March 20, 2020
"While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules."
That's what Jocelyn Samuels, Director of the Office of Civil Rights (OCR), U.S. Department of Health and Human Services, said in February 2016.
There is enough evidence that the OCR is dead serious about enforcing HIPAA. In 2015, the Phonix Cardiac Surgery paid a fine of US$100,000 for non-compliance with HIPAA.
Until February 29, 2020, the OCR had levied more than US$116 million as civil penalties for HIPAA violations, informs the HIPAA enforcement highlights page of the HHS.
The number of cases that the OCR had investigated and resolved for HIPAA non-compliance until that date was 27, 829.
Civil monetary fines do not constitute the only penalty for failing to comply with HIPAA. A criminal penalty through sentencing by the U.S. Department of Justice is also possible.
In October 2016, a federal judge sentenced a former respiratory therapist to two years on probation, a fine of US$500, and one day in prison. The offender had illegally accessed patient data in the hospital where she was then employed.
That is a case of criminal conviction and prosecution for HIPAA violation.
There is an important narrative in the snapshot we have presented above. The date to ensure HIPAA Security Rule compliance was April 20, 2005. Only small health plans had an extension up to April 20, 2006.
Yet, the U.S. healthcare industry does not seem to have fully grasped the significance of HIPAA and the criticality of complying with it. The number of cases the OCR has investigated and settled tells us that.
So do the two cases of penalty mentioned. A full understanding of HIPAA and the adverse impacts non-compliance may cause seem to be eluding U.S. healthcare organizations and professionals.
This article presents in a clear, easy-to-understand language everything you need to know about the HIPAA Security Rule. The simplicity does not indicate any lack of thoroughness or any degree of incomplete information.
However, there is another part to HIPAA: the HIPAA Privacy Rule. We have discussed that in a different article.
Health Insurance Portability and Accountability Act: that is what HIPAA is. It is a 1996 law that has last been amended in 2003. The main aim of HIPAA is to increase individual access to and control over personal health information.
The natural corollary of that is to reduce the way the health industry can use individual health information. The concept of protected health information (PHI) is central to HIPAA. Any health information that can identify an individual is protected.
Any individually identifiable health-related information falls within the scope of PHI. Below is a ready checklist:
However, it is possible to de-identify some health information by removing the individual identifiers in them. De-identified information is not within the purview of PHI.
The HIPAA Security Rule applies to PHI in electronic format (e-PHI).
The Security Standards for the Protection of Electronic Protected Health Information: that is the formal name of the document that contains the national standards issued by the Secretary, HHS. It is popularly known as the HIPAA Security Rule.
The aim of these standards is to ensure the security of individual health data as the healthcare industry becomes increasingly more technology-dependent. The HIPAA Security Rule elucidates the measures necessary to implement the HIPAA Privacy Rule.
HIPAA grants individuals the right to retain their privacy and control over health-related data. The HIPAA Privacy Rule articulates those rights. The Security Rule informs the healthcare industry in the U.S. what to do to comply with the Privacy Rule.
Integration of information technology (IT) and artificial intelligence (AI) is necessary for healthcare service delivery to be more efficient and effective. Yet, such integration leads to the emergence of data breach threats.
Breached health data compromises the individual right to the privacy of individually identifiable health information. HIPAA Security Rule aims to prevent such a situation.
It simultaneously promotes the adoption of new technologies by the healthcare industry for delivering quality healthcare to patients. In recognition of the diversity of healthcare providers and professionals, the Security Rule has both flexibility and scalability.
Healthcare providing organizations and individual healthcare practitioners can adapt the Security Rule as per the size of their practice and the services they offer.
Organizations and individuals in the healthcare industry covered by the HIPAA Security Rule are called "covered entities." Business associates of covered entities under the HIPAA Privacy Rule are covered entities under the Security Rule.
Below is a list of covered entities under the HIPAA Privacy Rule:
A business associate in this context is an agency or individual who performs certain actions on behalf of any of the covered entities. Such functions need to involve access to e-PHI.
Below is a list of typical business associated who are covered entities under the HIPAA Security Rule:
The HITECH Act of 2009 has broadened the responsibilities of business associates under the HIPAA Security Rule. The Secretary, HHS, has developed regulations that incorporate these changes.
Are you a business associate of a healthcare delivery organization or an individual healthcare provider? There are measures that you must implement in order to be HIPAA compliant.
Basic measures require having administrative, physical, and technical safeguards to protect e-PHI. The typical action points are to:
As per the HIPAA Security Rule, "availability" means that e-PHI must remain accessible for use by an authorized person. "Confidentiality" in this context implies that e-PHI is not accessible to any unauthorized person. "Integrity" implies that e-PHI must not be changed or destroyed in an unauthorized manner.
The Security Rule does not specify the measures necessary to ascertain the above. That is because the relevant measures depend upon the size of the covered entity, as also on the nature of the hardware and software they use.
Every covered entity must decide on the measures necessary for them. Such adaptation needs risk analysis for identifying and managing potential security threats to e-PHI.
A risk analysis process helps a covered entity to determine what specific measures it must implement for HIPAA Security Rule compliance. Such a process includes the following:
The Office for Civil Rights (OCR), HHS, is responsible for investigating and determining complaints of HIPAA violations. Security Rule violation penalties are tied to the compliance needs of the HIPAA Privacy Rule.
Broadly speaking, the OCR looks at violations from a tiered approach and levy penalties accordingly.
When a covered entity is unaware of a violation, and could not have avoided it even after exercising reasonable care for HIPAA compliance, it is considered a tier 1 violation. That can attract a minimum fine of US$100 per violation, with a cap of US$25,000 in a calendar year.
A tier 2 violation is one that a covered entity should have been aware of, but could not have avoided with reasonable care. The penalty is a minimum of US$1000 per violation, with a calendar year cap of US$100,000.
A violation that happens because of deliberate neglect of HIPAA rules, but corrective measures have since been taken, is a tier 3 violation. A minimum amount of US$10,000 per violation is the penalty, but the total fines in a calendar year cannot exceed US$250,000.
Wilful neglect of HIPAA rules with no corrective measures being taken is a tier 4 offense. The penalty for it is a minimum of US$50,000 per violation. The maximum limit in a calendar year is US$1.5 million.
In limited cases, there can be criminal procedures for HIPAA non-compliance, which are determined by the US Department of Justice. Up to 10 years in prison is a possibility.
As we've mentioned at the outset, the U.S. healthcare industry seems to be lagging behind in ensuring HIPAA compliance. That is a poor business decision. Implementing the action points detailed in this article will help you be HIPAA compliant.
|US Department of Defense, DoD 5220.22-M (3 passes)|
|US Department of Defense, DoD 5200.22-M (ECE) (7 passes)|
|US Department of Defense, DoD 5200.28-STD (7 passes)|
|Russian Standard – GOST-R-50739-95 (2 passes)|
|B.Schneier’s algorithm (7 passes)|
|German Standard VSITR (7 passes)|
|Peter Gutmann (35 passes)|
|US Army AR 380-19 (3 passes)|
|North Atlantic Treaty Organization-NATO Standard (7 passes)|
|US Air Force AFSSI 5020 (3 passes)|
|Pfitzner algorithm (33 passes)|
|Canadian RCMP TSSIT OPS-II (4 passes)|
|British HMG IS5 (3 passes)|
|Pseudo-random & Zeroes (2 passes)|
|Random Random Zero (6 passes)|
|British HMG IS5 Baseline standard|
|NAVSO P-5239-26 (3 passes)|
|NCSG-TG-025 (3 passes)|
|5 Customized Algorithms & more|