Summary: This article outlines the consequences of non-compliance with the HIPAA Security Rule, a critical law that protects the security of individuals' health information. It explains why healthcare providers must comply with HIPAA and the fines incurred for non-compliance. Read on to learn what HIPAA is, what protected health information (PHI) must be safeguarded, what the Rule covers, and to whom it applies.
"While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules."
That's what Jocelyn Samuels, Director of the Office for Civil Rights (OCR), U.S. Department of Health and Human Services (HHS), said in February 2016.
There is ample evidence that the OCR is serious about enforcing HIPAA. In 2015, Phoenix Cardiac Surgery paid a fine of US$100,000 for non-compliance with HIPAA.
HIPAA Non-Compliance: A Snapshot
As of February 29, 2020, the OCR had levied more than US$116 million in civil penalties for HIPAA violations, according to the HIPAA enforcement highlights page of the HHS.
The number of HIPAA non-compliance cases the OCR had investigated and resolved by that date was 27,829.
Civil monetary fines do not constitute the only penalty for failing to comply with HIPAA. A criminal penalty through sentencing by the U.S. Department of Justice is also possible.
In October 2016, a federal judge sentenced a former respiratory therapist to two years on probation, a fine of US$500, and one day in prison. The offender had illegally accessed patient data in the hospital where she was then employed.
That is an example of criminal prosecution and conviction for a HIPAA violation.
What This Snapshot Tells Us
The snapshot above carries an important message. The compliance deadline for the HIPAA Security Rule was April 20, 2005; only small health plans had an extension, to April 20, 2006.
Yet the U.S. healthcare industry does not seem to have fully grasped the significance of HIPAA and the importance of complying with it. The number of cases the OCR has investigated and settled tells us that.
So do the two penalty cases mentioned above. A full understanding of HIPAA and of the adverse consequences of non-compliance seems to be eluding U.S. healthcare organizations and professionals.
This article presents, in clear and easy-to-understand language, everything you need to know about the HIPAA Security Rule. The simplicity does not come at the cost of thoroughness or completeness.
However, there is another part to HIPAA: the HIPAA Privacy Rule. We have discussed that in a different article.
HIPAA In Brief
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a 1996 law that was last amended in 2003. The main aim of HIPAA is to increase individuals' access to and control over their personal health information.
The natural corollary is to restrict how the health industry may use individual health information. The concept of protected health information (PHI) is central to HIPAA: any health information that can identify an individual is protected.
The Scope Of PHI
Any individually identifiable health-related information falls within the scope of PHI. Below is a ready checklist:
- All demographic details
- Other common identifiers, such as address, date of birth, and social security number
- A person's physical and mental health history, covering past, present, and future
- The healthcare provision applicable to an individual
- The payment for all of an individual's healthcare provisions, past, present, and future
However, some health information can be de-identified by removing the individual identifiers from it. De-identified information falls outside the scope of PHI.
The HIPAA Security Rule applies to PHI in electronic format (e-PHI).
HIPAA Security Rule
The Security Standards for the Protection of Electronic Protected Health Information is the formal name of the document containing the national standards issued by the Secretary, HHS. It is popularly known as the HIPAA Security Rule.
The aim of these standards is to ensure the security of individual health data as the healthcare industry becomes increasingly technology-dependent. The HIPAA Security Rule sets out the measures necessary to implement the HIPAA Privacy Rule.
HIPAA grants individuals the right to retain their privacy and control over health-related data. The HIPAA Privacy Rule articulates those rights. The Security Rule informs the healthcare industry in the U.S. what to do to comply with the Privacy Rule.
Integrating information technology (IT) and artificial intelligence (AI) into healthcare service delivery is necessary to make it more efficient and effective. Yet such integration also creates the risk of data breaches.
Breached health data compromises the individual's right to privacy of individually identifiable health information. The HIPAA Security Rule aims to prevent such a situation.
It simultaneously promotes the adoption of new technologies by the healthcare industry for delivering quality healthcare to patients. In recognition of the diversity of healthcare providers and professionals, the Security Rule has both flexibility and scalability.
Healthcare organizations and individual practitioners can adapt the Security Rule according to the size of their practice and the services they offer.
Who Does The Security Rule Apply To?
Organizations and individuals in the healthcare industry covered by the HIPAA Security Rule are called "covered entities." Business associates of covered entities under the HIPAA Privacy Rule are covered entities under the Security Rule.
Below is a list of covered entities under the HIPAA Privacy Rule:
- Health plans, which include health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government-supported healthcare payment plans.
- Healthcare clearinghouses, which transform nonstandard health information into the required standard formats, or vice versa.
- Healthcare providers, such as:
  - Nursing homes
- Business associates of any of the above.
Who Are Business Associates?
