Federal Agency to Update Guidelines for Healthcare Cybersecurity
Nine years ago, sweeping changes were made to HIPAA, the Health Insurance Portability and Accountability Act of 1996. These changes, implemented by the Department of Health & Human Services Office for Civil Rights in the 2013 Omnibus Rule, enhanced privacy and security regulations and beefed up the security around Protected Health Information (PHI).
For consumers, the 2013 Omnibus Rule ushered in a new era of data protection and personal privacy. For businesses in the health care industry, the changes to HIPAA opened up a Pandora’s box of new requirements, acronyms, and compliance confusion.
Consider this: the Omnibus Rule overhauled the Breach Notification Rule, which was included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). For small- to medium-sized businesses in North America, that can be incredibly confusing. But it’s not prudent to avoid the issue: failing to comply with the Breach Notification Rule when protected health care data is compromised can trigger civil and criminal penalties—including steep fines for each record lost.
Nearly 10 years after those changes to HIPAA, many companies still don’t understand the importance of compliance. But in an effort to help healthcare organizations better protect electronic patient PHI, the federal National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry.
The NIST’s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, is designed to help healthcare companies enhance the confidentiality, integrity, and availability of PHI. After a decade of healthcare industry innovation, PHI now covers far more than medical histories: prescription orders, lab results, vaccination records, and even the electronic messages sent between providers and patients.
Due to a recent increase in cyberattacks and ransomware infections, the US Department of Health and Human Services, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) have all issued frequent updates to cybersecurity recommendations for healthcare companies. Now, the NIST’s draft publication will provide HIPAA Security Rule compliance guidance that aligns with existing cybersecurity regulations and risk management protocols.
At CMIT Solutions, we’ve spent the last 10 years helping health care organizations across North America comply with HIPAA changes, decipher complex rule changes, and assess the state of regulatory risk. In line with the NIST’s new draft publication, we’ve collected the following 10 data protection and compliance tips:
1. HIPAA compliance is not optional. If you manage Protected Health Information (PHI) or work with any Covered Entity (CE) as a Business Associate (BA), you must comply with federal regulations or face substantial civil and criminal penalties—no ifs, ands, or buts. If a business accepts Meaningful Use funding, which defines minimum government standards for electronic health records (EHR) and outlines how clinical patient data should be exchanged between health care providers, insurers, and patients, enhanced compliance documentation is also required.
2. Compliance rules cover more than just the healthcare practices that see patients. What are CEs and BAs, anyway? Covered Entities are defined as physician practices, clinics, and hospitals, while Business Associates can be classified as IT vendors or other subcontractors. Both types of businesses must maintain up-to-date HIPAA policies, procedures, forms, and Notices of Privacy Practices. And Covered Entities (CEs) are responsible for ensuring their BAs are compliant—a fine-print detail that many practices don’t follow up on.
3. Data protection and protocols are equally important. Way back in 2013, a small dermatology practice in Massachusetts learned this lesson the hard way. Not only were they slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a thumb drive that an IT vendor lost, but the practice was also fined an additional $150,000 “for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).” So that was one fine for the actual breach—and one for not having protocols in place to address it once it happened.
4. Data breaches and the fines accompanying them continue to increase. Since 2013, the Department of Health & Human Services Office for Civil Rights has received nearly 295,000 HIPAA complaints, investigating and resolving 25,525 cases and imposing overall penalties of more than $131 million for the loss, theft, exposure, or impermissible disclosure of 314,063,186 health care records.
5. Updated Breach Notification rules have widened the scope of what’s defined as a HIPAA violation. In the past, this only applied to major breaches of thousands or even millions of records. But only 4,500 of the aforementioned 25,525 healthcare data breaches have leaked the information of more than 500 individuals—the rest were smaller breaches, sometimes only involving a handful of records. The 2013 Omnibus Rule greatly expanded the definition of a breach and the consequences of failing to address it properly. Not providing proper notification of even a single record loss in a defined time window, for instance, can automatically trigger a long, drawn-out federal investigation.
6. Compliance requires ongoing attention. HIPAA compliance isn’t just a one-and-done situation. Back in 2013, all changes required by the new regulations had to be implemented immediately. But many companies didn’t know they were also required to update them regularly. This isn’t always easy for busy practices or growing contractors, who often assume that one signed agreement is enough for years to come. Instead, regular review and renewal of compliance are required to stay in line with HIPAA regulations—hence the NIST’s new draft guidelines for adherence to the Security Rule.
7. The HHS Office for Civil Rights continues to expand its Division of Health Information Privacy enforcement team. This arm of the federal bureau started small, but over the last five years, it has grown significantly. More and more cybersecurity professionals now focus on healthcare data, and HHS has recruited hundreds with experience in privacy and security compliance, enforcement, data policy, outreach, and systems management. If your business doesn’t have a knowledgeable cybersecurity partner by its side, you could be outgunned in the event an audit or investigation occurs.
8. It’s not just the feds you have to worry about. When federal agencies expanded the reach of new HIPAA rules in 2013, they also enlisted the help of state Attorneys General. The HITECH Act empowers state AGs to file actions and obtain damages on behalf of state residents, but initially, states were reluctant to exercise their enforcement powers. Between 2010 and 2015, only 11 enforcement actions were brought in three states. That increased significantly in 2017, when five states, including New York, each filed suit against HIPAA violators. In 2018, that total rose to nine states, followed in 2019 by a 30-state class-action suit. And in 2021, 41 state Attorneys General sued the American Medical Collections Agency (AMCA) after AMCA announced it was the victim of a massive data breach.
9. HIPAA compliance requires staff privacy and security training. Many large organizations and state institutions now mandate this ongoing education for all employees. But smaller practices often overlook the fact that clinicians and medical staff who access PHI must be trained annually on proper HIPAA procedures. Additionally, documentation of the training provided must be retained for six years—and must be produced upon request.
10. Yes, there’s actually a HIPAA “Wall of Shame.” HHS maintains a regularly updated website called “Enforcement Highlights,” where they list every health care organization served with an enforcement action each month. The site also calls attention to particularly egregious violators, reporting major breaches and providing details that often drive mainstream news coverage. All of this info is widely available to the general public, making the consequences of a data breach reputational in addition to financial.
CMIT Solutions can help with all of this HIPAA confusion. We understand that healthcare businesses have to comply with strict rules and stringent regulations—and we know that failure to meet them can have a serious impact on your company’s bottom line. Given our depth of experience, we also understand that HIPAA compliance means different things for different companies—and we know how to leverage technology solutions and compliance expertise to meet those challenges.
If you need help with HIPAA compliance, data protection, or regulatory enforcement, CMIT Solutions is here to help. Contact us today.