HIPAA Compliance Today
In the early 1990s, it became clear that the health care industry needed to become more efficient with medical records and patient information. Managing filing systems in healthcare practices became a full-time job for individuals, progressing to dedicated teams of employees whose sole responsibility was to manage patient information on paper. Computerizing medical records was the next logical evolution in managing medical records, but there needed to be a set of standards that governed how healthcare data should be managed.
In 1996, the Health Insurance Portability and Accountability Act, or HIPAA, was passed into law. HIPAA’s purpose was to provide a streamlined process for helping patients move their health insurance from one provider to another, as well as move medical records from one institution to another [7]. There were a variety of healthcare management improvements within the law, including health insurance coverage for employees who were between jobs; actions to combat fraud and abuse of health insurance and healthcare delivery; medical savings accounts; health insurance for employees with pre-existing medical conditions; and simplified health insurance administration [5].
Although the HIPAA law was passed in 1996, it was essentially a skeleton, written with only generic specifications and designed to allow Congress and the Secretary of Health and Human Services to determine the specific details of the law. There were areas of HIPAA that needed more research, legal review, and more detailed specification before the law could be considered complete.
In 1999, the Privacy Rule was finalized; it is known as the first aspect of HIPAA to be completed. Then, in 2000, the Transaction and Code Sets Final Rule was completed, followed closely by the Security Rule and the National Provider Identifier (Unique Identifier) rules.
Finally, in 2006, the Enforcement Rule specifications were finalized, officially completing the HIPAA law [7]. These latest additions to HIPAA were designed to encourage healthcare providers, whether they be insurance companies, hospitals, or private practices, to move to computerized and electronic medical records.
HIPAA Goals and Consequences
The healthcare industry is made up of general practitioners, specialists, and health insurance companies. Health insurance companies cannot pay doctors or hospitals without receiving invoices and supporting documentation that detail medical procedures, diagnoses, and other pertinent medical information about a patient. Long before the conversion to electronic medical records, institutions would mail invoices and documentation to health insurance providers for payment. HIPAA was designed to streamline this process, removing the need to mail these documents to insurance companies and instead encouraging healthcare providers to communicate electronically with insurance companies regarding their patients.
The move to electronic health records was facilitated and encouraged by HIPAA not just to streamline the insurance side of the healthcare industry, but also to simplify various administrative processes for patients. A certain level of assurance needed to be provided to patients and healthcare institutions alike to ensure the integrity and validity of medical records in transit between a doctor and a health insurance provider. Thus, HIPAA defined a series of protocols for the portability of medical records and instituted accountability measures for those responsible for moving medical records from one institution to another.
The most important goal of the Security Rule, written and passed in 2000 for HIPAA, was to protect patients’ health information during the adoption and migration of new technologies by covered entities [3]. The Security Rule does not explicitly define the types of technology used to meet the goals and objectives of protecting patient privacy. Instead, the Security Rule provides guidelines for HIPAA compliance, leaving policy, procedure, and technology implementation up to the healthcare institutions themselves [3].
The consequences for HIPAA non-compliance are quite severe, with penalties reaching as much as $1.5 million per year in total penalties across all non-compliance infractions [1]. There are four violation categories: did not know, reasonable cause, willful neglect – corrected, and willful neglect – not corrected. Each of these categories carries its own financial penalty, starting at $100 per violation and ranging up to $50,000 per violation [1]. Under HIPAA, a violation is any deviation from the compliance requirements; it is not counted per individual affected by a security breach, for example. In other words, if a database of patient data is compromised, the individual data records are not violations themselves. If the database is not encrypted, that counts as one violation. If access controls were not effective, that counts as another violation, and so on.
HIPAA Impact and Costs
HIPAA compliance is a daunting and challenging task for any healthcare institution, increasingly so given the advancements in technology. Many healthcare providers suggest that patient care has been hampered by HIPAA because patient information cannot be freely shared unless the patient gives implicit permission to share it [2]. Without the sharing of patient information, doctors and healthcare professionals say it takes longer to obtain information that could be critical to patient care.
