The Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) recently issued a bulletin to remind healthcare providers of their statutory and regulatory obligations to continue to guard protected health information (PHI), while simultaneously empowering healthcare providers to introduce remote worker technologies to help them deliver distance patient care, education, and administration.
The bulletin, released on March 20, said that OCR would be “exercising its enforcement discretion to not impose penalties for HIPAA violations for good faith provision of telehealth using communication technologies during the COVID-19 nationwide public health emergency.” The bulletin seems to indicate that healthcare providers who hastily introduce telehealth programs, assuming they continue with good faith efforts to protect PHI, would be granted safe harbor during the public health emergency.
Healthcare providers are trying to balance providing safe, reliable, and quick medical solutions (e.g., remotely confirming COVID-19 status) against fully vetting all security vulnerabilities. As healthcare providers adopt the necessary technologies to provide distance health, here are some suggestions for how they can demonstrate their PHI protection due diligence:
- Document your approach throughout the telehealth deployment. It’s a simple and effective way to formalize the steps taken to deploy telehealth solutions securely.
- Update your risk assessment to include new threats and vulnerabilities that telehealth introduces.
- Review and document the security posture of any new business associates (i.e., new business partner arrangements) needed to support telehealth, including a formal risk assessment for solutions that may impact PHI.
- Conduct vulnerability tests against the telehealth solutions expanded attack surface, to verify you aren’t introducing security weaknesses to the network.
- Train the staff supporting remote healthcare services on properly protecting ePHI.
Secureworks® is responding to the needs of healthcare organizations during the pandemic by offering a Remote information Security Assessment that helps identify gaps in security controls. This is just one of a suite of flexible remote workforce security solutions with rapid deployment and flexible payment options to help keep community-critical organizations safe as they protect the public.
As I mentioned in my original blog below, healthcare organizations continue to be a top target for cyberattacks, so consider these fundamental steps to formally demonstrate your good faith efforts as you adapt to remotely treating patients.
Originally published: Friday, DECEMBER 13, 2019
BY: BRIAN DEAN
Since May 2005, more than 244 million medical records have been reported compromised. In the first half of 2019, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) reported an average of 37.2 data breaches a month, compared to 29.5 reported in 2018.
What is HIPAA?
In 1996, the United States introduced HIPAA, or the Health Information Portability and Accountability Act, as federal law. The law intended to make personal health information data portable for the purposes of insurance but also to improve the availability of patient data for physicians, doctors, and covered entities, subsequently improving service. To make data more readily available (i.e., portable), lawmakers needed to also put protections around it.
HIPAA and Subsequent Amendments Timeline: 1996 and Beyond
The law contained multiple components, each with respective effective dates.
- Privacy Rule: It established a national standard that covered entity must comply with when protecting patients’ medical records; specifically, protected health information (PHI). It defined patients’ rights and provided the ability to restrict how PHI should be collected, used, shared, protected, and ultimately when it is destroyed (effective date: April 2003).
- Security Rule: It specifically set a national standard for the secure maintenance, transmission, and storage of electronic PHI (ePHI); focusing on administrative, technical, and physical safeguards (effective date: April 2005).
- Breach Notification Rule: It provided the HHS and Center for Medicare & Medicaid Services (CMS) power to investigate any complaints about the failure of a covered entity to comply to the Privacy Rule. It also gave the Office of Civil Rights the power to issue financial penalties (and/or corrective action plans) to covered entities that failed to comply with HIPAA Rules (effective date: March 2006). It stipulated that all breaches of ePHI affecting more than 500 individuals must immediately be reported to the HHS’s Office for Civil Rights. The criteria for reporting breaches of ePHI were subsequently extended in the final Omnibus Rule of March 2013. The breach notification rules outline a definitive timeline by which covered entities need to communicate the loss to HHS, as well as state regulators, and ultimately, the patients that have been breached.In their notification to patients, covered entities will need to include what was lost, when it was lost, and what patients can do to protect themselves.
