November 17, 2022
What is HIPAA Compliance?
HIPAA, or the Health Insurance Portability and Accountability Act, is one of the first data privacy laws passed anywhere in the world. It has transformed how companies handle personal health information in the United States and made it one of the most protected data types. It has also resulted in healthcare providers and companies struggling with innovation and the high cost of HIPAA compliance. The question in modern health care is, “can companies and medical practices comply with HIPAA while remaining flexible and controlling their costs?”
This article isn’t a replacement for the advice of a qualified legal professional with detailed knowledge of your practices. Instead, it’s meant as a primer to help decision makers understand what HIPAA is generally asking for, and what compliance options they may have. With that in mind, let’s dive into HIPAA.
The Security Rule
While HIPAA is the law that mandated certain regulations, it doesn’t contain them—it essentially ordered the Secretary of Health and Human Services to formulate the regulations. The result of that process is the Security Rule, which outlines who is covered by HIPAA, and what protections they must be provided.
The Department of Health and Human Services states that the rule “applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.” Given the breadth of that definition, it’s good that the agency includes a tool to help organizations determine whether they are required to comply with the rule. It’s important to note that even if your company is not the originator of the information, you may still be required to comply with the law as a business associate.
Protected Health Information
The next critical concept in HIPAA is “protected health information” (PHI). HIPAA defines this as “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” This includes information about the following:
- The individual’s past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
For the data to be protected, it must identify the individual or create a reasonable basis to believe that the individual could be identified from the data. Consequently, “deidentified” data, or “anonymized” data, isn’t required to have the same level of protection. It’s also important to recognize that while what most people would consider “health records” is covered by HIPAA, so are records related to payments for healthcare by an individual.
Covered entities are required to do the following under HIPAA:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
These requirements are where HIPAA compliance becomes very tricky relative to other data privacy laws. While ensuring confidentiality is a common requirement, reasonably anticipating threats to security or unauthorized disclosure is an uncommon and potentially difficult-to-satisfy requirement. What constitutes a threat that you should have “reasonably” anticipated? The flexibility in the language here allows for post-hoc analysis of your approach to security.
If there ever is a leak or breach of your systems, then it’s hard to imagine a scenario in which a government agency ruled that you “reasonably” anticipated what occurred. Instead, the law’s vagueness means that companies can easily be held responsible when things go wrong, even if they took reasonable steps and the events that occurred were truly outside of their control.
HIPAA Compliance Challenges
The solution to HIPAA’s open-ended nature is for companies to focus on prevention and regular compliance actions. HIPAA requires risk analysis (regular audits of your policies and procedures) together with physical and digital security measures. The second largest fine ever imposed on a company under this law was for failure to conduct a thorough risk analysis that directly led to a massive breach. Consequently, covered entities must perform regular risk audits and analyses.
However, the issue with this approach is that, no matter how many audits you run, you won’t find the things you aren’t looking for. Is one of your doctors snooping in patients’ files? It may sound farfetched, but UCLA Hospitals were fined for just that when one of their doctors accessed the files of celebrities and other patients whom he had never treated.
Even innocuous-seeming actions can result in HIPAA violations. Imagine one of your front-office workers asks another to forward them a document because the system won’t give them access. Maybe they should have access to it, in which case the system is either too overzealous or not granular enough. Each request represents disruption and a loss of efficiency and could result in a huge strain on company resources. And sending a file like that might move it outside the audit logging process. Months or years later, an investigator may want to know how and why that file was sent, and you might not be able to bring the receipts.
Or maybe they shouldn’t have access. Perhaps they’re about to leak it. But in an environment where the system isn’t perfect, it’s hard for your staff to always do the most secure thing. If they previously had to work around the safeguards to get their job done, the trend will be towards more serious violations over time.
How Mage Helps with HIPAA Compliance
There’s a good chance your company already has a compliance system. But, if it’s slowing down your work or not giving you complete protection, then you’re not just getting reduced benefits; you might as well not be getting any at all. Mage’s solutions can replace or sit on top of your existing provider, allowing for near-real-time, comprehensive access logging. And it can increase your flexibility with dynamic data masking, where doctors, administrators, and financial staff can access the same file but only be allowed to see the information they need to do their job.
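The two mechanisms described in this section, masking a record differently per role and logging every access so you can later “bring the receipts,” can be sketched in a few lines. The Python below is an added illustration and is not Mage’s code; the sample patient record, the roles, the field-to-role policy and the log format are all constructed assumptions for the example.

```python
"""Role-based masking of a PHI record with an access log entry on every read.

Added illustration only; not Mage's code. The sample record, the roles,
the field-to-role policy and the log format are constructed assumptions.
"""
from datetime import datetime, timezone

# Constructed sample record; no real patient data.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "diagnosis": "Type 2 diabetes",
    "insurance_id": "INS-12345",
    "billing_balance": 250.00,
}

# Fields each role may see in the clear; anything not listed is masked.
# The roles and their field sets are assumptions chosen for this example.
VIEW_POLICY = {
    "physician": {"patient_id", "name", "dob", "diagnosis"},
    "front_office": {"patient_id", "name", "dob"},
    "billing": {"patient_id", "name", "insurance_id", "billing_balance"},
}

REDACTED = "[REDACTED]"

# In-memory stand-in for an append-only audit sink (a real deployment would
# write to tamper-evident storage outside the application's control).
ACCESS_LOG = []


def _log(user, role, patient_id, purpose, outcome, cleared, masked):
    """Append one audit entry describing who saw which fields, and why."""
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": patient_id,
        "purpose": purpose,
        "outcome": outcome,
        "fields_cleared": sorted(cleared),
        "fields_masked": sorted(masked),
    })


def view_record(record, user, role, purpose):
    """Return a copy of `record` masked for `role`, logging the access.

    Every field the policy does not grant is replaced by REDACTED, so one
    stored record serves every role without per-role copies being made or
    forwarded. A role with no policy entry is denied, and the denial is
    logged as well, so the audit trail shows attempts, not only successes.
    """
    allowed = VIEW_POLICY.get(role)
    if allowed is None:
        _log(user, role, record["patient_id"], purpose, "denied", set(), set(record))
        raise PermissionError(f"role {role!r} has no view policy")

    view = {k: (v if k in allowed else REDACTED) for k, v in record.items()}
    cleared = {k for k in record if k in allowed}
    masked = set(record) - cleared
    _log(user, role, record["patient_id"], purpose, "served", cleared, masked)
    return view


def audit_trail(patient_id):
    """Every logged access to one patient's record, oldest first."""
    return [e for e in ACCESS_LOG if e["patient_id"] == patient_id]


if __name__ == "__main__":
    print(view_record(PATIENT_RECORD, "dr_a", "physician", "treatment"))
    print(view_record(PATIENT_RECORD, "clerk_b", "billing", "claim review"))
    for entry in audit_trail("P-0001"):
        print(entry["user"], entry["outcome"], entry["fields_cleared"])
```

The point of the design is that the masking happens at read time against a single copy of the record, so there is no unmasked file for a front-office worker to forward around the controls, and every read (served or denied) leaves an entry that names the user, the stated purpose and the exact fields disclosed.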