Even healthcare researchers are affected by HIPAA, as they cannot obtain patient charts and medical histories unless a patient authorizes release of the data to them [2]. But not all HIPAA impacts are negative, and as the preceding discussion indicates, patient protections are at the forefront of HIPAA’s positive impacts. With the addition of the Privacy Rule to HIPAA, not only has a culture of compliance been created within healthcare institutions, but overall security has improved too. Given the state of technology and the use of electronic communication, when patients authorize the release of their medical information, transmission occurs immediately [2]. HIPAA has also aided the creation of standards for medical records collection and storage.
HIPAA compliance does not happen without extra costs, however. When HIPAA was completed and finalized in 2013, HHS released a cost estimation document describing what the typical costs of compliance would be [9]. According to HHS, updating the Notice of Privacy Practices would cost $80, breach notification requirement updates would cost $763, business associate agreement updates would cost $84, and security rule compliance would cost only $113 [9]. The last item on the list, security rule compliance, is an inaccurate estimate, especially considering the security rule has 250-plus requirements that must be met for HIPAA compliance.
A firewall, a device meant to secure network access, alone costs more than $113, with a bottom-of-the-barrel firewall of limited capability starting at about $800. If a healthcare institution is serious about HIPAA compliance and avoiding hefty penalties, it won’t be looking at sub-$1,000 security solutions. Several factors affect HIPAA compliance cost, such as institution type, size, culture, environment, and whether there is a dedicated HIPAA team [9]. A hospital will have very different HIPAA compliance costs compared to a psychologist’s office. A hospital will need a superior network security system and supporting team, whereas a psychologist’s office will need similar technology, but not as robust or scalable.
There are costs to be considered beyond those incurred directly for HIPAA compliance. A healthcare institution could do the bare minimum for compliance, but it then runs additional risks. When weighing the costs of HIPAA compliance, healthcare institutions must also consider the costs associated with data breaches. Setting the penalties for non-compliance aside, class-action lawsuits, legal fees, patient (customer) loss, breach notification costs, and technology repairs can reach into the millions of dollars [9]. Doing the bare minimum for HIPAA compliance will result in heavier fines, higher legal fees, and increased costs to purchase the proper equipment and hire qualified personnel to manage it.
Risk management, training, third-party audits, vulnerability scans, and penetration testing are also key factors in HIPAA compliance and a strong security posture. These carry costs of their own too, even though many of them can be handled internally. Of course, healthcare institutions do not have to pay for these items if they do not deem them necessary. However, institutions that do not effectively secure patient data and comply with HIPAA face steeper penalties at the discretion of HHS. In other words, HIPAA compliance is costly, but non-compliance is exponentially costlier.
HIPAA Effectiveness
In 2013, the Hospice of North Idaho settled with the Department of Health and Human Services for a HIPAA violation in the amount of $50,000 [6]. An unencrypted laptop storing health records for over 400 patients had been stolen in 2010. During HHS’s investigation into the breach notification, it was determined that the Hospice was not conducting frequent and adequate risk analysis and therefore had no safeguards in place for patient data on portable devices [6].
In 2012, South Shore Hospital in Boston, Massachusetts reached a settlement in which the hospital agreed to pay $750,000 in fines for HIPAA violations [10]. The hospital had shipped 473 unencrypted backup computer tapes to an offsite contractor to be erased and destroyed. These tapes contained the health information of over 800,000 individuals, and during transport all of the backup tapes went missing save for one box [10]. South Shore Hospital did not inform its third-party contractor of the sensitivity of the data contained on the backup tapes, nor did it determine whether its business partner had sufficient safeguards in place to protect and secure sensitive patient health information. As a result, the hospital was levied several penalties for its HIPAA violations.
These two cases are just a small sample of the effectiveness of HIPAA over the last decade and a half. There is an ineffectiveness surrounding HIPAA, however, and it is seen in HHS’s inability to audit healthcare practices and investigate HIPAA complaints and violations. Although the above anecdotes are a small sample of the successes of HIPAA, there are far more occurrences of HIPAA violations than HHS and its employees can keep up with. HHS focuses on those non-compliance violations that are egregious rather than on all violations. Some of this is due to how HIPAA was written, and some of it has to do with poor government planning in implementing and enforcing HIPAA regulations. And, as one might surmise, advancements in technology present their own share of complications for HIPAA.
