How and Why to Make Your Email Comply With the HIPAA Security Rule?
If you are working in the healthcare industry or are a patient, you'll likely encounter numerous security policies and procedures.
One of the most important pieces of legislation that benefits both healthcare organizations and patients is the HIPAA Security Rule.
What is HIPAA and why is it important that your emails comply with it? Let's find out.
What is HIPAA (Health Insurance Portability and Accountability Act)?
The HIPAA Security Rule was created by the US Department of Health and Human Services as a set of standards that serve to improve the security of ePHI and their confidentiality, integrity and availability both in rest and in transit.
ePHI stands for "Electronic Protected Health Information" and they cover anything that could potentially identify a patient, such as:
- Their name
- Phone number
- Email or IP
- SSID, medical account or another identifying number
- Photo, fingerprint or another physical identity information
HIPAA was first introduced back in 1996 with the idea to address the problem of insurance coverage for individuals between jobs, who would otherwise run the risk of losing insurance coverage when between jobs.
From there, HIPAA has expanded, but the standards have mostly been the same since they were first published in 2003, though they were updated in the HITECH Act of 2009 which was applied in the 2013 Omnibus Final Rule.
Physical, Technical and Administrative Safeguards
The HIPAA Security Rule main task is to implement three types of safeguards:
These three were developed to assist Covered Entities (CE) in identifying and protecting ePHI against reasonably anticipated threats and unauthorized disclosure.
It's very important to understand all three types in order to fully grasp HIPAA at all, so let's do that.
Physical safeguards deal with the physical security of the facility where the ePHI is stored.
These are split into four standards:
- Facility access controls - Who can access the facility?
- Workstation use - Who can use the workstation?
- Workstation security - How secure is the workstation from unauthorized access and other threats?
- Device and media controls - How the device is used and how ePHI is removed and destroyed once the device is no longer needed?
The next set of safeguards are technical.
These are concerned with placing audit controls and introducing measures to limit access to ePHI where that is necessary.
In addition, they deal with protecting ePHI in transit (email, SMS, IM).
As such, technical safeguards include these key elements:
- Access controls - Who is authorized to access ePHI or the systems used to create, store, maintain and transport them?
- Audit controls - These deal with mechanisms for recording ePHI activity and controlling who can access and monitor logs
- Integrity controls - Are necessary to prevent unauthorized change or destruction of ePHI
- Authentication - Verify the identity before allowing access to ePHI
- Transmission security - Prevent unauthorized access or changing ePHI while in transit
Finally, the third set of safeguards HIPAA is concerned with are administrative.
These ensure that ePHI are secure and in compliance with the HIPAA Security Rule.
In essence, administrative safeguards deal with:
- Establishing the security management processes to protect ePHI - Typically from data breaches and other security violations, as well as introducing risk analysis and management process, sanctions and reviewing information systems activity
- Appointing a HIPAA Privacy Officer - This is the person who will be responsible for HIPAA compliance
- Workforce security - These are the policies and procedures that ensure only authorized individuals can access ePHI
- Information access management - These policies and procedures are in place to ensure that only authorized personnel can access the information systems
- Security awareness and training - Train workforce members to better recognize security threats (for instance, an email-based phishing attack)
- Security incident procedures - Ensure a fast response in case of a security violation
- Contingency plan - Deal with security policies and procedures in case of natural disasters like earthquakes, fires and floods or other emergencies
- Evaluation - Routine evaluations of security (technical and non-technical)
Why is HIPAA Important to Protect Your Health Information?
HIPAA is not only important for patients, but healthcare providers as well.
For patients, HIPAA ensures that everyone from healthcare providers themselves to business associates of HIPAA-covered entities enforce the safeguards that will protect their individually identifiable health information.
In addition, HIPAA enables patients to obtain copies and records of their health information.
This is important for two reasons:
- First, patients can check their health records for mistakes and correct them
- Second, HIPAA allows patients to pass on this information to a new health care provider, who then can then make informed decisions about their patients based on their health history
On the other hand, HIPAA is also important for healthcare institutions, because it serves to improve their efficiency by moving from paper to electronic records and ensure that these records are safely shared.
Who is Responsible for Enforcing the HIPAA Security Rule?
As with any other legislation, someone must be responsible for HIPAA Compliance as well.
So who is responsible for enforcing the HIPAA security rule?
