'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on May 29, 2020 AUTHOR Mike Sloan
In 2009 fewer than 46% of all medical providers in the United States used electronic records, with the majority still using paper patient records, faxes, and handwritten charts. The Patient Protection and Affordable Care Act (PPACA) went into effect in 2014 mandating healthcare organizations to convert paper records into electronic medical records (EMR or EHR) and while now, nearly all health care organizations have made the conversion, most have not controlled which systems and employees have access to the data.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) created an electronic data interchange that health plans, health-care clearinghouses, and certain health-care providers, including pharmacists, are required to use for electronic transactions. The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
However, with the transition to electronic records and a data exchange for healthcare providers, a patient’s data was likely to be entered and maintained on a number and disparate set of systems, scanned and databased on other systems and handled by a variety of medical professionals.
New to the digital market and lagging financial, consumer products, and tech sectors, health care providers are still struggling to obtain the technology or the information technology expertise to handle the massive compliance challenge. As an example, as late as last year in the annual Thales Data Threat Report, the organization revealed that 70% of U.S. healthcare organizations surveyed experienced a data breach, with a third reporting one in the last year alone. This is the greatest rate of any industry studied by Thales.
Security incidents and breaches where PHI falls into the wrong hands is a clear indication that healthcare organizations do not have control of their patient’s data. In this blog post, we’ll discuss the obstacles to complying with HIPAA and other privacy regulations as well as the comprehensive solutions that are empowering healthcare providers to manage and secure patient data simply and cost effectively.
HIPAA protected health information (PHI) is any piece of information in an individual’s medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify them. Just like PII or personally identifiable information, PHI is any data that could potentially be used to identify a person. Examples include a full name, Social Security number, driver's license number, bank account number, passport number, and email address. However, PHI typically includes additional pieces of data.
The meaning of PHI includes a wide variety of identifiers and different information recorded throughout the course of routine treatment and billing. The Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) include 18 types of information that qualify as HIPAA protected health information (PHI) identifiers.
Electronic protected health information (ePHI) is any PHI that is created, stored, transmitted, or received electronically. The HIPAA “Security Rule” has specific guidelines in place that dictate the means involved in assessing ePHI.
PHI or ePHI needs to be accessed by doctor’s, nurses, administrators and other health care professionals over the course of the health care provider's relationship with a patient. Thus, patient data is likely to be found on a variety of servers, databases, laptops and other technology. Understanding where this data is stored in the organization and how to manage and secure it is difficult.
Organizations should start preparing for an Office for Civil Rights (OCR) HIPAA audit long before they are notified that they have been chosen for a random audit. Further, for organizations that are not chosen for a random HIPAA audit, they may still face penalties for noncompliance if they have a patient complaint or experience a breach.
To be clear, the Department of Health and Human Services (HHS) oversees the OCR, which uses the HIPAA audit program to assess the compliance of covered entities. As stated by the HHS, “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”
Since 2003, the OCR has discovered 55 Privacy Rule violations and handed out close to $80 million in fines. And as of 2018, the OCR has received more than 184,000 HIPAA complaints and initiated more than 902 compliance reviews.
In 2018, OCR settled 10 cases totaling $28.7 million from enforcement actions. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Last year, OCR reached an all-time record year in HIPAA enforcement activity suggesting that their standards will continue to rise.
Further, the majority of the complaints and fines were because of the health care provider’s inability to protect patient data. Lastly, once the OCR has made up its mind to audit a health care provider, they have just 10 days to respond.
In the wake of scrambling to comply with HIPAA and the increasing enforcement activity and compliance requirements health care providers have been hit with a rash of breaches and ransomware attacks. To make things even more complicated, over the past 3 years new privacy legislation, GDPR and CCPA have been introduced to protect a “citizen’s” rights. We add the term “citizen” because for healthcare providers it expands their privacy responsibilities beyond just patients to anyone from whom they have collected and currently store PII.
A difficult provision of GDPR for health care organizations to deal with for example is the “right to forget.” This means that patients could ask a clinic or hospital to erase all the data it has collected on them. This obviously goes against the practice of healthcare organizations to retain medical records to provide a patient history for continuity of care.
