HIPAA and the Undeniable Trend toward Increasing Regulation & Enforcement in IT Security
Governments at the State and Federal levels have recognized the growing exposure related to information security. As a result, there are increasing mandates to control access to our data and to combat these threats. Evidence of this trend is that many of these mandates are finding their way into legislation not originally intended to address data protection. Let’s take a look at what has happened with HIPAA in the healthcare industry, which is the first of many industries likely to be affected by this type of regulation in the near future.
Under the American Recovery and Reinvestment Act of 2009, commonly known as the Stimulus Bill, States’ Attorneys General were empowered to prosecute HIPAA violations. So what was once only a Federal violation has now become a violation at both the Federal and State level.[1]
In March 2013, the U.S. Department of Health and Human Services (HHS) moved forward to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Its Omnibus Final Rule greatly enhanced patients’ privacy protections, provided individuals new rights to their health information, and strengthened the government’s ability to enforce the law. The Omnibus Rule marked the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented in 1996. Among other things, the Omnibus Final Rule revised the existing rule on breach notification for unsecured protected health information under the HITECH Act.
The rule added language to the definition of a breach to identify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or Business Associate demonstrates that there is a low probability that the protected health information has been compromised. The rule also removed the harm standard and modified the risk assessment in order to focus objectively on the risk that the protected health information has been compromised.
The more objective factors that must be considered when performing a risk assessment to determine whether the protected health information has been compromised and breach notification is necessary are also identified in the Omnibus Final Rule.[2]
HIPAA and other regulations make clear that companies whose electronic devices store or access private data (in particular health-related and financial-related data) must be extremely cautious with that data, or risk loss of revenue, negative customer impact (which can trigger lawsuits), and bad publicity that damages the organization’s reputation. The potential consequences of being unable to prove that you have performed due diligence in the protection of sensitive information can be severe.
You can read more about this topic by downloading our full Legal & Security Risks in Management and Disposal of Off-Network Technology whitepaper here: http://bit.ly/SecurityRiskWP
References:
1. Under the Act, Subtitle D §13410 specifically provides for improved enforcement by State Attorneys General (SAG). SAG may bring civil actions for alleged violations of the Privacy and Security Rules on behalf of state residents. The ARRA/HITECH portions of the legislation institute federal breach notification requirements. The Bill extends liability under federal rules to Business Associates of Covered Entities. The potential consequences of not protecting privacy or security can be severe. Health information is defined as “including demographic information collected from the individual if it is created or received by a health care provider, health plan, employer, or health care clearinghouse…”
The Privacy Rule is defined in 45 CFR, Part 164, titled “Security and Privacy”. Subpart D, among other things:
- Establishes standards for use and disclosure of Personal Health Information (PHI) by covered entities
- Establishes individuals’ rights with regard to their PHI
- Sets out general rules that Covered Entities/Business Associates may only use and disclose PHI as permitted or required by the HIPAA Privacy Rule
- Provides standards explaining permitted and required uses and disclosures
- Outlines administrative requirements for covered entities
- Addresses security standards and implementation specifications to prevent unauthorized disclosure of or access to electronic PHI (ePHI)
- Defines three types of safeguards that covered entities are required to have in place to protect ePHI:
  o Administrative
  o Physical
  o Technical
2. The factors that must be considered as part of the risk assessment are:
(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(2) The unauthorized person who used the protected health information or to whom the disclosure was made;
(3) Whether the protected health information was actually acquired or viewed; and
(4) The extent to which the risk to the protected health information has been mitigated.
Depending on the circumstances, other factors may also be considered as part of the risk assessment. 78 Fed. Reg. 5566 (January 25, 2013).