The job of the HIPAA PO is to:
- Set up, manage and enforce the Security Rule measures
- Organize and incorporate HIPAA Compliance with the organization's business strategies and requirements
- Deal with ePHI access control, incident response and disaster recovery
- Address and promote security awareness within the company, including education of workforce members
- Execute security audits and risk analyses
- Investigate data breaches and implement actions to prevent or mitigate them
The primary enforcer of HIPPA is the Department of Health and Human Services' Office for Civil Rights (OCR).
Other entities that have some (albeit smaller) powers in enforcing HIPAA Rules are the state attorneys general, the Food and Drug Commission (FDA), the Federal Communication Commission (FCC) and the Center for Medicare and Medicaid Services (CMS).
The OCR is primarily responsible for investigating data breaches that covered entities and business associates report. Normally, this happens when the breach impacts over 500 people, though the OCR can also investigate smaller breaches.
Furthermore, OCR also investigates patient and employee complaints of HIPAA infringements by covered entities and determines whether the CE has violated the HIPAA Privacy, Security and Breach Notification Rules.
What happens when the OCR finds that the CE has violated HIPAA Rules?
If this happens, the OCR can take several actions, depending on the severity of the offense.
For minor HIPAA offenses, perhaps caused by misinterpreting the HIPAA Rules, the OCR might give the covered entity "a pass", so to speak, as long as it's their first infraction.
However, if the CE continues to make the same transgressions or the violation is particularly grievous and the CE failed to "reasonably" address it, then the OCR can impose certain financial penalties for failing HIPAA Compliance.
HIPAA Violation Penalties have four tiers:
- Tier 1: The covered entity was not aware of the violation and would not have been aware of it by putting reasonable efforts - The covered entity must pay $100-$50,000 per violation (maximum $25,000/year)
- Tier 2: There is a reasonable belief that the CE knew/should have known about the violation with proper due diligence - $1,000-$50,000 per violation (maximum $100,000/year)
- Tier 3: The covered entity has willfully neglected the HIPAA Rules, but has corrected this within 30 days of violation discovery - $10,000-$50,000 per violation (maximum $250,000/year)
- Tier 4: The covered entity has willfully neglected the rules and has not corrected the violation within 30 days of discovery - $50,000 for violation (maximum $1.5 million/year)
HIPAA security requirements are vague (this is intentional), but every CE and BA with access to ePHI must make sure that they put the physical, technical and administrative safeguards in place, have protected the ePHI integrity by following the HIPAA Privacy Rule and have followed the HIPAA Breach Notification Rule in case of a PHI breach.
As you can see, depending on the violation, whether the CE knew/should have known about it, or if it has made a reasonable effort to address it, the covered entity must pay anywhere from $100 to $1.5 million.
Naturally, this is not the type of money that you want to throw away just like that, so it's important to perform the following checklist first to determine if your organization is subject to the HIPAA compliance guidelines:
- Which of the required audits and assessments apply to your organization?
- Perform these audits and risk assessments and analyze and document the results
- Document and put plans to address the issues in action and review and update at least once per year
- Appoint a HIPAA Privacy Officer (also called a "Security Officer) and make sure that they perform regular HIPAA training for all workforce members
- Assess whether Business Associates' HIPAA Compliance and review BAAs (Business Associate's Agreement) annually
- Review processes to report breaches as well as how the breaches are reported to the OCR.
The HIPAA security rule, as we said, contains three sets of safeguards: administrative, physical and technical. Each, in turn, contains several implementation specifications that could either be required or addressable.
"Required" ones must be implemented, while covered entities can use an alternative or even not introduce the "alternative" ones.
We won't go into the specifics of the implementation specifications (you can find the full explanation for each at the HIPAA Journal), so we're just going to list them here.
- Facility access controls must be implemented - Addressable
- Policies for the use/positioning of workstations - Required
- Policies and procedures for mobile devices - Required
- Inventory of hardware - Addressable
- Conducting a security risk assessment - Required
- Introducing a risk management policy - Required
- Training employees to be secure - Addressable
- Developing a contingency plan - Required
- Testing a contingency plan - Addressable
- Restricting 3rd party access- Required
- Reporting security incidents - Addressable
- Implement a means of access control - Required
- Introduce a mechanism to authenticate ePHI - Addressable
- Implement tools for encryption and decryption - Addressable
- Introduce activity logs and audit controls - Required
- Facilitate automatic log-off of computer systems- Addressable
With healthcare information selling for as much as $1,000 on the dark web, it's vital to protect it against thieves and data breaches. Luckily, HIPAA was introduced as a measure to make health organizations more liable to keep their patient records safe from these.
Hopefully, this article has given you a better understanding of the HIPAA Security Rule and its importance.