HIPAA and IT Security
The health care system, and the research organizations within it, is a sensitive sector and one of the most exposed to privacy risks, which makes the security of health information crucial.
Information security obeys data protection laws and regulations, of which the Health Insurance Portability and Accountability Act (HIPAA) applies in US.
How are HIPAA and Information Security related?
The Health Insurance Portability and Accountability Act (HIPAA) is divided into 5 titles, of which title II “Administrative Simplification Rules” is the one related to IT and information security. This section covers the HIPAA IT and compliance requirements to ensure privacy and security of health information (whether it is electronic, oral or written in hard copies) when it is sent, in transit, received, in use or stored. It contains the following topics:
Unique Identifiers Standards for health care providers, health plans, and employers
These identifiers aim to simplify administration through assignment at the national level of a specific 10-digit number for each health care stakeholder.
There are four unique identifier types:
- The Employer Identification Number (EIN): Used in the Internal Revenue Service (IRS) Form W-2, Wage and Tax Statement which the employee gets from his employer. It aims to more easily identify the affiliation of workers to health plan or insurance.
- The National Provider Identifier (NPI): A 10-digit number that every covered entity has in order to simplify HIPAA administrative and financial transactions.
- The National Health Plan Identifier (NHI): Aims to distinguish between health plans and other payers.
- The National Individual Identifier (NII): Has been discarded by the government.
Electronic health transaction standards and medical data code sets
The electronic health transaction standards under the Electronic Transaction rule or Electronic Data Interchange (EDI) aim to make covered entities use standardized and harmonized electronic processes using specific codes for insurance claims. Indeed, the HIPAA does not require covered entities to comply with specific standards such as Electronic Fund Transfer (EFT) and claims attachment, but if the transaction is made online, covered entities (both sender and receiver) should use the related standard and respect the required content and format. This concerns information related to the following areas: health care claims or equivalent encounter information, electronic funds transfers (EFT), health care payment or remittance advice (ERA), coordination of benefits, eligibility for a health plan, health care claims status, enrollment and disenrollment in a health plan, referral certification and authorization, health plan premium payments.
The Medical Data Code sets are all the codes that covered entities should use for inpatient/outpatient performed medical procedures and diagnosis reporting in all transactions. These codes include the Current Procedural Terminology (CPT®), the Health Care Procedure Coding System (HCPCS) and the International Classification of Diseases, Tenth Revision (ICD-10).
This rule requires covered entities and business associates to protect the privacy of any kind of patient health information that can identify an individual (e.g., name, address, birth date, Social Security Number), whether it is electronic or not, and gives standards related to Protected Health Information (PHI) uses and disclosures and whether they need patient consent/authorization or not. Indeed, they are not required when it comes to justice enforcement, public health interventions, certain marketing and fundraising activities, victims of neglect and violence, and so forth. In other cases, such as maintaining the covered entity directory, it is possible to use PHI as long as the patient does not have an objection.
Furthermore, the privacy rule sets patient’s rights under it, including the right to: ask for a health record copy, examine it and request corrections; receive a notification related to the use and disclosure of PHI; give consent and authorization on the use and disclosure of PHI; receive a full report of use and disclosure activities; file complaints; and ask questions about one’s own rights.
The nature of patient health information varies and includes demographic data, the health and care history of the patient as well as the related payment history of that patient. However, the rule does not include records related to employees, for instance, as well as other types of information covered by the Family Educational Rights and Privacy Act.
The privacy rule covers administrative requirements that are applicable to most of the covered entities:
- Nominating a privacy officer;
- Training the employees;
- Planning policies and procedures to safeguard PHI according to the characteristics of the organization (size, activities, etc.);
- Setting adequate and sufficient safeguards to protect PHI;
- Setting a process of complaints registration;
- Applying sanctions on employees committing breaches;
- Known harm management (including harms coming from business associates);
- Keeping required documentation for at least six years; and
- Not intimidating, retaliating individuals in general nor requiring them to renounce to register a complaint with the secretary.