A business associate in this context is an agency or individual that performs certain functions on behalf of a covered entity. Such functions involve access to e-PHI.
Below is a list of typical business associates that are covered entities under the HIPAA Security Rule:
- Any third-party administrator that assists a health plan in processing claims.
- Any individual consultant or a consulting organization that conducts utilization reviews for a hospital.
- Healthcare clearinghouses, which process healthcare providers' nonstandardized claims data into standardized formats and forward them for reimbursement.
- Independent medical transcriptionists who provide transcription services to any covered entity.
The HITECH Act of 2009 broadened the responsibilities of business associates under the HIPAA Security Rule. The Secretary, HHS, has issued regulations incorporating these changes.
Your Action Points As A Business Associate Of A Covered Entity
Are you a business associate of a healthcare delivery organization or an individual healthcare provider? There are measures that you must implement in order to be HIPAA compliant.
At a minimum, you must have administrative, physical, and technical safeguards in place to protect e-PHI. The typical action points are to:
- Ensure the availability, confidentiality, and integrity of all e-PHI that you handle. That includes all e-PHI that you create, receive, maintain, and transmit.
- Implement measures to protect the integrity and security of e-PHI from threats that you can reasonably anticipate.
- Prevent the use and disclosure of e-PHI not permitted by HIPAA.
- Ensure that your workforce is compliant.
As per the HIPAA Security Rule, "availability" means that e-PHI must remain accessible for use by an authorized person. "Confidentiality" in this context implies that e-PHI is not accessible to any unauthorized person. "Integrity" implies that e-PHI must not be changed or destroyed in an unauthorized manner.
The Security Rule does not prescribe the specific measures needed to achieve the above. That is because the appropriate measures depend on the size of the covered entity as well as on the hardware and software it uses.
Every covered entity must decide which measures are necessary for it. Such adaptation requires a risk analysis to identify and manage potential security threats to e-PHI.
What Is Risk Analysis?
A risk analysis process helps a covered entity to determine what specific measures it must implement for HIPAA Security Rule compliance. Such a process includes the following:
- Assess the probability of security threats to e-PHI and evaluate the impact of a security breach.
- Put in place measures appropriate to guard against the potential security risks identified through the above process.
- Document what security measures have been implemented and why.
- Maintain appropriate and reasonable security measures on a continuous basis.
- Administrative safeguards require a covered entity to designate a member of its workforce as responsible for maintaining and monitoring the safeguards identified through the risk assessment process.
- A covered entity must have policies and procedures in place ensuring that access to e-PHI is restricted to authorized persons only.
- The workforce of a covered entity must be trained in order to be compliant.
- A covered entity must undertake a periodic evaluation of how robust its security measures are.
- A covered entity must limit physical access to e-PHI without compromising authorized access.
- A covered entity must implement policies and procedures necessary to ensure the proper use of and access to workstations and electronic media so that e-PHI does not remain physically accessible to unauthorized persons.
- A covered entity must implement technical policies and procedures that prevent unauthorized access to e-PHI.
- A covered entity must conduct periodic audits of the adequacy of its technical measures.
- A covered entity must implement electronic safeguards to prevent unauthorized alteration or destruction of e-PHI.
- A covered entity must implement technical measures to prevent unauthorized access to e-PHI during electronic transmission.
Penalty For HIPAA Security Rule Non-Compliance
The Office for Civil Rights (OCR), HHS, is responsible for investigating complaints of HIPAA violations and determining their outcome. Security Rule penalties are tied to the compliance requirements of the HIPAA Privacy Rule.
Broadly speaking, the OCR classifies violations into tiers and levies penalties accordingly.
When a covered entity is unaware of a violation and could not have avoided it even by exercising reasonable care for HIPAA compliance, it is considered a tier 1 violation. This attracts a minimum fine of US$100 per violation, with a cap of US$25,000 per calendar year.
A tier 2 violation is one that a covered entity should have been aware of but could not have avoided with reasonable care. The penalty is a minimum of US$1,000 per violation, with a calendar-year cap of US$100,000.
A violation resulting from deliberate neglect of HIPAA rules where corrective measures have since been taken is a tier 3 violation. The penalty is a minimum of US$10,000 per violation, and the total fines in a calendar year cannot exceed US$250,000.
Willful neglect of HIPAA rules with no corrective measures taken is a tier 4 violation. The penalty is a minimum of US$50,000 per violation, with a calendar-year maximum of US$1.5 million.
In limited cases, HIPAA non-compliance can lead to criminal prosecution, which is handled by the U.S. Department of Justice. A prison sentence of up to 10 years is possible.
It Makes Good Business Sense To Take HIPAA Compliance Seriously
As mentioned at the outset, the U.S. healthcare industry seems to be lagging in HIPAA compliance. That is a poor business decision. Implementing the action points detailed in this article will help you become HIPAA compliant.