The Health Insurance Portability and Accountability Act of 1996, or HIPAA for short, is a federal law that stipulates how personally identifiable information (PII) is stored, transmitted and protected by healthcare providers and anyone else with access to protected health information (PHI). HIPAA sets the national standards for protecting the sensitive data of patients and for who needs to do the protecting. The law applies to two types of organizations – covered entities and business associates. Covered entities are any organization that collects, creates or disseminates PHI. Business associates are any organization that, through contracted work with a covered entity, comes in contact with the PHI. The two most common examples of a business associate would be your organization’s billing agency and the health insurance provider of the patient.
While HIPAA consists of five rules, we will spend our time covering three that are directly related to your organization’s cybersecurity.
HIPAA Cybersecurity Top 3
The Privacy Rule – This rule sets the standard for the access rights to patients’ PHI and only applies to covered entities. It sets the rules as to who can permit or deny access to PHI. It mandates that an organization must fully state its procedures in an annually updated policy as well as perform mandatory annual training of employees. Are you training your employees annually on protecting PHI? Is that training properly documented? HIPAA requires that you do both to be compliant.
The Security Rule – This rule sets the framework for how PHI, particularly electronic PHI, is stored and transmitted. This rule applies to both covered entities and business associates. The Security Rule is there to ensure that the security triad – confidentiality, integrity and availability (CIA) – of the data you store remains intact. It also mandates that you record in your HIPAA Policy and Procedures document the specifics of how and what you are doing to keep data secure. And again, there is annual training of all employees on these policies and procedures. Do you have your security policy documented, and are your staff trained annually? If not, you may not be HIPAA compliant.
The Breach Notification Rule – In essence, this rule states that HIPAA covered entities and their business associates are obligated to provide notification following a breach of unsecured PHI. The rule itself defines what constitutes a breach, whether or not the data was actually compromised, and, where notification is required, who needs to be notified and when. Are you aware that, if applicable, your organization may be required by law to notify the media after a breach?
Without getting too far into the weeds, we will briefly examine the key tenets of HIPAA you need to understand in order to protect yourself, your employees and your organization. We will explain what data needs to be protected, what happens if you don’t protect that data, and how to know whether you are compliant and are protecting that data sufficiently.
What data needs to be protected?
HIPAA spells out the type of data that needs to be protected – specifically, an individual’s protected health information (PHI). Bear in mind, HIPAA does allow for the dissemination of data stripped of PII, but that is outside the scope of this post. You just need to know that anything that includes identifiers of patient information is subject to the controls of HIPAA. The affected data includes, but is not limited to:
· Date of birth
· Social Security Number
· Medical information such as diagnosis, prognosis, and treatment plans
· Financial information such as credit card and bank account numbers
· Biometric data and facial photos (In Illinois, the Biometric Information Privacy Act (BIPA) also affects you as an employer but we’ll save that for a future Qubit)
· Essentially any data that can be used to identify a patient
What happens if you don’t protect the data?
One important thing to understand is that not all breaches constitute an actual violation. The Department of Health and Human Services’ Office for Civil Rights, or the HHS OCR, is the enforcement agency when it comes to HIPAA violations. The HHS OCR views a violation as any breach that compromises the integrity of the protected data. The breach must be the result of negligence, lack of compliance policies or the wanton disregard of the requirements set forth in HIPAA. For example, a breach could be unauthorized access to sensitive patient data located on an internal server. The violation occurs when the affected data was unencrypted or the firewall policies of the internal server were inadequate.
As mentioned above, HHS OCR is responsible for enforcement. The HHS OCR will investigate in depth any allegation of a HIPAA violation as well as conduct a review of an organization’s compliance policies. If a violation is found, most often HHS OCR will attempt to resolve the case by ensuring the organization voluntarily completes any necessary corrective actions and then agrees to future compliance. More serious violations, or those who fail to voluntarily comply after an initial finding, typically result in monetary fines, with the most egregious occurrences leading to possible criminal charges!
Monetary fines are based on a tiered arrangement. The Secretary of the HHS is responsible for determining the amount of the fine based upon the nature and extent of the violation. Believe it or not, the HHS OCR really does want organizations to willfully comply. The Secretary doesn’t necessarily want to impose punitive damages. For example, the Secretary of the HHS may not impose, by law, any fines if the violation is corrected within 30 days and the violation did not occur due to willful neglect. So, in essence, if your organization is found to have committed a violation, it would behoove you to correct the situation that caused the violation within those first thirty days to avoid any costly penalties. And just how costly are these penalties? Read on.
Civil penalties, for violations that are negligent in nature, carry hefty monetary fines. The HHS OCR has broken the penalties down into tiers according to the way the violation occurred.
Tier 1 – (Unknowingly) A violation the party was unaware of and could not reasonably have avoided even if reasonable care had been taken.
Penalty – Minimum fine of $100 per violation up to $50,000 per violation, with an annual max of $25,000 for multiple violations.
Tier 2 – (Reasonable Cause) A violation the party should have been aware of but couldn’t avoid even with reasonable care.
Penalty – Minimum fine of $1,000 per violation up to $50,000 per violation, with an annual max of $100,000 for multiple violations.
