HIPAA Compliance, HITECH and Cybersecurity
HIPAA is a US federal law aimed at improving and modernizing healthcare across the country. Enhanced by the HITECH Act, HIPAA creates privacy, data protection and breach notification requirements for US healthcare entities and for the suppliers that handle health records on their behalf.
What is HIPAA / HITECH and how do they impact cybersecurity?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law in the United States that came into force in 1996. HIPAA is a fairly complex piece of legislation, consisting of five Titles spanning over 160 pages. The law was initially designed to improve the portability and continuity of health insurance coverage, to combat waste, fraud and abuse in health insurance and healthcare delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, and to simplify the administration of health insurance.
ImmuniWeb can help you comply with HIPAA / HITECH cybersecurity and data protection requirements.
Among cybersecurity professionals, HIPAA is best known for addressing the data security and privacy of Protected Health Information (PHI). Under the Act, PHI is broadly defined as any information about the past, present or future health or medical condition of an individual, including but not limited to diagnoses, treatment information, medical analyses or prescriptions that are attributable to the individual. For example, a medical prescription bearing the patient’s name is PHI, while a prescription without any mention of the patient, their contact details or other identifiers is unlikely to constitute PHI.
PHI data protection and privacy are addressed by virtue of the Security Rule and the Privacy Rule in the Second Title of HIPAA. The Privacy Rule covers both digital and paper-based PHI, while the Security Rule applies only to electronically stored PHI (also referred to as “ePHI” or “e-PHI”).
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 with the main purpose of bolstering the digitalization of healthcare in the US and encouraging organizations to use Electronic Health Records (EHR). The HITECH Act introduced important enhancements to HIPAA’s data protection regime by expanding the list of non-healthcare entities that must comply with its privacy and security requirements, by increasing the possible penalties for HIPAA violations and by setting a higher standard for data breach notifications. The US Department of Health and Human Services (HHS) activated HITECH’s enhancements with the Omnibus Final Rule passed in 2013.
Who is covered by HIPAA / HITECH cybersecurity regulations?
HIPAA applies to “covered entities” (CE) of all sizes, comprising a wide spectrum of public, private and even individual healthcare actors in the US. Covered entities include healthcare providers (e.g. hospitals, clinics, nursing homes, pharmacies, doctors, psychologists, dentists and chiropractors), health insurance companies, governmental programs such as Medicare and Medicaid, and clearinghouses that process healthcare data on behalf of third parties (e.g. billing or payment processing services).
The HITECH Act expanded the coverage of the Security Rule and the Privacy Rule to “business associates” (BA): suppliers of covered entities that handle, store or process PHI on behalf of the covered entity. Therefore, vendors and companies that provide services to covered entities and access or process their PHI are also covered by HIPAA. According to the HHS guidelines, even if a vendor, such as a cloud service provider, merely stores encrypted PHI and has no decryption key, the vendor is still subject to HIPAA security requirements, including the duty to preserve the integrity and availability of the PHI.
Importantly, covered entities should also keep in mind the FTC Act, vigorously enforced by the Federal Trade Commission (FTC), which prohibits companies from engaging in deceptive or unfair commercial practices. Under the Act, any misleading, materially incomplete or deceptive statements made to consumers of healthcare services about how their health data will be used, stored or processed may be sanctioned by the Commission under Section 5(a) of the FTC Act. Covered entities that handle the genetic data of individuals should also consider reading the Genetic Information Nondiscrimination Act (GINA), a dedicated US federal law that prohibits certain uses of genetic data.
Covered entities should also carefully examine applicable state laws: HIPAA does not preempt a state law that offers higher PHI privacy protection than HIPAA.
Who enforces HIPAA compliance and what are the penalties?
The HHS’s Office for Civil Rights (OCR) is responsible for enforcing HIPAA. The OCR may conduct ad hoc audits of covered entities at its own discretion or investigate alleged violations of HIPAA upon receipt of a complaint. The OCR has broad investigatory powers during an audit.
Today, the OCR uses a four-tier model for civil penalties, under which serious violations of HIPAA are punished by a fine of 50,000 USD per violation, up to 1,500,000 USD per year. In 2020, the HHS adjusted these figures to 59,522 USD and 1,754,698 USD respectively.
The HITECH Act also empowers state Attorneys General (AG) to bring civil actions on behalf of state residents for violations of the Privacy Rule or the Security Rule to obtain damages and to enjoin further violations of HIPAA in their states.
Deliberate misuse or misappropriation of PHI may also constitute a federal crime. The OCR collaborates with the US Department of Justice (DOJ) to refer possible criminal violations of HIPAA for prosecution by the DOJ. Criminal penalties may go up to 10 years in prison. Individual employees may also be criminally liable, and ignorance of HIPAA requirements is no excuse.
What are the privacy requirements under HIPAA?
According to the HHS, the Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media whether electronic, paper or oral.
