Staying HIPAA Compliant and Protecting the Privacy of Healthcare Data
Updated October 6, 2023
For any Internet user, data breaches have become a fact of life. While only the major breaches make the headlines, breaches are happening much more frequently, averaging multiple breaches a day.
As a result, both consumers and regulators have been clamoring for a stronger approach to data security. Regulations like the European Union’s General Data Protection Regulation (GDPR) is designed to provide EU citizens with privacy protections across the board. By classifying a large amount of data as “sensitive” and imposing significant penalties on organizations that fail to meet the required protection standards, the GDPR has taken significant steps toward making the Internet safer for EU citizens.
Unlike the EU, the United States does not have a comprehensive data protection regulation. Instead, there is a patchwork of different regulations that organizations need to comply with in order to operate in certain industries. One of these regulations is the Health Information Portability and Accessibility Act (HIPAA), which is designed to protect the privacy of healthcare data within the United States.
What is HIPAA?
Protected Health Information (PHI) is an extremely valuable type of personally identifiable information (PII) for hackers. When most people think about stolen personal information, they focus on credit card information, home address and phone number, email addresses and passwords, and maybe government-issued identification numbers like Social Security, passports, and drivers’ licenses.
What most people don’t consider is that healthcare records have control of most of that information and more. While personal details like a certain medical condition that you may have might not be useful for performing identity theft, your medical record probably has the answer to many of your password recovery questions (mother’s maiden name, street you grew up on, etc.) and also a lot of information that can be used to design a very personalized spear phishing attack against you.
Would you really question if someone claiming to be from your doctor’s office and referencing a medical procedure that you recently had wanted to update your patient file before sending the claim to insurance? The value of PHI is the main reason that the United States government has taken special steps in protecting it by creating the HIPAA privacy laws. HIPAA explicitly lays out what is considered PHI (some of it may surprise you), who is responsible for protecting it, and the steps that they have to take in order to maintain compliance and in the event that a breach has occurred.
Why Should I Care?
If you use healthcare services within the US, knowing about the protections provided by HIPAA is a good idea from a consumer standpoint. An appalling number of data breaches are within the healthcare industry, and, as we’ve said here, the value of the data breached is significant both from a personal security standpoint (potential for identity theft, spear phishing, etc.) and from a privacy perspective (do you really want your medical record posted online?). Knowing what an organization should be doing to protect your information could be an important consideration when choosing a healthcare provider.
From a professional perspective, it’s useful to know the basics of HIPAA in case it ever applies to your organization. HIPAA defines the terms “Covered Entities” and “Business Associates” when discussing the people that the regulations applies to.
Covered entities are the people that you’d normally think of when discussing HIPAA and healthcare. They’re everyone that works in the healthcare field, including healthcare providers (doctors, nurses, etc.), health plans (insurers, etc.), and health care clearinghouses (data analysis exchange between the other two). Obviously, HIPAA applies to these groups and they’re required and expected to protect the data under their control.
Business associates are the less obvious organizations that HIPAA applies to. This is anyone with a vendor or subcontractor relationship with a covered entity and has access to PHI. If you provide billing services to a healthcare provider or send out mailers on their behalf, you may be considered a business associate and therefore need to comply with HIPAA.
Simple Ways to Avoid Breaches
When dealing with breach reporting of any type (HIPAA included), the simplest way to manage it is not to do anything that would make you need to file a report. This sounds a lot like “don’t get breached”, which isn’t very helpful, however, there are some simple steps that organizations can take to minimize the probability of having to report a breach.
HIPAA’s breach notification guidance includes a safe harbor clause that exempts an organization from reporting requirements if all PHI revealed in a breach is encrypted and the attacker does not have access to the decryption key. Achieving the requirements for safe harbor essentially boils down to protecting data at rest, in transit, and in use.
While data at rest and in transit can easily be protected using full-disk encryption and encrypted communications like VPNs and HTTPS (along with a strong key management system), encryption while in use isn’t as feasible. To solve that problem, a data security appliance capable of managing role-based access control and monitoring for unusual data access or usage is your best bet for minimizing the probability of breaching unencrypted data.
Staying HIPAA Compliant
The Health Information Portability and Accessibility Act is designed to protect the privacy of consumers of healthcare services within the US. The regulation lays out the data security requirements for an organization processing protected healthcare information and includes a safe harbor clause that exempts organizations from reporting breaches of encrypted data. By deploying the necessary data security appliances, an organization can minimize the probability of an accident or malicious intruder causing a reportable breach.