Tier 3 – (Willful Neglect with correction) A violation that occurred due to willful neglect, but an attempt was made to remedy the situation within the required time.
Penalty – Minimum fine of $10,000 per violation up to $50,000 per violation, with an annual max of $250,000 for multiple violations.
Tier 4 – (Willful Neglect without correction) A violation that occurred due to willful neglect AND no subsequent attempt was made to correct the violation.
Penalty – Minimum fine of $50,000 per violation with a max of $1.5 million. That’s $1.5 million per violation.
Just as a side note: these penalties increase every year, as the actual imposed fine is adjusted for inflation. As of 2021, the fine you would receive for a Tier 1 violation is $120, not $100. For a Tier 4 violation it would be $60,226 after the inflationary adjustment. The maximum Tier 4 fine? It adjusts to $1.8 million. Can your organization withstand such devastating fines?
Violations that occur due to negligence and result in a monetary penalty are typically imposed upon the organization itself. Criminal penalties are another matter. Violations committed knowingly or intentionally by individuals are prosecuted criminally by the Department of Justice (DOJ). Not only do you face financial penalties, but these matters often end up with individuals being prosecuted and imprisoned. “Knowingly” is a key phrase and important to understand. The DOJ interprets this as the key element defining a criminal action. All that the DOJ needs to prosecute is that the covered entity had knowledge of the conduct in question. More importantly, specific knowledge that an action is in violation of HIPAA is not required for you to be prosecuted. In essence, ignorance of the law is not a credible defense. You may be culpable of an offense without knowing that you are culpable.
Much like civil penalties, the criminal penalties are tiered as well. What exactly are the consequences?
Tier 1 – Reasonable cause or knowledge of violation
Penalty - Up to one year in prison and a $50,000 fine
Tier 2 – Obtaining PHI under false pretenses
Penalty - Up to five years in prison and a $100,000 fine
Tier 3 – Obtaining PHI with the intent to sell or disseminate for personal gain or malicious intent
Penalty - Up to ten years in prison and a $250,000 fine
As you can see, the consequences can be severe, particularly the criminal penalties. Many organizations have shuttered their doors due to the damage suffered from HIPAA violations. There are plenty of documented cases online that should reinforce the importance of ensuring your organization and employees are HIPAA compliant (1). Far too often we hear about the curious employee with access to medical records who accessed the personal health information of a known celebrity and was subsequently sent to jail for their HIPAA violation (2, 3, & 4). Or the facility that not only suffers a data breach due to insufficient security protocols, but then faces endless lawsuits from individuals impacted by that breach (5 & 6). The HHS OCR takes violations, and allegations of violations, very seriously. So, with all that said, the natural evolution of this conversation leads to questions such as: “How do I protect myself, my employees and my organization?” or “How do I know that I’m being compliant?”
What does it mean to be HIPAA compliant?
Although we couldn’t possibly cover in this post all of the key elements of being HIPAA compliant, we do want to touch upon a few that often go overlooked. Being HIPAA compliant doesn’t just mean that you do not discuss protected information with an unauthorized individual. Yes, that is part of compliance, but it isn’t nearly everything. Understand that being HIPAA compliant is an ongoing endeavor. It isn’t as if you become compliant one day and you’re done. No. Being HIPAA compliant involves continual internal assessment of your policies and procedures. Don’t have policies and procedures on paper? You should consider having some drafted ASAP. HIPAA compliance requires you to have such internal documents assessed annually and modified as needed. Furthermore, deficiencies anywhere that may affect the integrity of PHI must be remedied upon discovery. Annual internal audits must also be conducted. Employee training must be performed and documented annually. Software, hosts, antivirus and firewalls must be monitored and updated continually. Access controls must be reviewed, monitored and strictly enforced, which means you must have the proper physical, administrative and technical safeguards in place. Do you have a Notice of Privacy Practices in place? HIPAA requires it.
We can go on and on but we think you see our point. Being HIPAA compliant is a complicated matter. It takes time and effort to ensure that your organization is safe, secure and compliant.
In conclusion, we’ll leave you with some food for thought. When it comes to our own personal health, we seek a professional for the skill set we require – skill sets we are not trained to practice. Unless we were a medical professional such as yourself, one who has spent decades honing their craft, we would never rely on our own personal and unrelated skill set to treat a cavity or perform a medical procedure. So then, what do we do? We turn to those who are capable: medical professionals who are trained in the field and up to date on the most current and relevant information. The same argument can be made for effective cybersecurity and HIPAA compliance. Why rely on your own personal skill set to ensure you are HIPAA compliant? Is that the right decision? Particularly when we know the consequences of being wrong are just too high, just as they would be for ourselves had we practiced our own medicine.
So, contact us to start your journey towards compliance and leave the guidance and skill set to Quantum Vigilance.
1. 4 Recent HIPAA Enforcement Actions
2. UCLA Hospitals Receives $865K HIPAA Fine for Failing to Protect Celebrity Medical Records
3. ‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records
4. Inmediata Agrees to Settle Class Action Lawsuit for $1.125 Million
5. Logan Health Facing Class Action Lawsuit Over Data Breach