There are currently 14,930,463 individual records in the United States with an open HIPAA data breach investigation. That’s up to 14 million humans that have had their Protected Health Information (PHI) exposed by hacking, IT incident, theft, loss, or unauthorized access/disclosure.
That’s just the unresolved case list. If we add the numbers from the resolved breach notifications, we end up with 162,599,642 records – over half of the current US population.
And that’s why we need HIPAA in the first place.
What is HIPAA Compliance?
The US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to set standards for how US citizens’ PHI records are stored, secured, and used. Nowadays – along with the Health Information Technology for Economic and Clinical Health Act (HITECH) – this legislation governs how anyone with access to your PHI needs to manage and protect that data.
HIPAA doesn’t explicitly define PHI other than information that can “reasonably” be linked to an individual – it could include anything from your birth date to social security number to medical ID or more.
What is the HIPAA Enforcement Rule?
The HIPAA Enforcement Rule explains how companies need to handle HIPAA violations – and the process isn’t just a slap on the wrist.
Individuals or companies report HIPAA violations to the Office for Civil Rights (OCR), and the OCR is responsible for investigating and reviewing those violations. If the OCR finds the violators negligent, the violators must fix what caused the breach in the first place and deal with the affected individuals’ data to the satisfaction of the OCR. If the OCR does not find their response satisfactory, or if it finds the data breach egregious, the OCR will fine the violators based on the number of records involved.
In 2018 alone there have already been two different settlements costing the violators $3.5 million and $100,000, the latter of which came after the business had already shut down due to HIPAA violations. You can read all about these settlements and more – it’s public record!
What is The HIPAA Privacy Rule?
The HIPAA Privacy Rule is the nuts and bolts of the legislation: it explains how and when healthcare professionals, lawyers, or anyone else who accesses your PHI can or cannot use that data.
For example: if I want my PHI to be available to my girlfriend, the law requires a signed HIPAA PHI Release form before the doctor’s office can share my information with her. Those are the kinds of scenarios covered in the Privacy Rule.
What is The HIPAA Security Rule?
The HIPAA Security Rule sets the standards for how Covered Entities (the organizations and individuals governed by HIPAA) must protect PHI data. These standards include things like ‘lock the door to the server room’ and ‘only allow read access to PHI data to people who need to see it.’
That makes it paramount to protect personal information that qualifies as PHI – whether it is stored online, kept on paper, or spoken aloud.
What is The HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule says you have 60 days to notify an individual of improper access to their PHI. It’s important to remember that even if electronic PHI (ePHI) is merely encrypted by a ransomware attack, it’s considered a breach – and therefore falls under the HIPAA Breach Notification Rule.
If there are more than 500 PHI records impacted, you must notify the Department of Health and Human Services (which in turn gets the OCR involved) – and you’re required to issue a press release about the breach.
If you are in the unfortunate (but not uncommon) situation of reporting a HIPAA violation, here is the information you must initially provide to OCR:
- What PHI was exposed, how that data was exposed, and which personal identifiers were involved in the breach?
- Who was the unauthorized person who saw or had access to the data?
- Did anyone actually view or acquire the ePHI?
- What have you done to fix the issue or mitigate the damage?
There is good news: if a single event does not break that 500-record limit, you can report all of your smaller violations to HHS in a single batch once per year, per the Breach Notification Rule.
HIPAA Standard Transactions
A HIPAA Standard Transaction is an exchange of PHI data between two entities. For example, your doctor sends your prescription to the pharmacy, which in turn requests coverage verification from the insurance company.
HIPAA governs all of these PHI transactions, including:
- Claims and encounter information
- Payment and remittance advice
- Claims status
- Eligibility status
- Enrollment and disenrollment
- Referrals and authorizations
- Coordination of benefits
- Premium payment
How to Become HIPAA Compliant
Becoming HIPAA compliant isn’t all that different from any of your other basic 21st-century data security plans. In fact, setting up a solid data security plan will help maintain HIPAA compliance.
Here is a HIPAA Compliance Checklist to get you started:
- Map your data and discover where your HIPAA protected files live on your network (including cloud storage)
- Determine who has access to HIPAA data, who should have access to HIPAA data, and implement a least privilege model.
- Monitor all file access to your data.
- Set up alerts to notify you if someone accesses HIPAA data, or if someone creates new HIPAA data in a non-compliant repository. Use data security analytics to differentiate between normal behaviors and potential HIPAA violations.
- Protect the perimeter with firewalls, endpoint security, locks on server rooms, two-factor authentication, strong passwords, and session timeouts.
- Monitor activity on the perimeter and add threat models to your data security analytics.
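The checklist above can be exercised end to end in a few dozen lines. The script below is an added example, not Varonis code and not part of the original post: it discovers PHI with crude identifier patterns (SSN, MRN, DOB), flags PHI stored outside approved repositories, and runs a least-privilege check over a constructed file-access log. The directory names, user and group names, log format, regular expressions and sample records are all constructed assumptions; a production classifier would use validated patterns and content context rather than three regexes.

```python
"""
Added example (not Varonis code): offline triage of the HIPAA checklist steps.
(1) classify constructed sample files as PHI or not, (2) flag PHI that lives
outside approved repositories, (3) audit constructed access-log lines against a
least-privilege group model. Every path, user, group and log line is made up.
"""
import re
from dataclasses import dataclass

# Assumption: only these directory prefixes are approved to hold PHI.
APPROVED_PHI_REPOS = ("/srv/ehr/", "/srv/billing/")

# Assumed least-privilege model: only members of these groups may read PHI.
PHI_READERS = {"clinicians", "billing"}
USER_GROUPS = {
    "dr.alice": {"clinicians"},
    "bob.billing": {"billing"},
    "carol.marketing": {"marketing"},
}

# Crude PHI indicators (constructed); real classifiers validate and use context.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE)
DOB_RE = re.compile(r"\bDOB[:\s]*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE)

# Constructed file contents keyed by path (stand-in for walking a real share).
SAMPLE_FILES = {
    "/srv/ehr/patients/1001.txt": "Name: J. Doe\nDOB: 01/02/1970\nMRN: 00123456",
    "/srv/billing/claims/q1.csv": "claim,ssn\n42,123-45-6789",
    "/home/carol.marketing/newsletter.txt": "Spring wellness tips for our patients",
    "/home/dr.alice/Desktop/export.csv": "patient,ssn\nJ. Doe,123-45-6789",
}


def contains_phi(text: str) -> bool:
    """Return True if the text matches any PHI indicator pattern."""
    return any(p.search(text) for p in (SSN_RE, MRN_RE, DOB_RE))


def map_phi_files(files: dict) -> set:
    """Checklist step 1: discover which files hold PHI."""
    return {path for path, text in files.items() if contains_phi(text)}


def misplaced_phi(phi_paths: set) -> list:
    """PHI that lives outside an approved repository (non-compliant location)."""
    return sorted(p for p in phi_paths if not p.startswith(APPROVED_PHI_REPOS))


@dataclass
class Alert:
    when: str
    user: str
    path: str
    reason: str


# Constructed audit log, one event per line: "timestamp user action path".
SAMPLE_LOG = """\
2024-03-01T09:00:00Z dr.alice read /srv/ehr/patients/1001.txt
2024-03-01T09:05:00Z carol.marketing read /srv/ehr/patients/1001.txt
2024-03-01T09:10:00Z bob.billing read /srv/billing/claims/q1.csv
2024-03-01T09:20:00Z dr.alice create /home/dr.alice/Desktop/export.csv
2024-03-01T09:30:00Z carol.marketing read /home/carol.marketing/newsletter.txt
"""


def audit_access(log: str, phi_paths: set) -> list:
    """Checklist steps 2-4: alert on PHI reads by users outside the allowed
    groups, and on PHI created outside an approved repository."""
    alerts = []
    for line in log.splitlines():
        when, user, action, path = line.split()
        if path not in phi_paths:  # non-PHI activity is not of interest here
            continue
        groups = USER_GROUPS.get(user, set())
        if action == "read" and not (groups & PHI_READERS):
            alerts.append(Alert(when, user, path,
                                "PHI read by user outside least-privilege groups"))
        if action == "create" and not path.startswith(APPROVED_PHI_REPOS):
            alerts.append(Alert(when, user, path,
                                "PHI created in non-approved repository"))
    return alerts


if __name__ == "__main__":
    phi = map_phi_files(SAMPLE_FILES)
    print("PHI files:", sorted(phi))
    print("Misplaced PHI:", misplaced_phi(phi))
    for a in audit_access(SAMPLE_LOG, phi):
        print(f"ALERT {a.when} {a.user} {a.path}: {a.reason}")
```

Run as-is it reports three PHI files, one of them misplaced on a user’s desktop, and two alerts: a marketing user reading a patient record, and a clinician exporting PHI into an unapproved location. The two alert types map directly to the checklist’s “who should have access” and “new HIPAA data in a non-compliant repository” items; the behavioral analytics the checklist mentions would sit on top of this, baselining each user’s normal PHI access volume rather than applying a fixed group rule.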
HIPAA compliance isn’t just the law – it will protect your customers’ data and help ensure that your business prospers in the age of digital medical records.
Varonis has been working with our customers on HIPAA compliance since before the HITECH Act in 2009. The Varonis Data Security Platform provides the foundation for a HIPAA compliant data security strategy.