- Several weeks have passed since the HHS Office for Civil Rights (OCR) announced the launch of phase two of its HIPAA audit program. No surprises, then, that HIPAA compliance is a topic that’s receiving a lot of attention right now.
To add fuel to the compliance fire, it seems barely a day passes without news of another large data breach hitting the headlines, or without a report being published that further highlights the problems we all know exist within the healthcare industry.
Only this month, a new cybersecurity report by Symantec revealed that more than half a billion personal information records were lost or stolen in 2015. And yes, you guessed it, the health industry was culpable for more of these breaches than any other.
While it is rare that findings from reports like this come as a huge shock nowadays, they do serve as a constant reminder that there is no room for complacency when it comes to cybersecurity.
These are nervy times for HIPAA covered entities, and now more than ever, it is essential that those responsible for safeguarding PHI to take time to understand the details of the HIPAA Privacy, Security and Breach Notification rules.
That is, of course, easier said than done. As the following points go some way to highlight, when it comes to HIPAA compliance, things are not always black and white.
HIPAA is not exclusively a healthcare problem
There is a common misconception that HIPAA rules apply only to entities that provide health services; doctors, hospitals, clearinghouses, etc.
However, just because an entity does not explicitly fall into one of the covered entity categories as defined by HIPAA, it doesn’t necessarily make it immune to a PHI data breach, or consequently any less responsible for the safeguarding that information.
For instance, any organization with an employee health plan would be a covered entity under HIPAA, because of the PHI they hold.
To highlight this point, the 2015 Protected Health Information Data Breach Report by Verizon linked around 20 industries, in addition to healthcare, to a PHI data breach. These industries consisted of everything from education to manufacturing.
Required vs. addressable security standards
The HIPAA Security rule contains sets of safeguards that must be in place to ensure appropriate protection of ePHI. These safeguards are categorized as physical, administrative, and technical.
Within these safeguards exist specific sets of standards that are classified as either required (R) or addressable (A). For example, under the technical Access Control standards, ‘Unique User Identification’ is a required standard, while ‘Automatic Logoff’ is an addressable standard.
Make no mistake though, addressable does not mean optional.
By ignoring standards classified as addressable, particularly around encryption (Encryption and Decryption is an addressable standard under the Security rule), covered entities and business associates leave themselves more vulnerable to data breaches. HHS provides more details about required and addressable standards here.
The conduit exception rule
Since coming into force in January 2013, the conduit exception rule has been a constant source of confusion for covered entities.
Problems arise when covered entities sign up to work with third party providers that falsely claim to be HIPAA compliant by way of the conduit exception rule, when in most cases they have no grounds to do so.
The conduit exception rule applies to very few organizations that come in contact with PHI, and is intended to include only organizations that temporarily transport or transmit PHI, including:
- United States Postal Service
- Couriers and their electronic equivalents, and
- Internet service providers (ISPs).
Any other organization or individual working in association with, or providing services to a covered entity that handles PHI - IT contractors, lawyers, data transmission companies etc. - qualifies as a Business Associate (BA) under HIPAA, and as such are subject to audits by the OCR, and can be held accountable for noncompliance.
Therefore, it is essential that a Business Associate Agreement (BAA) exists between covered entities and their business associates, as way of confirming in writing the business associate’s commitments to cybersecurity in accordance with HIPAA.
Put simply, if a company claims the conduit exception, do not assume they are HIPAA compliant. If they won’t sign a BAA, do not work with them.
When it comes to cybersecurity, there is no room for complacency, and understanding the HIPAA rules plays a significant part in preventing a data breach.
However, as the points above illustrate, this is often easier said than done.
Gene Fry is the compliance officer and vice president of technology at Scrypt. He joined Scrypt in October 2001 and has 25 years of IT experience, working in industries such as healthcare and for companies based in the U.S. and Latin America. He is a Certified HIPAA professional (CHP) through the Management and Strategy Institute.