This article explains the security and privacy rules under HIPAA.
- HIPAA (the Health Insurance Portability and Accountability Act) is a federal law that must be followed by all covered entities (health plans, health care clearinghouses, healthcare providers) that transmit or handle PHI (protected health information). The same law applies to all business associates of these covered entities: cloud providers, SaaS companies, contractors, lawyers, etc.
- Not following the HIPAA law is punished by monetary penalties and, depending on the severity of the violation, prison time.
- Business associates are required to sign a BAA (business associate agreement/addendum) with the covered entity, in which they confirm that they follow HIPAA compliance and take the necessary measures to secure their environment in order to satisfy the 3 main principles of HIPAA:
Ensuring Confidentiality, Integrity and Availability of Protected Health Information (and electronic Protected Health Information – ePHI)
- HIPAA requires that a person (or persons) within a Covered Entity or Business Associate is assigned the duties of a HIPAA Compliance Officer. This may be an existing employee or a new position can be created to meet the requirement.
- There is no official government-issued compliance certificate (like ISO 27001 or SOC 2 certification) that ensures a company is HIPAA compliant; however, implementing a certification/audit such as ISO 27001 or SOC 2 will satisfy most HIPAA Security Rule compliance requirements.
- HITRUST CSF, which is based on the ISO 27001 compliance framework (with additional privacy-related controls), can be used to ensure that an organization (covered entity or business associate) meets all HIPAA requirements.
- NIST 800-53 and FedRAMP compliance have higher security requirements than HIPAA, and therefore most larger corporations and cloud providers like AWS do not hold specific HIPAA-based certifications.
A business associate agreement needs to be signed between the covered entity and the provider of cloud/SaaS/etc. services in order for the covered entity to be compliant with HIPAA.
- Audit logs and audit trails (application audit logs, authentication logs, user login logs, etc.), as well as policies (including their revisions), documentation and any other supporting materials used to ensure HIPAA compliance need to be maintained for 6 years (at the federal level). Additional requirements extending the 6-year rule may apply depending on the state as well.
- Communication of ePHI needs to take place via secure channels – using secure Direct Message systems, secure text messaging, or email providers that employ additional measures for encryption, retention of messages, and extra anti-malware/phishing protection.
- Most free email providers (like Gmail) are not HIPAA compliant. Additional premium services ensuring encryption, as well as meeting the retention time for messages, need to be obtained in order to make services such as Google Mail or Office 365 HIPAA compliant.
If a covered entity/business associate is using secure email for the exchange of ePHI, a Business Associate Agreement needs to be signed between the entity and the email provider.
- Breach notifications as per HITECH (2009): covered entities and business associates must report breaches to all impacted individuals within 60 days, disclose them to a prominent media outlet in the state they serve (if 500+ residents are impacted), and report them to the Secretary for the state. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- The two main principles governing HIPAA privacy are:
* Need to know
* Minimum Necessary
- Privacy Rule Basic Principle:
A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
- Privacy Rule Required Disclosures:
A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation, compliance review, or an enforcement action.
- Privacy Rule Permitted Uses and Disclosures:
A covered entity is permitted, but not required, to use and disclose protected health information without an individual’s authorization for the following purposes or situations: (1) to the individual (unless required for access or accounting of disclosures); (2) treatment, payment, and health care operations; (3) opportunity to agree or object; (4) incident to an otherwise permitted use and disclosure; (5) public interest and benefit activities; and (6) limited data set for the purposes of research, public health or health care operations.