[BreachExchange] HIPAA: It’s not as black and white as you first thought

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 23 19:03:58 EDT 2017


2016 was a record-breaking year for healthcare data breaches affecting 500
individuals or more, with the Office for Civil Rights (OCR) reporting a 22%
increase year-on-year. Compared with five years ago, this increase is more
significant still at 66%. It’s too early to tell whether 2017 will be
better or worse for data breaches, but it remains a fact that HIPAA
compliance issues will always be high on healthcare organizations’ agendas
– regardless of size or stature.

With OCR’s phase 2 audits currently in full swing, there’s no better time
for healthcare professionals to reassess their organization’s HIPAA
policies in accordance with its Privacy and Security Rules. Maintaining a
HIPAA compliant organization is a challenge at the best of times –
particularly with the rapid growth of mobile and BYOD in recent years – but
as the following points demonstrate, there’s more to HIPAA than meets the

1. HIPAA goes beyond the healthcare industry

The definition of a covered entity as defined by HIPAA is somewhat
ambiguous and therefore open to misinterpretation. It’s often assumed the
rules only apply to businesses that directly provide health services – such
as hospitals, physician practices, clearinghouses etc. – when in reality,
many other industries are affected too.

Complications are likely to arise if an organization believes it doesn’t
need to concern itself with HIPAA compliance, as illustrated in the 2015
Verizon Protected Health Information Data Breach Report. It linked around
20 different industries to a protected health information (PHI) data
breach, including manufacturing, retail and education.

2. Business Associates and conduit exception rule

Any organization or individual that creates, receives, maintains or
transmits PHI in the course of delivering a service to a covered entity is
classed as a Business Associate (BA). Covered entities should have a
Business Associate Agreement (BAA) in place with each of their BAs, and if
a BA uses subcontractors for those services, a BAA should be executed with
them, too.

Complications emerge when a BA claims to be a “conduit for information”,
citing the conduit exception rule, to get out of signing a BAA. It’s vital
covered entities understand that the conduit exception rule only applies to
a few kinds of organization, such as the United States Postal Service,
internet service providers (ISPs) and couriers. If any organization that
creates, receives, maintains or stores PHI won’t sign a BAA, questions
should be asked about its commitment to HIPAA compliance.

3. When PHI isn’t PHI

In a process known as de-identification, health information that has
particular identifiers removed in accordance with Section 164.514(a) of the
HIPAA Privacy Rule is no longer classed as PHI and can therefore be made
publicly available. The National Center of Health Statistics is one such
example of a data source that publishes de-identified health information.

Complete de-identification of PHI is a mammoth task to carry out. Any
organization that wishes to make health information publicly available
should appoint an expert to manage the process for it, as getting it
wrong would likely have grave consequences. Even if managed properly, there
is an overarching risk that the data in question could be found to link
back to the individual it relates to.
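To make the two risks in this section concrete, here is an added Go example (not part of the original post, and not code from any HIPAA guidance) that strips direct identifiers from sample records, generalizes dates and zip codes, and then counts how many records still share each combination of zip prefix, birth year and sex. The field names, the sample rows and the restricted zip-prefix list are assumptions made for the illustration; the real Safe Harbor method in §164.514(b) removes a longer list of eighteen identifier types, including an age rule for people over 89, and this code does not implement all of it.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a constructed patient row. The field names are assumptions for
// this illustration, not a schema defined by HIPAA.
type Record struct {
	Name, SSN, MRN, Email string // direct identifiers: dropped entirely
	DateOfBirth           string // YYYY-MM-DD: reduced to the year
	Zip                   string // five digits: reduced to three
	Sex                   string
	Diagnosis             string // the clinical value the release is for
}

// Deidentified holds what survives: generalized quasi-identifiers plus the
// clinical value. There is no field for any direct identifier.
type Deidentified struct {
	BirthYear, Zip3, Sex, Diagnosis string
}

// Deidentify strips direct identifiers and generalizes the rest. restricted
// lists 3-digit zip prefixes whose area is too sparsely populated to keep;
// those are replaced by "000".
func Deidentify(r Record, restricted map[string]bool) Deidentified {
	d := Deidentified{Sex: r.Sex, Diagnosis: r.Diagnosis}
	if len(r.DateOfBirth) >= 4 {
		d.BirthYear = r.DateOfBirth[:4]
	}
	if len(r.Zip) >= 3 {
		d.Zip3 = r.Zip[:3]
		if restricted[d.Zip3] {
			d.Zip3 = "000"
		}
	}
	return d
}

// DeidentifyAll applies Deidentify to every record in a release.
func DeidentifyAll(rs []Record, restricted map[string]bool) []Deidentified {
	out := make([]Deidentified, 0, len(rs))
	for _, r := range rs {
		out = append(out, Deidentify(r, restricted))
	}
	return out
}

// QuasiKey joins the fields an outsider could match against a public source
// such as a voter roll: the classic zip / birth date / sex linkage.
func QuasiKey(d Deidentified) string {
	return strings.Join([]string{d.Zip3, d.BirthYear, d.Sex}, "|")
}

// SmallClasses returns every quasi-identifier combination shared by fewer
// than k records, with its count. Each one singles individuals out: a single
// public record with the same combination is enough to link the row back.
func SmallClasses(rows []Deidentified, k int) map[string]int {
	counts := map[string]int{}
	for _, d := range rows {
		counts[QuasiKey(d)]++
	}
	small := map[string]int{}
	for key, n := range counts {
		if n < k {
			small[key] = n
		}
	}
	return small
}

// SampleRecords and RestrictedZip3 are constructed sample data, not real
// patients and not the census-derived list used in practice.
func SampleRecords() []Record {
	return []Record{
		{"Alice Example", "000-00-0001", "MRN-1", "alice@example.test", "1958-03-14", "02139", "F", "asthma"},
		{"Bea Example", "000-00-0002", "MRN-2", "bea@example.test", "1958-11-02", "02138", "F", "diabetes"},
		{"Carl Example", "000-00-0003", "MRN-3", "carl@example.test", "1960-07-21", "02140", "M", "asthma"},
		{"Dee Example", "000-00-0004", "MRN-4", "dee@example.test", "1945-01-09", "03601", "F", "hypertension"},
	}
}

var RestrictedZip3 = map[string]bool{"036": true}

func main() {
	rows := DeidentifyAll(SampleRecords(), RestrictedZip3)
	for _, d := range rows {
		fmt.Printf("%+v\n", d)
	}
	fmt.Println("classes below k=2:", SmallClasses(rows, 2))
}
```

Run it and the two combinations held by a single record are reported. Those are the rows that any public source listing the same zip prefix, birth year and sex could link back to a person, which is the residual risk the section warns about even after the identifiers themselves are gone. Raising k, or generalizing further (birth decade instead of year), is the usual response before release.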

4. Addressable isn’t the same as optional

To help ensure the confidentiality of patient information and prevent a
data breach, HIPAA outlines physical, administrative and technical
safeguards. The technical safeguards are broken down into six standards
focused on the technology that protects and controls access to PHI. Under
these six standards, there are nine key areas organizations are required to

However, the classification of these standards is split into two
categories: “required” and “addressable”. Any covered entity or BA that
doesn’t pay attention to the addressable standards is opening itself up to
fines for noncompliance and an increased risk of breaches. To be clear,
addressable doesn’t mean optional.

5. HIPAA penalties

Failure to comply with HIPAA can result in both civil and criminal
penalties. Civil penalties are monetary, varying from $100 to $1.5 million,
and enforced by OCR. Criminal penalties can result in imprisonment for 10
years or more, as enforced by the U.S. Department of Justice.

With laws differing from state to state, there’s often confusion around the
criminal charges, fines and prison sentences an individual might be up
against for noncompliance. These discrepancies are heightened by the fact
that some, but not all, state and federal laws allow individuals to sue in
court for privacy violations, which can lead to additional fines or damages.

For covered entities and their BAs, particularly those who operate across
multiple states, understanding the rules of HIPAA is just the tip of the
iceberg. The consequences of noncompliance that lie below this surface can
be crippling.

6. Digital and electronic signatures

An electronic signature is the action of signing electronically during a
digital transaction, while a digital signature is the underlying technology
that helps verify the authenticity of the transaction.

Used correctly, the security benefits of these technologies can help
organizations to maintain compliance with the Security Rule by:

- protecting the integrity of messages throughout their entire lifecycle,
  through digital encryption;
- providing user authentication, helping to ensure sensitive information
  doesn’t end up in the wrong hands; and
- ensuring non-repudiation (assurance that a person who signs something
  cannot later deny that they furnished the signature) by providing digital
  audit trails.

However, OCR offers very little guidance on the topic of digital and
electronic signatures and their use certainly doesn’t ensure HIPAA
compliance. Organizations should assess every situation with caution, and
use digital signatures as an additional security measure where appropriate.
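An added example, not from the original post, of what the three properties listed above look like in code. It uses Go's standard-library Ed25519 signatures over a SHA-256 digest; the audit-entry layout, the signer names and the consent-form text are constructed for the illustration. Note that integrity here comes from the digest covered by the signature, not from encrypting the document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedRecord is the audit-trail entry stored beside a signed document.
// The field set is an assumption made for this illustration.
type SignedRecord struct {
	SignerID  string            // who signed; binding key to person is the PKI/IdP's job
	SignedAt  string            // RFC 3339 UTC timestamp
	DocSHA256 string            // hex digest of the document as signed
	PublicKey ed25519.PublicKey // verifying key recorded with the entry
	Signature []byte
}

// signingInput binds signer, timestamp and document digest into one message,
// so none of them can be changed independently after signing.
func signingInput(signerID, signedAt, docHash string) []byte {
	return []byte(signerID + "\n" + signedAt + "\n" + docHash)
}

// Sign hashes the document and signs the bound message with the signer's key.
func Sign(doc []byte, signerID string, signedAt time.Time, priv ed25519.PrivateKey) SignedRecord {
	sum := sha256.Sum256(doc)
	rec := SignedRecord{
		SignerID:  signerID,
		SignedAt:  signedAt.UTC().Format(time.RFC3339),
		DocSHA256: hex.EncodeToString(sum[:]),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
	rec.Signature = ed25519.Sign(priv, signingInput(rec.SignerID, rec.SignedAt, rec.DocSHA256))
	return rec
}

// Verify recomputes the digest and checks the signature with the recorded key.
// A changed document, a different signer's key, or an edited audit entry all fail.
func Verify(doc []byte, rec SignedRecord) bool {
	sum := sha256.Sum256(doc)
	if hex.EncodeToString(sum[:]) != rec.DocSHA256 {
		return false
	}
	msg := signingInput(rec.SignerID, rec.SignedAt, rec.DocSHA256)
	return ed25519.Verify(rec.PublicKey, msg, rec.Signature)
}

// Demo exercises integrity, authentication and audit-entry tamper detection
// on constructed data and reports each outcome by name (true = behaved correctly).
func Demo() map[string]bool {
	_, alice, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, other, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed document text.
	doc := []byte("Consent form v3: patient 0001 authorizes release of records to Clinic B.")
	rec := Sign(doc, "dr.alice@example.test", time.Now(), alice)

	wrongKey := rec // same signature, but checked against someone else's key
	wrongKey.PublicKey = other.Public().(ed25519.PublicKey)

	edited := rec // audit entry altered after signing
	edited.SignerID = "dr.bob@example.test"

	altered := []byte("Consent form v3: patient 0001 authorizes release of records to Clinic C.")

	return map[string]bool{
		"original verifies":           Verify(doc, rec),
		"altered document rejected":   !Verify(altered, rec),
		"other signer's key rejected": !Verify(doc, wrongKey),
		"edited audit entry rejected": !Verify(doc, edited),
	}
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-30s %v\n", name, ok)
	}
}
```

Verify answers only whether the recorded key signed that document at that time. Non-repudiation additionally needs the binding between the key and the person (an identity provider, a certificate authority or a hardware token) to be trustworthy and logged; that binding sits outside this example and is one of the judgement calls the section says OCR leaves to the organization.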