In part two of our series on how to CYA* from penalties, we’re focusing on HIPAA and HITECH compliance and penalties. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is probably the law most people think of when they think of privacy regulation. More recently, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) has been implemented, and it often builds on what HIPAA began as America’s health records get digitized.
If you’re reading this blog to learn how to make your business completely HIPAA and HITECH compliant, this is not the place. We are not the experts on these laws; please contact your legal counsel instead. But we do know how to help with one little piece! Get your HIPAA Privacy Official in on this – we want to make their job easier too [45 CFR § 164.530].
Section 164.312 covers the technical safeguards that HIPAA-compliant organizations should meet – access control, unique user identification, emergency access procedures, automatic logoff, encryption and decryption, audit controls, integrity protection, including a mechanism to authenticate that PHI (protected health information) hasn’t been tampered with or improperly destroyed, person/entity authentication, and transmission (“in motion”) security.
A few of these are policy-based – audits and emergency access procedures – while others, such as automatic logoff and individual logins, are now built into so many systems that they are easy to turn on. With a competent IT person, legal counsel, and the HIPAA Privacy Official, the rest aren’t hard to do either.
The Health & Human Services website summarizes that “covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.” [HHS] In other words, notification is only required if the data is unsecured. For physical data there are many proper ways to destroy it, but for digital data that means encryption.
Our little slice of the pie is to help with meeting the National Institute of Standards and Technology’s (NIST) requirements for encryption of PHI, both when stored (“at rest”) and when being sent over the internet (“in motion”). Active Cypher Cloud Fortress uses Active Directory’s Security Groups to set which files get encrypted. It’s each individual file, everything in every folder, not just the big server in the closet.
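To make the “rendered unusable, unreadable” safe-harbor idea and the Section 164.312 integrity requirement concrete, here is an added example (not Active Cypher’s code, and not taken from the post) that seals a single record with AES-256-GCM. Authenticated encryption covers both points at once: the ciphertext is unreadable without the key, and any change to the stored blob or its record label is rejected on decryption instead of silently producing corrupted PHI. The function names, the `record-id` label, and the sample record are all constructed for this illustration; a real deployment would keep the key in a key-management system rather than beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
// Hypothetical helper for this example; key storage is out of scope here.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag. The label (e.g. a record identifier) is
// authenticated but not encrypted, so a blob moved to a different record
// fails to open.
func EncryptRecord(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, never reused with this key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptRecord reverses EncryptRecord. A flipped bit anywhere in the blob,
// or a mismatched label, makes the GCM tag check fail and returns an error.
func DecryptRecord(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// TamperDetected flips one bit of a stored blob and reports whether
// decryption correctly refuses it (the integrity check from 164.312).
func TamperDetected(key, blob, label []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := DecryptRecord(key, tampered, label)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("patient=Jane Doe;dob=1970-01-01;dx=example")
	label := []byte("record-id:0001")

	blob, err := EncryptRecord(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes and unreadable without the key\n", len(blob))

	back, err := DecryptRecord(key, blob, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %q\n", back)
	fmt.Printf("bit flip rejected: %v\n", TamperDetected(key, blob, label))
	_, err = DecryptRecord(key, blob, []byte("record-id:0002"))
	fmt.Printf("label swap rejected: %v\n", err != nil)
}
```

The design point is that plain encryption alone would satisfy “unreadable” but not the integrity safeguard; GCM’s tag turns undetected modification into a hard failure you can log and alert on, which is also the detection hook an audit control wants.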
It used to be simpler: civil violations of HIPAA could cost up to $25,000 at $100 per violation. Since HITECH’s implementation in 2009, penalties are tiered by the kind of non-compliance – unknowing, reasonable cause, willful neglect corrected within the required time period, or willful neglect not corrected within the required time period – each with an annual limit of $1.5 million. In April 2019 these were reviewed again and the annual limits adjusted, as the table below explains:
Criminal penalties are handled separately by the Department of Justice and can include monetary fines and/or prison time. Individuals, whether outside hackers or employees, can be prosecuted if they (1) knowingly obtain or disclose individually identifiable health information (PHI), (2) commit an offense under false pretenses, or (3) commit an offense with the intent to sell, transfer, or use individually identifiable PHI for commercial advantage, personal gain, or malicious harm.
So CYA, easily. Encrypt each file and make it harder for hackers, lax IT policies, or disgruntled employees to leave your business facing HIPAA and HITECH penalties. Active Cypher Cloud Fortress, our quantum-resistant encryption, can render your files unreadable to those trying to do your business and patients harm. With penalties like these, detection is too late.
*If you aren’t sure what C.Y.A. stands for, Wikipedia can help you.