- Omnibus Rule: The Health Information Technology for Economic and Clinical Health Act (HITECH) had the primary goal of compelling health care authorities to implement the use of electronic health records (EHRs) and introduced the Meaningful Use incentive program. Stage one of Meaningful Use rolled out the following year, incentivizing health care organizations to maintain the protected health information of patients in electronic format, rather than in paper files (effective date: March 2013). The Omnibus Rule also intended to further strengthen the privacy and security protections for health information. Notably, it saw the introduction of a new clause for covered entities which meant that not only covered entities had to protect the data, but if they give the data to somebody else (e.g., service providers), contractually the new recipient was required to protect the data as well.
How is PHI defined as Covered by HIPAA?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).3
HIPAA broadly defines PHI as medical data about a person obtained by a covered entity or downstream business associate (i.e., a specifically defined HIPAA term for service providers receiving PHI). PHI is any health information that can be tied to an individual, which under HIPAA, means protected health information includes one or more of 18 identifiers. If these identifiers are removed, the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.
When is Health Information Not Protected by HIPAA?
PHI created or maintained by a covered entity or service provider/business associate must be protected. For example, if you go to a health care provider like a doctor or hospital, and you give them information, or they derive information from tests, that’s all protected health information. However, if you talk to your employer and tell them you are not feeling well, that has nothing to do with a covered entity and is not protected under HIPAA but may be covered by state/federal and privacy laws.
What Organizations Need to be HIPAA Compliant?
This federal law is compulsory for covered entities and business associates, defined as:
- Health care providers (e.g., hospitals, doctors, dentists)
- Health Plans (e.g., insurance agencies, company health plans)
- Health care clearinghouses (entities that get PHI and manipulates it to make available for other purposes. For example, the Center for Disease Control might need certain data points to protect U.S. citizens from disease, and that data may be shared from covered entities or health care providers to help them facilitate their efforts.)
- Per the Omnibus Rule of 2013, it is also a contractual obligation for service providers (i.e., business associates) that covered entities may share ePHI with.
Do I Have Reporting Requirements to Become HIPAA Certified?
There is no regulatory agency certifying HIPAA compliance. Unlike certification frameworks like PCI and ISO 27001, the HIPAA statute and subsequent amendments do not outline a finite set of compliance or controls requirements which you can be tested and certified against by a HHS approved assessor. Covered entities and service providers can, however, validate their compliance or use an objective third-party service provider to deliver an objective validation that controls are in place and effective (e.g., Security Controls Assessments, also known as Gap Assessments). In addition, there are industry organizations to help organization leverage best practice (e.g., NIST and HITRUST). These frameworks were designed to meet the spirit of HIPAA by defining controls. While it’s required that covered entities and service providers comply with HIPAA, it’s not required that you follow a specific framework.
Today, HITRUST CSF is the most widely adopted U.S. HIPAA security framework. The state of Texas now provides additional protections for covered entities and their business associates who obtain CSF Certification. The demand for business associates is increasingly important, as covered entities use the HITRUST certification to verify that the business partners they are trusting with their patients’ data is adequately protected.
How Does Secureworks® Help with HIPAA?
Secureworks experts can provide independent third-party expertise by performing an objective review of existing controls to help covered entities and service providers meet HIPAA data security protection requirements with confidence. During a Security Controls Assessment, our security and HIPAA experts can help you navigate compliance, identify weaknesses and gaps, and provide recommendations so you not only strengthen your security posture, but you also meet HIPAA Security Rules requirements, prevent fines, and protect patients.
Building a HIPAA Compliance program is not a one-time project. Instead it is a program, an ongoing process to not only be compliant throughout the year, but to be secure. Using a trusted partner with the expertise to build the HIPAA program can improve security posture, improve compliance, but more importantly implement a cost-effective program that is sustainable and defensible in the event of a reportable data breach.
Additional Resource: Download our HITRUST Solution Brief to understand how Secureworks approaches HITRUST Certification.
Such content herein is provided “as is where is,” and Secureworks makes no representations or warranties about the accuracy or completeness of the content contained herein. Additionally, although the content set forth in this blog may discuss or relate to legal issues, Secureworks does not provide legal advice or services, and none of such content shall be deemed, construed as or constitute legal advice. You are ultimately responsible for retaining your own legal counsel to provide legal advice. Furthermore, this content shall not be deemed to be legal opinion and may not and should not be relied upon as proof, evidence or any guarantee or assurance as to you for legal or regulatory compliance.