The CCPA is modeled around the GDPR and similar in that it applies any data on California residents, even if it is stored in another state. The “Do Not Sell” provision of CCPA will force health care providers to have processes and procedures in place to respond to requests from both patients and consumers.
HIPAA regulations treat data storage companies as Business Associates (BAs). Thus, as an example, the regulation accounts for the storage of physical and digital data, meaning that cloud storage services qualify as BAs even if the organization rarely, randomly, or never accesses or views the ePHI that they store.
When dealing with data and cloud storage services, BAs must have Business Associate Agreements (BAAs) in place. A good BAA should include provisions that clearly delineate liability in the event of a data breach, in addition to the technical, administrative, and physical safeguards that will be put in place to maintain the integrity of PHI.
For any vendors handling PHI, a business associate agreement (BAA) is essential. This helps ensure that both parties are held accountable for creating, receiving or transmitting PHI in a secure and intended manner. If either party violates the BAA, they may face penalties from Health and Human Services. Cloud providers and other organizations that handle PHI sign BAA’s unfortunately they don’t have the protocols in place to responsibly handle PHI.
As we suggested previously, one factor linked to the rise in healthcare cyber-attacks is the digitization of health records. These digital records are a treasure trove of information for attackers. They not only contain insurance information, which is used for fraudulent billing and prescriptions, but also social security numbers, driver’s licenses and credit card numbers.
Many medical providers had operated with paper, faxes, and handwritten charts until Obamacare mandated electronic records; healthcare providers have struggled ever since to secure their new digital records. In 2009, prior to the Affordable Care Act, only 12% of hospitals had transitioned to electronic health records. The ACA’s HITECH provisions provided tens of billions of dollars in incentives for healthcare providers to implement electronic health records; these digital records now are in use by 96% of hospitals across the country.
However, medical records are now the top selling personal record on the dark web and black market. Research firm Cynerio found that malicious attackers are using these records for delivery of prescription drugs, fraudulent claims to online provider websites, and tax fraud. Researcher James Scott, in a report prepared for the U.S. Senate, found that electronic health records with complete long-form documentation on all the intricacies of a person’s health history, known by hackers as “fullz,” are often combined with fake passports, drivers’ licenses, and social security numbers as an identity kit which often sell for $1,500 to $2,000.
Cybercriminals use these records to buy medical equipment or drugs and file fictional claims with insurers. Health records also contain addresses and employer details, meaning hackers can use them to file fake tax returns. While a stolen credit card number can be easily cancelled and reported to a bank, there is no easy solution for stolen medical records.
Data management, privacy and security have become a primary concern for healthcare facilities as it is one of the most pressing requirements from HIPAA. It is also connected directly to the secure adoption of electronic health records. As we stated earlier, the HIPAA rules imply that any company that deals with protected health information (PHI) must have in place physical, network, and process security measures and follow them in order to ensure HIPAA compliance.
Healthcare organizations and providers must have access to patient data in order to deliver quality care, but complying with regulations and requirements for protecting patient health information requires a combination of robust data management strategies as well as the appropriate solutions and sufficient IT resources to implement them.
HIPAA privacy management software and solutions help organizations comply with HIPAA policies, including security regulations by automating processes. Automating policies by locating, protecting, and managing PHI reduces risks of human error and non-compliance, brings efficiencies, and reduces the costs of compliance.
Further, privacy management software not only aids in the identification and management of PHI, but also, privilege escalation, cross-system visibility to identify insider threats, and is able to determine the severity of a data breach by identifying which systems and data were breached.
Finally, while privacy and security are core benefits of privacy management software, automation including PHI inventory tracking, HIPAA compliance reporting, BAA management, and monitor and track changes to HIPAA and other privacy and compliance laws.
Implementing manual compliance processes and combining systems and databases for PHI has been more costly than expected for most healthcare providers focused on the needs of their patients. Automating manual tasks and processes is the only cure for organizations whose mission is life or death.