Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
To fulfil this requirement, HHS published what are commonly known as the:
- HIPAA Privacy Rules
- HIPAA Security Rules
Who needs to be HIPAA Compliant?
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.

- Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
- Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. Because so many kinds of service providers may handle, transmit, or process PHI, the range of business associates is very wide. Common examples of business associates affected by HIPAA rules include billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.
The HIPAA Privacy and HIPAA Security Rules
Introduction to the HIPAA Privacy Rules
- Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
- A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.
Who is Covered by the Privacy Rule
- The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.
What Information is Protected
- The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “protected health information” (PHI).
General Principle for Uses and Disclosures
- Basic Principle. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
- Required Disclosures. A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.
Introduction to the HIPAA Security Rules
- The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Who is Covered by the Security Rule
- The Security Rule applies to health plans, health care clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.
What Information is Protected
- Electronic Protected Health Information: The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
- General Rules: The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
What is required for HIPAA Compliance?
HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.

- Self-Audits — HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant: it’s only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year-over-year.
- Remediation Plans — Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.
- Policies, Procedures, Employee Training — Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards as outlined by the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures.
- Documentation — HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.
- Business Associate Management — Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.
- Incident Management — If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rules.
What are common HIPAA violations?
Some common causes of HIPAA violations and fines are listed here:

- Stolen laptop
- Stolen phone
- Stolen USB device
- Malware incident
- Ransomware attack
- Hacking
- Business associate breach
- EHR breach
- Office break-in
- Sending PHI to the wrong patient/contact
- Discussing PHI outside of the office
- Social media posts
These HIPAA violations commonly fall into several categories:
- Use and disclosure
- Improper security safeguards
- The Minimum Necessary Rule
- Access controls
- Notice of Privacy Practices
HIPAA Compliance On Microsoft Azure

Microsoft offers a HIPAA Business Associate Agreement (BAA) to Microsoft Azure customers that covers its in-scope services. A BAA is a written contract between a covered entity and a business associate that describes how the business associate adheres to HIPAA along with the responsibilities and risks they take on. A BAA is required by law for HIPAA compliance.
While having a BAA in place is necessary for HIPAA compliance, it does not by itself ensure compliance. Cloud HIPAA compliance ultimately depends on how the cloud services are used, so the covered entity remains responsible for ensuring its cloud instances are configured correctly.
There is currently no certification standard approved by the Department of Health and Human Services to demonstrate compliance with HIPAA or the HITECH Act by a business associate. However, Microsoft enables customers to comply with HIPAA and the HITECH Act and adheres to the Security Rule requirements of HIPAA in its capacity as a business associate. Moreover, Microsoft enters into Business Associate Agreements with its covered entity and business associate customers to support their compliance with HIPAA obligations.
Third-Party Certifications
Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification and the HITRUST CSF certification.
Microsoft enterprise cloud services are also covered by FedRAMP assessments. Microsoft Azure and Microsoft Azure Government received a Provisional Authority to Operate from the FedRAMP Joint Authorization Board; Microsoft Dynamics 365 U.S. Government received an Agency Authority to Operate from the US Department of Housing and Urban Development, as did Microsoft Office 365 U.S. Government from the U.S. Department of Health and Human Services.
Microsoft in-scope cloud platforms & services

- Azure and Azure Government
- Azure DevOps Services
- Dynamics 365 and Dynamics 365 U.S. Government
- Intune
- Microsoft Defender for Cloud Apps
- Microsoft Healthcare Bot Service
- Microsoft Managed Desktop
- Microsoft Professional Services: Premier and On-Premises for Azure, Dynamics 365, Intune, and for medium business and enterprise customers of Microsoft 365 for business
- Office 365, Office 365 U.S. Government
- Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Windows 365
Cloud Security Checklist for HIPAA Compliance

Access Control Requirements
- Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
- Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
- Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
- Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
Transmission Security
- Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
- Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
Audit and Integrity
- Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
Measures for an app to be HIPAA Compliant

The first security rule of thumb is to check who can access PHI. Make sure that only authorized users (and third-party HIPAA-compliant software) have access to the app’s data:
- Biometric authentication
- 2-factor authentication
- Automatic log-off when the user is inactive
Data Storage & Minimization
- If data includes ePHI, it must be hosted on a server (on-premise or remote) covered by a signed Business Associate Agreement (BAA). Most of the large cloud providers, such as AWS, Google Cloud Platform, and Microsoft Azure, support HIPAA-regulated workloads.
Encryption
- Encryption remains one of the ways that covered entities and business associates can potentially avoid a data breach notification. Healthcare software and mHealth apps can adhere to the HIPAA Security Rule which requires that ePHI be encrypted with “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption).
Data backup & Disaster Recovery
- The HIPAA Security Rule sets forth the need for robust backup and disaster recovery plans. In order for a healthcare app to meet these requirements, it must have a policy for when and where to back up PHI and other essential data. Data is ideally stored in an offsite or mirrored Cloud facility to maintain uptime. Regularly monitor storage logs.
Right to be Forgotten: Data Disposal
- Although the term “right to be forgotten” is most often associated with the EU GDPR (a different regulation), HIPAA does require adequate disposal of PHI. In the case of ePHI, healthcare software must have a way to completely overwrite (clear) or purge (degauss) data or destroy (physically) the data or data device in all its forms (including back-up).
Access Controls
HIPAA requires not only that you store the least amount of information necessary, but also that you implement Access Management controls that limit access to PHI to those authorized to see or use it. When the mHealth app stores data shared between patient and physician, or between different users in a healthcare setting, these practices should apply.
Healthcare apps should include the following:
- Unique user identification (one login per user)
- Automatic log-off
- Emergency access to data (if ePHI needs to be accessed by a health provider, known as Emergency Mode)
- Encryption
- Strong authentication (see below)
- Access monitoring
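The following Python ePHI store is an added example, not code from the original page, showing how the technical safeguards listed in the Cloud Security Checklist and in the Access Controls list above fit together: unique user identification on every session, automatic logoff after an inactivity limit, least-privilege access to each record, audit controls that record every access attempt with its outcome, and an HMAC tag as the mechanism to authenticate ePHI. The inactivity limit, the key, the user ids and the record contents are assumed or constructed values.

```python
import hashlib
import hmac

INACTIVITY_LIMIT_S = 15 * 60           # assumed policy value, not from the page
INTEGRITY_KEY = b"constructed-demo-key"  # constructed; in production from a KMS/HSM

def ephi_tag(record_id, payload):
    # Mechanism to authenticate ePHI: the tag binds the record id to its content.
    return hmac.new(INTEGRITY_KEY, record_id.encode() + b"\0" + payload, hashlib.sha256).digest()

class Session:
    def __init__(self, user_id, last_activity):
        self.user_id = user_id              # unique user identification: one identity per login
        self.last_activity = last_activity  # epoch seconds of the last accepted request

class EphiStore:
    def __init__(self):
        self._records = {}   # record_id -> (payload, tag)
        self._acl = {}       # record_id -> set of user_ids allowed to access it
        self.audit_log = []  # audit controls: every access attempt and its outcome

    def _audit(self, session, action, record_id, outcome, now):
        self.audit_log.append({"ts": now, "user": session.user_id, "action": action,
                               "record": record_id, "outcome": outcome})

    def _gate(self, session, action, record_id, now):
        # Automatic logoff: a session idle past the limit is rejected, not refreshed.
        if now - session.last_activity > INACTIVITY_LIMIT_S:
            self._audit(session, action, record_id, "session_expired", now)
            raise PermissionError("session expired")
        session.last_activity = now
        # Existing records are readable or writable only by users on their ACL.
        if session.user_id not in self._acl.get(record_id, {session.user_id}):
            self._audit(session, action, record_id, "denied", now)
            raise PermissionError("user not authorized for record")

    def write(self, session, record_id, payload, readers, now):
        self._gate(session, "write", record_id, now)
        self._records[record_id] = (payload, ephi_tag(record_id, payload))
        self._acl[record_id] = set(readers) | {session.user_id}
        self._audit(session, "write", record_id, "ok", now)

    def read(self, session, record_id, now):
        self._gate(session, "read", record_id, now)
        payload, tag = self._records[record_id]
        if not hmac.compare_digest(tag, ephi_tag(record_id, payload)):
            self._audit(session, "read", record_id, "integrity_failure", now)
            raise ValueError("ePHI record altered or corrupted")
        self._audit(session, "read", record_id, "ok", now)
        return payload
```

Every denied, expired or integrity-failing access is written to the audit log before the exception is raised, so the trail records attempts as well as successes.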
Remediation Plan
- In the event of a data breach, there must be a plan in place to identify who was affected and to notify those users of a breach.