HIPAA-HITECH Act: End Point Data is Your Greatest Security Risk

Posted on November 11, 2015

Recent HIPAA-associated regulations now apply to organizations outside of the healthcare industry.

By David Turcotte, CEO

Since HIPAA was first enacted, the healthcare industry has been under constant pressure to keep personal healthcare information (PHI) secure and to remain compliant with the evolving rules and regulations promulgated under the HIPAA and HITECH Acts.

The rules have expanded to impact organizations outside of what is strictly defined as “healthcare” to include organizations that touch or transmit patient data. To secure this data, new cloud-IT services have emerged that can help organizations exceed their legal or compliance requirements in order to achieve greater security.

Compliance and security are not synonymous. True cloud-IT services help organizations achieve the highest levels of security available, avoiding the potentially massive data and financial losses, reputational damage and drain on staff resources that come with responding to potentially crippling HIPAA-HITECH violations.

HIPAA-HITECH Background

HIPAA was enacted in 1996, but lacked enforcement. HITECH was enacted in 2009 to give teeth to HIPAA’s original framework, which prohibited the unauthorized release of patients’ PHI. HIPAA mandated that regulations regarding the privacy and security of PHI be promulgated by the U.S. Department of Health and Human Services (HHS). HITECH added a requirement that Breach Notification Rules likewise be promulgated. HITECH also provided enforcement resources and enhanced penalties for violations. Another major phase in this evolution was HITECH’s requirement that an “Omnibus Final Rule” be created by HHS to generate additional regulations ensuring compliance with the Privacy, Security and Breach Notification Rules of HIPAA-HITECH. The Omnibus Final Rule had to be complied with by Sept. 23, 2013.

What Information is Protected?

PHI is any information about a patient’s past, present or future medical or physical health, or any related billing or payment information, that can be connected to a specific patient by any method. The HIPAA-HITECH Privacy Rule and Breach Notification Rule apply to PHI in any form whatsoever, while the HIPAA-HITECH Security Rule applies only to electronic PHI (ePHI).

Expansion of Covered Entities Under HIPAA-HITECH Rules

The extension of the HIPAA and HITECH rules to new organizations that may not be aware they have compliance concerns is a real side effect of the enactment of the Omnibus Final Rule. Covered entities have always been the front-line providers of medical services: doctors, dentists, hospitals, health plan administrators, health plan employees, healthcare clinics and others. Over time, however, many covered entities attempted to avoid HIPAA-HITECH compliance by outsourcing as many services as possible.
That approach is simply no longer effective. Under today’s regulatory scheme, covered entities can be held responsible for HIPAA-HITECH violations committed by themselves and by anyone to whom they have outsourced services that deal with PHI, including any business associate, meaning an entity or person that creates, maintains, receives, or transmits PHI.

A business associate’s functions can include “claims processing or administration; data analysis; processing or administration; utilization review; quality assurance; billing; benefits management; practice management; and repricing” and its service can be “legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.”

When Does A HIPAA-HITECH Violation Occur?

A violation occurs when PHI is released in an unauthorized manner by a covered entity, a business associate or the subcontractor of a business associate. One form of authorized release is when the patient has given knowing consent to the PHI’s release. PHI can also be validly released without consent if the release pertains to the patient’s treatment, payment of fees or for the normal operation of the enterprise in question. Any other release of PHI is unauthorized.

Increased Enforcement

The HITECH Act, and the Omnibus Final Rule which followed, have dramatically increased the likelihood that unauthorized PHI releases will be discovered, for a variety of reasons. Firstly, the HITECH Act empowered certain federal and state agencies to pursue investigations. Secondly, HITECH further upset the applecart by changing who bears the onus of identifying PHI breaches. Thirdly, the Omnibus Final Rule increased enforcement actions for HIPAA-HITECH violations by permitting HHS to develop regulations providing for the distribution of monies collected from successful investigations to complainants, offering a means to reward whistleblowers for information provided to HHS’s Office for Civil Rights (OCR). Furthermore, the Omnibus Final Rule has made it easier to enforce HIPAA’s Privacy Rule and Security Rule by changing the burden of proof when a breach occurs. The OCR completed its pilot program of 115 random audits of covered entities, business associates and their subcontractors at the end of 2012.

Increased Penalties and Consequences

Under HIPAA, the maximum civil penalty that could be imposed was $25,000 per violation. HITECH increased that to a maximum of $1.5 million. HITECH also permits HHS to impose fines ranging from a minimum of $100 to a maximum of $50,000 per violation. HITECH further requires the HHS Secretary to publicly publish the identity of every entity that suffers an unauthorized PHI release affecting at least 500 individuals. Meanwhile, the legal profession has discovered that there is money to be made by instituting class action lawsuits against entities that have been identified as having had their medical records breached.
The HHS public listing of breached entities makes them sitting ducks for class action suits. Typically requesting $1,000 per affected individual, these suits could become even more destructive than anything HHS or the state attorneys general can do.

Protect Sensitive Healthcare Data

Now is the time to act to ensure that all ePHI in the possession of your organization is secured and managed correctly. Every time an entity suffers a breach of at least 500 patients’ unprotected records, the entity’s name will be published on a public website, making that entity an easy target for class action lawsuits. A cloud-IT services provider can help you eliminate the storage of data on end points such as your computers, tablets, and smartphones, and mandate operational procedures, without compromising performance or the end user experience.

There is a better way to manage healthcare records that doesn’t hamstring your healthcare business. When information is stored in the cloud, it is protected. For example, when devices go missing or are stolen, there are no security consequences, because the data does not reside on the end point’s local hard drive. When this approach is mandated and data is stored in the cloud, your organization, the safety of any patient data, and your compliance with HIPAA-HITECH and other regional, state and federal regulations are at their best.