Can the healthcare industry protect itself from cyberattacks without HIPAA compliance?
With over 2550 cyberattacks in the last decade, criminals have devastated the US healthcare industry. In fact, in 2019, about 764 care providers suffered attacks via ransomware. Criminals broke into healthcare networks, stalled essential services, and stole precious data.
Such statistics raise many important questions –
- Were the affected businesses taking all necessary precautions?
- What mistakes did they make?
- What can they do differently to avoid such attacks in the near future?
We add one more question to this list – Were the affected businesses following the standards set by HIPAA?
The Importance of HIPAA Compliance
As per the OCR Audit report released last week, most healthcare providers audited for HIPAA compliance in 2016-2017 were found lacking in the risk analysis and risk management plan required under the HIPAA security rule.
Unfortunately, a lot of healthcare businesses fail to meet the HIPAA standards, a mistake that brings with it tremendous losses. In fact, the healthcare industry may end up losing $6 trillion by the end of 2020 because of cyberattacks.
HIPAA rules and regulations
The HHS has defined three rules for implementing HIPAA.
- Privacy rule
- Security rule
- Breach notification rule
These three HIPAA rules apply to healthcare plans, clearinghouses and providers. The rules apply to their business associates as well. The rule of thumb is, if you handle health records, then you need to follow HIPAA.
The HIPAA rules cover several critical issues –
- Protecting the privacy of patients’ health information
- Ensuring the security and availability of the records, including digital records
- Patients’ right to access their own records
- Usage, sharing, and disclosure of patient records.
- Notifying patients and authorities of a data breach
You need to follow the standards set by these rules. In particular, you must have policies and procedures in place to meet them. These standards cover protecting the privacy and security of the records, as well as how a provider uses, shares, or discloses patient records.
Moreover, you need to ensure the availability, confidentiality, and integrity of protected health information (PHI). The law applies to your business associates as well.
The HIPAA rules also dictate how you should act in case of a data breach.
Healthcare providers have received severe penalties for failing to follow the HIPAA rules. For instance, in 2020 alone, five such providers have paid more than $1 million in penalties for violating HIPAA. Similarly, twelve more were penalized for failing to share PHI when requested by the patient. The highest penalty in 2020 was $6.85 million. It was slapped on Premera Blue Cross, the largest health plan in the Pacific Northwest.
The Privacy Rule
The privacy rule addresses sensitive issues such as the usage and disclosure of an individual’s PHI by the covered entities.
It also covers patients’ rights over their health records, such as the right to understand and control how their records are used and shared.
Moreover, it defines general principles for the usage and disclosure of PHI, including both permitted and authorized uses. The rule also sets the minimum necessary standard, which limits the usage and disclosure of patient records to what is needed.
The Security Rule
The security rule sets the standards for protecting PHI that is stored, transmitted, or used in digital form. It also promotes the use of technology, but the provider needs to ensure the security of the records; that is, protect the availability, confidentiality, and integrity of patient records.
Under the security rule, covered entities need to –
- Conduct risk analysis of their systems
- Put in place a plan to manage the identified risks
- Put in place policies and procedures to ensure that the PHI is used, stored, and shared securely.
- Develop systems that safeguard the PHI
- Train employees
In 2014, Premera Blue Cross (PBC) systems were hacked by cybercriminals. The attackers stole the PHI of more than 10.4 million people. The HHS investigators pinned the blame on the plan’s systemic non-compliance with the security rule.
In practice, this means you need to put in place administrative, technical and physical safeguards to protect electronic PHI (ePHI).
The Breach notification rule
To comply with the breach notification rule, covered entities need to notify patients and the HHS of a data breach. The rule applies to cases where the breach compromises the security and privacy of the health records.
This includes breaches resulting from cyberattacks, data theft and unapproved disclosures. Even if it’s a case of improper use of the PHI by an authorized user, covered entities need to send out notifications.
In case of a breach, you need to notify all affected patients, inform media outlets, and inform the HHS about the breach. Business associates also need to notify the covered entity they work for.
The HIPAA rules serve a two-fold purpose. Firstly, they promote the use of technology tools in healthcare. Secondly, they protect patients’ rights over the use and disclosure of their health records. Moreover, the three rules enforce patients’ right to access their health records as well.
Non-compliance with HIPAA can have grave consequences: beyond HHS enforcement actions, it can result in legal liabilities as well. For instance, Aetna Life Insurance has paid more than $20 million in litigation apart from the million-dollar penalty paid to the HHS.
The HHS has repeatedly faulted businesses for not conducting proper risk analysis. With this in mind, risk analysis and putting in place a risk management plan should be your top priority. Similarly, training employees shouldn’t take a backseat, either.