When Congress passed the Health Insurance Portability and Accountability Act of 1996 – known as HIPAA, but officially titled “Standards for Privacy of Individually Identifiable Health Information” – it intended the Act to cover overall healthcare reform. Twenty years later, technology has evolved more rapidly than the legislation covering it. Keeping up with compliance mandates, particularly as they relate to mobile security, is a challenge for many covered entities. Let’s look at the issues and discuss what you need to know about them.
Title II: All About the Technology
Title II: HIPAA Administrative Simplification required the U.S. Department of Health and Human Services (HHS) to adopt national standards for electronic healthcare transactions, code sets, unique patient and provider identifiers, and security. Congress recognized that these measures would improve the efficiency of the nation’s healthcare system, allowing for ease of electronic data exchange and rapid technological development. They were also aware that the public was concerned about the privacy of personally identifiable information (PII), protected health information (PHI), and medical profiling. In an attempt to assuage public fears, Congress included provisions mandating the adoption of Federal privacy protections for individually identifiable health information.
HIPAA directed Congress to pass an additional law protecting patient privacy by August 1999. If not adopted by the deadline, the HHS was then required to write a privacy rule.
Congress proposed but did not pass a law by the deadline. HHS proposed a privacy rule, and from 1999 to 2013 as technology advanced, it created a privacy rule (2003), security rule (2005), and enforcement rule (2006). Modifications, updates, new rules, and additions are continuously being adopted and enforced, with hearings every two years.
In 2009, the president signed the HITECH Act into law; it was intended to increase the meaningful adoption of health technology, such as the electronic health record. Starting in 2015, healthcare entities could be punished for failing to use electronic health records (EHRs), which are designed to provide a more efficient continuum of care by giving all providers access to the same patient information. While successful in improving patient care, EHRs also make confidential information ripe for the picking by hackers.
The Final Omnibus Rule of 2013 established that both covered entities and their business associates would become beholden to the rules outlined in the HIPAA and HITECH acts. The HHS Office for Civil Rights (OCR) will be conducting audits periodically to ensure that everyone remains compliant.
Technology Was Evolving at a Pace Faster Than Legislation
In 1996, when HIPAA was enacted, internet service providers were just starting to provide Internet services to the broader public. Most data was being exchanged by electronic data transfers (EDTs), which were the focus of the standards HIPAA was trying to implement.
More than ten years later, in 2007, Apple introduced the first iPhone. The compliance deadline for the security rule had been in effect for barely a year. When Congress was developing HIPAA to address the shifting healthcare landscape, the realities of our current technology were the stuff of science fiction. Real-time data exchange, smartphones, tablets, custom applications for user access to provider information – these weren’t even on the radar for lawmakers or tech firms. No one envisioned how swiftly people would adopt mobile devices, or how these devices and the apps that run on them would create new vulnerabilities for organizations responsible for protecting health information and financial data.
The Spirit of the Law, Not the Letter
Today, it’s obvious that a decades-old piece of legislation cannot cope with today’s healthcare infrastructure, technology, and accessibility. Our technology infrastructure long ago surpassed what Congress envisioned in the late 1990s.
The privacy, security, and breach notification rules were designed to ensure that a lack of foresight would not result in exposure or theft of PII or PHI. They also meant to prevent critical data breaches from hurting patients. Penalties for noncompliance are significant, and HIPAA sets the standard for compliance high.
Compliance: The Holy Grail
HIPAA compliance hinges on four essential elements:
- Maintain privacy: Patient information must remain confidential and may be disclosed only to previously approved parties.
- Enhance security: Electronic medical records, and the technologies that underpin them, must adhere to a national standard of security.
- Notify the HHS of any breaches: In the event of a security breach, parties must inform the federal authorities (in this case, the OCR) within an appropriate time (usually 60 days).
- Defend protected health information: PHI must be protected at all times.
In today’s mobile-enabled world, compliance is tricky. The use of self-owned laptops, tablets, and mobile devices in and outside of the workplace is pervasive. But using these tools freely and without bounds can present problems. Some organizations don’t understand the nuances of compliance, and/or don’t have the robust security systems that support a true Bring Your Own Device (BYOD) model, which is absolutely necessary to protect patient health information in today’s age.
Security Is Essential, Not Optional
According to the 2015 KPMG Healthcare Cybersecurity Survey, “Eighty-one percent of healthcare executives say that their organizations have been compromised by at least one malware, botnet, or other cyber-attack during the past two years, and only half feel that they are adequately prepared in preventing attacks.” Healthcare is a growing target for external attacks, not just accidental data leaks. And traditional methods of providing perimeter-based security are no longer enough, especially as you consider the increasing expanse that perimeter must account for, with each new device accessing the network.
Also, in 2014 the OCR reported for the first time that “technical safeguards” appeared among the Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year. Healthcare entities are woefully underprepared when it comes to protecting patient information, yet they cannot afford the stiff penalties associated with noncompliance.