In 2009, the U.S. Government signed into law the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH law was written to promote the adoption and use of health information technology, that is, technology specifically developed for the healthcare industry [4]. Under HIPAA, healthcare institutions had to interpret much of what was required for compliance in those areas referring to technology. HIPAA provides guidelines, but no specifics, on what types of electronic security to use, what types of encryption to use for data at rest and in transit, or any other technical specifications relating to the privacy and protection of patient health information. HITECH was created to replace the individual interpretations and understandings that healthcare institutions had been relying on to become HIPAA compliant.
HITECH brings new compliance requirements to the healthcare industry, but it is also known as an extension of HIPAA law. The 2009 law expands on data breach notifications, protections of electronic health information, application and use of health information, and the relationships third-party vendors and associates have with a healthcare institution [8]. HITECH defines the rights and responsibilities of healthcare institutions, particularly the requirements for doing business with business affiliates. Much of the 2009 law stems from previous HIPAA violations on record, and as such, penalties for non-compliance are stiffer and now include prison sentences in addition to fines.
HITECH is, by design, an extension of HIPAA, and therefore the two coexist very effectively. All healthcare institutions must comply with both laws, which on the surface would appear to increase the complexity and time required to become compliant. However, HITECH is such an improvement over HIPAA that by complying with HITECH, most of the HIPAA Security and Privacy rules are satisfied. Where HIPAA fails to provide detailed guidelines for security and privacy compliance, HITECH takes over to provide specific measures for assessing, auditing, and complying with the protection of patient health information.
Conclusion
Whether it is the first human-powered vehicle from the early 1400s or a new firewall with built-in intrusion detection and prevention software, technology continually advances, increasing the efficiency and productivity of everyday life. Improvements in medical instruments lead to improvements in healthcare, and laws and regulations must keep up to protect patients, consumers, businesses, and governments alike. HIPAA was enacted to satisfy a growing need to protect patient health information at a time when that information was moving from paper to 1s and 0s in a computer.
At some point in the future, HIPAA will be deprecated, and a new law or regulation will be enacted to further refine and define patient protections. This is clearly supported by the enactment of the HITECH law in 2009, which refined and defined in greater detail the technological requirements for safeguarding patient health information. In the nearly two decades that HIPAA has been law, countless cases of non-compliance have been adjudicated, and thousands of healthcare institutions are improving their security footprint to protect patient data. The successes of HIPAA and HITECH in the healthcare industry will carry over to other industries and, perhaps one day, negate the need for government legislation to protect and secure personal information.
Originally written June 2018 for Bryan’s Master of Cybersecurity degree through Purdue University
References
[1] Brown, M. (2014). What is the penalty for a HIPAA violation? Retrieved June 14, 2018 from https://www.truevault.com/blog/what-is-the-penalty-for-a-hipaa-violation.html
[2] Brown & Fortunato Law. (2015). The HIPAA privacy rule and its impact on healthcare organizations. Retrieved June 14, 2018 from https://www.bf-law.com/the-hipaa-privacy-rule-and-its-impact-on-healthcare-organizations/
[3] HHS.gov (a). (n.d.). Summary of the HIPAA Security Rule. Retrieved June 14, 2018 from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
[4] HHS.gov (b). (n.d.). HITECH Act enforcement interim final rule. Retrieved June 14, 2018 from https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
[5] HIPAA Journal. (n.d.). HIPAA history. Retrieved June 14, 2018 from https://www.hipaajournal.com/hipaa-history/
[6] McCann, E. (2013). First-of-its-kind HIPAA settlement announced, Idaho hospice group to pay. Retrieved June 14, 2018 from http://www.healthcareitnews.com/news/idaho-group-involved-first-its-kind-hipaa-breach-settlement
[7] Record Nations. (n.d.). The history of HIPAA & the consequences of a HIPAA violation. Retrieved June 14, 2018 from https://www.recordnations.com/articles/history-hipaa/
[8] Rouse, M. (2018). HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009. Retrieved June 14, 2018 from https://searchhealthit.techtarget.com/definition/HITECH-Act
[9] Stone, J. (2018). How much does HIPAA compliance cost? Retrieved June 14, 2018 from http://blog.securitymetrics.com/2015/04/how-much-does-hipaa-cost.html
[10] Tomes, J. (2012). Boston hospital’s security breach results in $750,000 settlement | HIPAA. Retrieved June 14, 2018 from http://www.veteranspress.com/bostons-south-shore-hospitals-security-breach-results-in-750000-settlement-hipaa