HIPAA, or the Health Insurance Portability and Accountability Act, is a piece of legislation that was enacted by the US Congress and signed into law by Bill Clinton in 1996. It amended the existing Internal Revenue Code and was designed to make it easier for Americans to have continuity of their health insurance if they lose or change jobs.
It also added security standards that came into effect in the years after the act became law. It requires companies to have a set of digital and physical procedures in place, outlined in clear policies and procedures, to protect the privacy of patients’ sensitive health data.
The rules were split into three separate areas:
- Administrative safeguards: Clearly documenting the security controls the organization uses, appointing a “privacy officer” who has overall responsibility, providing training on data protection, establishing a disaster recovery protocol, and conducting internal audits.
- Physical safeguards: These are the physical security measures that an organization must have in place to prevent unauthorized access, copying, alteration, or deletion of data. This could be through locked doors and filing cabinets, building access control, and not positioning screens in a way that faces high traffic areas where people could read over someone’s shoulder.
- Technical safeguards: These are the digital security measures in place that prevent unauthorized access to computer systems that store and transmit sensitive information. This includes data encryption and user account authentication through password protection and other secure methods. Data integrity must also be verified using digital signatures, checksums, and audit trails so that corruption and tampering are detected.
Not the Only Legislation to Consider
HIPAA is not the only piece of legislation that regulates data protection. In Europe, the General Data Protection Regulation (GDPR) requires companies to protect all personal information that could be used to identify a person. Companies are also required to register with a national regulatory body like the UK’s Information Commissioner’s Office and to report any data breaches to them.
Even if a company is in the United States, it must adhere to GDPR if it stores or processes any personal information of even just one EU citizen. Even if a company doesn’t need to comply with GDPR, new legislation in the US, such as the California Consumer Privacy Act (CCPA), has many of the same requirements.
Since companies have many different responsibilities placed on them by HIPAA, it’s very easy for them to be in violation of the law. The most common of these violations are:
- Unauthorized employees snooping on health records: by not having correct physical and technical security in place, nosy or vengeful employees can go snooping on the health records of other employees or patients. This breaches the privacy elements of the law.
- Not conducting an organization-wide risk assessment: it is not possible to ensure total protection of data if you are not aware of all the potential risks to it. Therefore, a full organization-wide risk assessment is required. Many fail to carry this out because it is time-consuming and complicated.
- Lack of risk management: performing a risk assessment and filing it away without carrying out any of its actions is pointless, so your organization will be in violation of HIPAA if it doesn’t have stringent risk management processes in place.
- Not using encryption on devices that store HIPAA data: as part of the technical safeguards, data must be stored and transmitted in an encrypted form. Simply having a password on your Windows PC does not encrypt the data, so you’ll be in violation.
- Not reporting breaches on time: the HIPAA Breach Notification Rule specifies that any data breaches should be reported “without unnecessary delay” and places a maximum of 60 days on an organization to do this. Taking longer usually results in fines.
- Not disposing of data properly: when data no longer needs to be stored it must be disposed of properly. Simply “deleting” it from your computer isn’t enough, as it can be recovered with special software and with forensic techniques. Therefore, data needs to be securely erased using dedicated digital shredding software that overwrites the data.
It is quite easy to violate the rules in these ways by accident, particularly if you don’t have the correct technical expertise in your organization. This is why it’s important to work with experienced HIPAA compliance management solution providers that can not only prevent unauthorized access to private data but also simplify the whole compliance process by reducing administrative burden.