The Mounting Costs of Noncompliance
Enterprise mobility not only causes concern for IT security, it also translates to a company’s ability to maintain compliance – which in some cases can cause far greater issues for the livelihood of a business. The HITECH Act of 2009 sets forth a civil penalty structure, depending on the nature and extent of the violation. The effects of a noncompliance penalty can be devastating: Look at the table below to see what your company can expect to pay for a HIPAA violation:
| Extent of Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Party did not know that they violated HIPAA and by exercising diligence still would not know | $100 per violation, with a maximum not to exceed $25,000 for repeat violations annually | $50,000 per violation, $1.5 million maximum annually |
| Party violates HIPAA for reasonable causes, not due to willful neglect | $1,000 per violation, annual maximum $100,000 for repeat violations | $50,000 per violation, $1.5 million maximum annually |
| Party violates HIPAA with willful neglect, but corrects it within appropriate time | $10,000 per violation, annual maximum $250,000 for repeat violations | $50,000 per violation, $1.5 million maximum annually |
| Party violates HIPAA due to willful neglect; does not correct | $50,000 per violation, annual maximum $1.5 million for repeat violations | $50,000 per violation, $1.5 million maximum annually |
A company caught in these crosshairs may even be liable for criminal charges stacked on top of civil penalties. The U.S. Department of Justice declared in 2005 that “covered entities” that knowingly dispense or obtain identifiable health information could face up to $50,000 fines and prison time of up to one year. Offenses that are committed under false pretenses may be fined up to $100,000, coupled with up to five years’ incarceration. Finally, those who commit offenses with the intent to sell PHI for commercial advantage may face fines up to $250,000 and a prison term of up to 10 years.
What Is a “Covered Entity”?
In the eyes of the OCR, a covered entity is anyone who handles PHI, which may include health plans, providers, prescription sponsors, and their employees. Their business associates – including third-party vendors – are also required to adhere to the standards outlined in the law. Even when a party is not directly liable under HIPAA, he or she may still face charges of aiding and abetting or conspiracy.
Healthcare entities, operating on strict budgets, just cannot afford to pay penalties associated with breaches. With the increasing popularity of the EHRs and medical devices becoming “smart” by connecting directly to mobile devices, achieving maximum security should be a top priority.
Set Your Security Bar Higher Than the Regulators’
Regulatory bodies continually lag behind both the current healthcare technology infrastructure and the sophistication of today’s cybercriminals, who profit from the theft of PII and PHI.
To protect themselves and the clients with whom they work, Covered Entities and Business Associates must evaluate the impact of enterprise mobility on their efforts to uphold a strong security posture. They should develop BYOD policies guiding the proper use of technology for business-related functions and explore going as far as to establish fail-safes, in the form of software or by other means.
With tight IT budgets, this can be a challenge. IT professionals must understand the consequences of noncompliance and fight for the resources they need to monitor enterprise mobile usage proactively, rather than face the prospect of remedying a situation after the fact. A little more upfront capital will be worth avoiding costly penalties later.
Take the Time, Do it Right
A robust approach to your security will only benefit your company in the long haul. While server-side security is usually a priority for most IT departments, mobile devices, and the apps that run on them, extend the number and range of vulnerable access points—and hackers know it.
According to a recent IBM/Ponemon Institute study, entities allocate only 5.5%, or $2 million, to mobile app security. Less than 50% of organizations scan their apps for security vulnerabilities.
Even scarier, only 40% of organizations follow guidance from the Open Web Application Security Project (OWASP) with regard to the top 10 mobile app security risks. Healthcare applications are particularly at risk; according to the 2016 State of Application Security Report, 84% of Federal Drug Administration-approved apps showed vulnerability in at least two of OWASP’s top mobile security risks. Given these figures, it’s no surprise that ePHI has become a popular hacker target.
Protecting Your Customer PHI from Breaches and Hackers
PHI represents a lucrative market; according to a report by NPR, a complete EHR can sell for $500 underground. Protecting your client information, and keeping hackers from an easy paycheck, requires a multilayered approach—including enterprise mobility security strategies and policies.
OnRamp helps covered entities remain compliant by using a range of custom solutions and services. When regulatory bodies, such as the OCR, set forth strict HIPAA guidelines, OnRamp maximizes security with an idiosyncratic approach. OnRamp’s compliant hosting solutions require streamlined processes, state-of-the-art technology, and experts in HIPAA-compliant IT design and execution. We go beyond regulatory minimums to deliver maximum security to you.
Massive data breaches are on the rise, affecting millions of users each year. Now is the time to get ahead of the curve and implement robust security measures to support your organization. Consider using a HIPAA-compliant hosting provider who offers private cloud services run on dedicated servers. Also, add managed security services like AlertLogic, which help businesses identify threats and stop them in their tracks.
HIPAA and HITECH have not yet addressed mobile security directly, but it’s only a matter of time before these laws are amended to include such provisions. In the meantime, they will continue to address breaches swiftly and penalize those who have not diligently taken steps to ensure user privacy. Are you certain your enterprise mobility security strategy and policies provide a compliant level of safety for your company? Contact OnRamp to get the help you need with HIPAA-compliant services.
Photo Credit: techtwtwyahoo via Compfight cc