Like the GDPR, the Privacy Rule empowers individuals to request access to and correction of their PHI held by a covered entity. Furthermore, a covered entity must establish a process for receiving and responding to privacy complaints from individuals. Finally, a covered entity may not retaliate against a person for exercising his or her rights granted by the HIPAA Privacy Rule.
What are the cybersecurity requirements under HIPAA / HITECH?
The Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) applies to electronic PHI (ePHI) only. Unlike the Privacy Rule, it does not apply to PHI transmitted orally or on paper. After the enactment of the HITECH Act, covered entities, their business associates and all their subcontractors must abide by the Security Rule.
The Security Rule expressly requires covered entities to:
- Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit; and
- Identify and protect against reasonably anticipated threats to security or integrity of the information; and
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Covered entities must establish risk-based safeguards to protect ePHI, including (i) administrative safeguards, (ii) physical safeguards and (iii) technical safeguards. The safeguards must adequately mitigate reasonably foreseeable risks and threats, which must be meticulously identified through a risk analysis. The HHS says that risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of the security measures put in place, and regularly re-evaluates potential risks to ePHI.
The HHS provides more detailed cybersecurity and data protection requirements in its guidance “Framework for the Independent Assessment of Security and Privacy Controls for Enhanced Direct Enrollment Entities” for the Centers for Medicare & Medicaid Services (CMS). The guidance mandates yearly security and privacy auditing by a qualified external assessor, including penetration testing of web applications for OWASP Top 10 vulnerabilities (Section 5.6 “Penetration Testing”). Other practical insights may be found in the HHS guides dedicated to specific topics, such as HIPAA and Cloud Computing, which elaborates the specific duties of Cloud Service Providers (CSP) when processing or storing ePHI on behalf of a covered entity.
Corporate cybersecurity strategy must be carefully documented. The HHS says that a covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must also maintain and preserve written security policies, procedures and written records of required actions, activities or assessments.
In 2020, HR 7898 amended the HITECH Act to require the HHS Secretary to consider certain recognized security practices, such as NIST guidelines, of covered entities and business associates when, among other things, making determinations for sanctions and penalties.
Finally, covered entities should regularly update their data protection and cybersecurity processes, taking into consideration the rapidly changing cyber threat landscape and the evolution of technology.
What are the data breach notification requirements under HIPAA / HITECH?
The Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities and business associates to report breaches of unsecured PHI. Unusable, unreadable, encrypted or otherwise indecipherable PHI is usually not considered “unsecured PHI” under HIPAA for the purpose of breach notification. There are also some narrow exceptions for low-risk disclosures of PHI, for example when the affected organization has a good faith belief that the unauthorized person who accessed the PHI was not able to retain the PHI or any part of it. Organizations should, however, be very prudent when relying on these exceptions.
Covered entities are responsible for notifying individuals about a data breach but, when appropriate, they may also contractually delegate this duty to the business associate that caused the notifiable breach. A business associate must inform the covered entity without undue delay about any breach involving PHI entrusted to it.
Notification under the Breach Notification Rule must be made to the affected individuals by first-class mail or, if the individual has consented to electronic notification, by email. The notification to aggrieved individuals must be made without undue delay and no later than 60 days after discovery of the data breach. The notification must contain a brief description of the incident and suggested risk mitigation steps, explain what PHI was compromised, and include a toll-free phone number, active for at least 90 days, where individuals can request further information about the breach.
If a data breach affects more than 500 individuals in a state or jurisdiction, the compromised organization must also issue a press release about the data breach to prominent local media. The notice to the press must likewise take place no later than 60 days after discovery of the breach.
Finally, the HHS Secretary must be notified about the breach within the same timeframe (except for breaches affecting fewer than 500 individuals, which are reportable to the HHS on an annual basis). The HHS provides an electronic form on its website to report both types of data breach online.
Covered entities and business associates bear the burden of demonstrating that all required notifications have been duly provided. Therefore, the entire notification process must be carefully documented in writing and preserved for future audits.
What are the supply chain security requirements under HIPAA / HITECH?
According to the HHS, a “business associate” is a healthcare institution’s subcontractor that creates, receives, maintains or transmits PHI on behalf of the covered entity.
The HITECH Act extended the application of the Privacy Rule and the Security Rule to business associates, who may be fined and criminally prosecuted, in the same manner as covered entities, for failure to comply with the HIPAA rules. The Breach Notification Rule also applies to business associates. Subcontractors of business associates may likewise be directly liable under HIPAA.
Akin to the GDPR requirements for special contractual relationships between data controllers and data processors, HIPAA requires covered entities to impose a wide spectrum of contractual duties upon their business associates. Contractual clauses shall, among other things, limit the usage and processing of the entrusted PHI, impose strict safeguard requirements while storing or processing PHI, and mandate prompt data breach notifications to the covered entity. The HHS provides a template contract (Business Associate Agreement) on its website.