More and more companies are handling personally identifiable information (PII) that must be protected in accordance with the Health Insurance Portability and Accountability Act (HIPAA). As covered entities (health plans, healthcare clearinghouses, healthcare providers) rely more on technology to meet the needs of remote workers or to provide new services such as telemedicine, the risk of non-compliance with HIPAA privacy rules regarding protected health information increases. With so much sensitive patient data moving across networks, the chances are high that PII (personal data or protected health information) will be mishandled, misplaced, or breached. Here’s what your company needs to know about HIPAA and how technology can help you maintain regulatory compliance.
The Health Insurance Portability and Accountability Act (HIPAA) is a set of US federal laws that continue to evolve. According to HHS.gov, compliance means adhering to several rules:
The Privacy Rule - Requires that individuals’ health information and medical data are properly protected while still allowing that information to flow, as needed, to provide and promote high-quality healthcare and to protect the public’s health and well-being.
The Security Rule - Operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations subject to HIPAA must put in place to secure individuals’ electronic medical data or PII.
The Breach Notification Rule - Requires that affected individuals, the Secretary of Health and Human Services, and, in some circumstances, the media are notified within 60 days of a breach.
The Omnibus Rule - Provides guidelines for how medical businesses should access and communicate PII, and strengthens patient protections by extending controls to all entities that come into contact with personal data or personally identifiable information.
It is far too easy for an application to write to a poorly secured NAS share, or for someone to forget that they copied content containing PII somewhere to make it easier for them to access. In general, people don’t deliberately expose healthcare records, but accidents and data leaks happen. An authorized administrator might grant permissions too widely. A developer could be working with an improperly de-identified data set. A wrong click or a misconfiguration is all it takes for sensitive data to be exposed. And of course, there is the constant and evolving threat of ransomware. The worst part is that exposed PII can remain undetected for a long time. No organization wants sensitive medical data or protected health information exposed. And certainly, no organization wants to discover exposed PII when integrating IT services after a merger or acquisition. Keep in mind that any disclosure of exposed data could result in an audit, and an audit could turn up more exposed data.
HIPAA violations are costly. The Office for Civil Rights (OCR) can issue fines for non-compliance. In fact, the financial penalties for regulatory non-compliance totaled more than $128 million as of September 30, 2020. But the true cost of a HIPAA violation far exceeds any fine the OCR might impose. Organizations also need to consider costs associated with:
Issuing breach notification letters
Offering credit monitoring services
Lawsuits filed by attorneys general
Lawsuits filed by victims of data breaches
Damage to your reputation
The key to HIPAA compliance is vigilance, but manual tagging, auditing, and periodic clean-ups can yield inconsistent classifications, take too much time, and eat up budgets. Thankfully, advances in technology are helping organizations to:
Find personally identifiable information and classify sensitive data automatically
Automate scanning to reduce risk without impacting production workloads
Maintain availability of medical data with instant recovery and ransomware detection