The Security Rule is the one that interests the majority of information security providers and is the most important for IT security. Indeed it is specifically related to electronic protected health information (ePHI) and how covered entities (and their business associates) should safeguard their CIA triad. The security rule requires covered entities to use three types of safeguards:
- Security Management Process
- Security Personnel
- Information Access Management
- Workforce Training and Management
- Facility Access and Control
- Workstation and Device Security
- Access Control
- Audit Controls
- Integrity Controls
- Transmission Security
The Enforcement Rule (completed and updated by the Health Information Technology for Economic and Clinical Health, or HITECH, Act in 2009) requires covered entities and business associates to comply with HIPAA requirements. Indeed, the Rule sets civil (monetary penalties) and criminal penalties (imprisonment) that may apply in case of non-compliance or violations.
The Office of Civil Rights (OCR) is responsible for investigating compliance with HIPAA privacy standards through complaints and compliance reviews or audits, while the Centers for Medicare & Medicaid (CMS) is responsible for both the transaction and code set standards and the security rule.
Breach Notification Rule
The rule describes the cases considered as breach of unsecured protected information and gives standards of notification by covered entities to individuals, to the media in case over 500 individuals are affected, and to the Secretary; and also from business associates to covered entities.
Which security careers are concerned with HIPAA?
Due to the complexity of HIPAA, compliance to it requires health organizations to employ people dedicated to HIPAA or otherwise externalize the service to a specialized security group. In both cases, the security officer plays a crucial role in order to make the organization compliant with the HIPAA security rule. His main tasks include:
- Setting, implementing and monitoring all the procedures and policies, standards, guidelines and ePHI plans to track access to ePHI and comply with the HIPAA security rule;
- Staying up to date regarding information security laws, accreditation standards and innovations in the field in order to be able to make the organization quickly adapt to new threats;
- Collaborating with the information privacy officer to harmonize security and privacy practices and with any other function directly responsible for compliance with HIPAA;
- Performing security management, which involves risk assessment and management;
- Setting an incident response plan (IRP) to be used in case of security breach;
- Conducting internal security audits (in collaboration with different departments) or external ones (in collaboration with OCR, ISO, etc.);
- Developing internal information security culture;
- Being the person to refer to in terms of safeguarding ePHI and complying to the HIPAA security rule;
- Being the intermediary between the organization and legal bodies such as OCR and other external regulatory bodies and serve the interest of the organization in the best way;
- Being the intermediary between the organization and external security specialists hired to improve internal security;
- Creating a backup plan so that the organization can continue operations in extreme cases such as disasters or security breaches;
- Tracking violations of information security and take necessary measures to address those violations (employees’ sanction, setting new passwords, etc.); and
- Elaborating and running trainings in information security matters.
Variants of the security officer role that have more or less the same responsibilities adapted to the needs and organization of each health organization could be: chief information security officer or IT chief security officer at a higher hierarchic level (when the officer supervises the tasks instead of performing them himself), privacy and security officer, security engineer, information security analyst, security systems administrator and IT security consultant.
As said, securing ePHI should involve everyone in the organization from the top management to the very basic function in the organization and in all departments not only IT but also HR, medical units, finance and legal department, etc.
What HIPAA training and information is important for IT Security?
Being the most important for information security, the HIPAA privacy and security rules are the most important to train for in IT security. Both basic and mandatory training require you to cover important topics:
HIPAA privacy rule: basic training
- What PHI is, how to identify it and who can access it;
- When, how and by whom it could be disclosed;
- What CIA is;
- Patients’ rights;
- Business associate obligations;
- Consequences of violation of the rule.
HIPAA security rule: mandatory training
- Potential threats to information security related to the use of internal information systems (password shared to other people), social media, websites, emails, and devices;
- How to protect from those threats (encryption, e-signatures, etc.);
- Actions to take when something goes wrong or is not normal;
- Any other information security policy, guideline or procedure;
- Security updates (i.e. new internal policy);
- Consequences of not following the security rule.
The training of employees at all levels as well as the organization’s business associates is a requirement of HIPAA. Additionally, it is important to educate about how to keep the privacy and security of data and why. In order to raise awareness on information security, explaining the HIPAA compliance requirements, communicating information security objectives and the applicable sanctions in case of violation of internal policies is necessary. Having well trained personnel would ensure that an organization can take quick action in case of security breach, stop it and limit the damages.
Information security is a serious matter not only to protect patients but also for the business. The HIPAA privacy and security rules guide health care organizations and their business associates to maintain strong information security and requires them to comply with it. It is the role of the organization in general and the Information Security officer in particular to develop and maintain an information security culture within the organization.