Issued by the Department of Health and Human Services in 2000 and amended in 2002, the HIPAA Privacy Rule (formally the “Standards for Privacy of Individually Identifiable Health Information”) regulates who may use and disclose patient health data. Such data, termed Protected Health Information (PHI), may only be used or disclosed as the Rule permits, while still allowing the flow of information needed for treatment and payment.
HIPAA applies to any party that is deemed a “covered entity” (CE). CEs hold PHI that, should it be accessed by a malicious third party, could pose a risk to the patient. Examples of CEs include healthcare providers, healthcare clearing houses, health insurers and the group health plans that employers offer to their employees. Any business associate that handles PHI while providing a service to a CE – such as an accountant or lawyer – must also be HIPAA compliant.
What the Privacy Rule Protects
Health information that identifies a patient, or could reasonably be used to identify one, is “Individually Identifiable Health Information” and is protected by HIPAA. The scope of this information is extensive: PHI may be handled by a variety of employees, from doctors to accountants, and must be protected in every instance. PHI therefore includes not only clinical records but names, addresses, dates of birth, Social Security Numbers, account and banking details and even digital copies of patients’ signatures.
Additionally, any photographs, images or video footage that could be used to identify a patient are protected under the HIPAA Privacy Rule.
Minimum Necessary Rule
As well as determining what must be protected, HIPAA stipulates how and when that information may be used or disclosed. Disclosures made for treatment, for payment, or for the CE’s own healthcare operations do not require the patient’s express consent. Disclosure of a patient’s health information for any other purpose requires the written authorisation of the patient or their personal representative. There are some exceptions to this rule: if the disclosure is required by law, or is made in the patient’s interest (for example, to avert a serious threat to health or safety), authorisation is not needed.
Whenever PHI is used, requested or disclosed, it must follow the “Minimum Necessary Rule”: no more PHI should be communicated than is necessary for the purpose at hand. CEs are expected to define in advance which disclosures are routine and which classes of PHI each role in the workforce needs; any non-routine disclosure request must be reviewed individually against that standard. The standard does not apply to disclosures to a provider for treatment, to a patient about their own information, or to disclosures made under the patient’s written authorisation.
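The role-based allow-list and the routine/non-routine split described above can be enforced in code. The following is an added illustration, not from the original article or any vendor product: the roles, field names, purposes and the sample patient record are invented, and a real CE would define its own allow-lists as policy.

```python
"""Minimum-necessary filtering of a patient record by requester role.

Added example, not part of the original article. Role names, field
names and the sample record below are assumptions for illustration.
"""

# Assumed per-role allow-lists. HIPAA requires the CE to define these for
# routine uses; the specific contents here are hypothetical policy.
ROLE_FIELDS = {
    "treating_clinician": {"name", "dob", "diagnosis", "medications", "allergies"},
    "billing": {"name", "dob", "insurance_id", "procedure_codes"},
    "scheduling": {"name", "phone"},
}

# Purposes exempt from the minimum-necessary standard (45 CFR 164.502(b)(2)):
# disclosure to a provider for treatment, to the individual, or under a
# written authorisation. For these, only what was explicitly asked for is
# returned, but the role allow-list is not applied.
EXEMPT_PURPOSES = {"treatment", "to_individual", "authorisation"}

# Constructed, fictional record used as sample input.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1980-01-02",
    "phone": "555-0100",
    "ssn": "000-00-0000",
    "diagnosis": "type 2 diabetes",
    "medications": ["metformin"],
    "allergies": ["penicillin"],
    "insurance_id": "X123",
    "procedure_codes": ["99213"],
}


class NonRoutineRequest(Exception):
    """Request for fields outside the role's routine allow-list; needs individual review."""


def disclose(record, role, purpose, requested_fields=None):
    """Return the subset of `record` that `role` may receive for `purpose`.

    - Exempt purposes return the requested fields (or the whole record if
      none were named) without applying the role allow-list.
    - Otherwise the request is checked against the role's allow-list; any
      field outside it turns the request into a non-routine one, which is
      refused here so a human can review it individually.
    """
    if purpose in EXEMPT_PURPOSES:
        wanted = set(requested_fields) if requested_fields else set(record)
        return {f: record[f] for f in wanted if f in record}

    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")

    wanted = set(requested_fields) if requested_fields else allowed
    extra = wanted - allowed
    if extra:
        raise NonRoutineRequest(
            f"role {role!r} asked for non-routine fields {sorted(extra)}; review individually"
        )
    return {f: record[f] for f in wanted if f in record}


if __name__ == "__main__":
    print(disclose(SAMPLE_RECORD, "scheduling", "operations"))
    try:
        disclose(SAMPLE_RECORD, "scheduling", "operations", {"name", "diagnosis"})
    except NonRoutineRequest as e:
        print("refused:", e)
```

The point of routing non-routine requests through an exception rather than silently trimming them is that the Rule expects such requests to be reviewed, and a silent trim hides the fact that someone asked for more than their role needs.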
Threats to HIPAA Compliance
With the rise of “Bring Your Own Device” policies, it is not surprising that internal threats now pose the greatest risk to the integrity of PHI. Around 80% of healthcare employees now use their own devices at work. According to the Health Information Trust Alliance, around 40% of HIPAA violations in the preceding year were due to the theft of mobile storage media or personal devices.
That does not mean that external threats from hackers and cybercriminals should be taken any less seriously. A common ploy is to lure health employees, or even patients, into downloading software that turns out to be ransomware or spyware. The Department of Health and Human Services estimates that over half of PHI breaches are due to cybercriminals.
Resolving Internal Threats
Many CEs, along with their business associates, choose to use a secure messaging service. These can be installed on any personal device, irrespective of operating system, and allow access to messages, patient data and billing information. Messages are encrypted, so that if they are intercepted they are unreadable without the key. Encryption alone, however, does nothing against a stolen device that is already unlocked, which is why the controls below matter as much as the cipher.
This type of software often has mechanisms to prevent PHI from being copied or forwarded outside the CE’s private network. Those administering the software can assign a lifespan to each message so that it is deleted after a set period, and can remotely wipe any data from a device that is lost or stolen.
“Web filters” may be installed to help protect CEs against external threats. When a user makes a request to visit a website, the web filter analyses the request and decides whether or not to permit access. Administrators can also set up a “blacklist” of websites for which any request is automatically marked as unsafe. This reduces the chance of a user downloading malware, although a blacklist only catches sites already known to be malicious and should not be the sole control.