was disclosed without their permission and the disclosure resulted in “serious harm”.
"I don't have PHI"
Protected health information (PHI) is any identifying patient information. It’s everywhere and it’s valuable. Something as simple as a patient name, address, or birthday is PHI and needs to be properly protected. Verizon’s DBIR found that social attacks (predominantly phishing and pretexting) account for approximately 14% of healthcare incidents. We’ve addressed phishing a lot, but as a refresher, phishing occurs when an attacker sends a misleading communication (typically email) to trick a person into clicking a malicious link, downloading a suspicious file, or handing over their credentials. Phishing accounts for 70% of social attacks. Per Verizon, pretexting (20% of social attacks) occurs when “the criminal emails, calls or even visits an employee in person and engages them in conversation to fool the victim into providing the attacker with credentials, or other sensitive data, with which they can launch an attack”.
Once this information is stolen, it can be put to use in a number of nefarious ways. The Ponemon Institute surveyed victims of medical identity theft to see how their personal information was used (note that each respondent could give multiple answers):
Your patients depend on you.
Start the path to compliance with our HIPAA compliance and employee security training package.