Ordinary American businesses are legally obligated to tell consumers when there has been a data breach but are not obligated to have cybersecurity protection in place. However, healthcare organizations are not ordinary businesses. Because they deal with protected health information (PHI), healthcare organizations are subject to special cybersecurity and data privacy rules pertaining only to their sector.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the main piece of legislation dealing with protected health information. This federal law mandated the creation of national standards to protect PHI from being disclosed without patients’ consent or knowledge.
The U.S. Department of Health and Human Services (HHS) has created a number of rules in order to implement the requirements of HIPAA, with the most important being the HIPAA Security Rule, HIPAA Privacy Rule, and HIPAA Breach Notification Rule. These rules apply to the following covered entities:
- Healthcare providers of all sizes;
- Health, dental, vision, and prescription drug insurers;
- Health maintenance organizations;
- Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers;
- Long-term care insurers (excluding nursing home fixed-indemnity policies);
- Employer-, government, and church-sponsored health plans;
- Healthcare clearinghouses; and
- Any other person or organization using or disclosing individually identifiable health information to perform activities for a covered entity.
HIPAA Privacy Rule
The Privacy Rule mandates that covered entities may only use or disclose an individual’s PHI when (1) it falls under the rule’s permitted uses and disclosures; or (2) the individual (or a personal representative of the individual) authorizes in writing.
The six permitted uses and disclosures are:
- Disclosure to the individual;
- Disclosure for the covered entity’s own treatment, payment, and health care operations activities;
- Disclosure after the individual is given the opportunity to agree, acquiesce, or object;
- Incidental use and disclosure, i.e. use or disclosure of PHI that occurs as a result of an otherwise permitted use or disclosure;
- Public interest and benefit activities in which information is disclosed for one of 12 national priority purposes (e.g. law enforcement purposes, judicial and administrative proceeding, disclosure to government authorities regarding victims of abuse, neglect, or domestic violence); or
- Limited data set for use in research, healthcare operations, or public health purposes.
HIPAA Security Rule
The HIPAA Privacy Rule protects all individually identifiable health information a covered healthcare entity creates, receives, maintains, or transmits in electronic form, otherwise known as ‘electronic protected health information’ or e-PHI.
Under this rule, all covered entities must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information;
- Detect and safeguard against anticipated threats to the security of the information;
- Protect against anticipated impermissible uses or disclosures; and
- Certify compliance by their workforce.
HIPAA Health Breach Notification Rule
Ordinary businesses must comply with state-specific laws requiring notification of security breaches. However, HIPAA-covered entities are subject to a separate notification rule known as the HIPAA Health Breach Notification Rule. This rule defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
Covered entities must only provide notification if the breach involves “unsecured protected health information,” defined as health information that is usable, readable, or decipherable to unauthorized persons. Notification must go to the affected individual, the Secretary of Health and Human Services, and in some cases the media.
- The individual notice must be in written form by first-class mail or by e-mail if the affected individual has agreed to receive notices electronically. Notices must be provided without unreasonable delay and no later than 60 days following the discovery of the breach.
- The notice to the Secretary can be sent by visiting the HHS website and electronic submitting a breach report form. If the breach affects 500 or more individuals, the notice must be submitted without unreasonable delay and no later than 60 days following the breach. If a breach affects fewer than 500 individuals, notice of such breach may be submitted on an annual basis.
- A notice to prominent media outlets serving a state or jurisdiction must be submitted for any breach affecting more than 500 residents of that state or jurisdiction.
Vendors of personal health records and their third-party service providers are covered by a similar breach notification rule implemented and enforced by the Federal Trade Commission (FTC). In the event of a security breach, an entity covered by the rule must notify each affected person who is a citizen or resident of the United States, the FTC, and in some cases the media.
Cleaning up a data breach can be a drain on resources for any business, and doubly so for healthcare organizations. Fortunately, you can reduce (but not eliminate) the odds of suffering a data breach by hiring the services of a managed Security Operation Center (SOC) provider. A well-managed SOC platform should provide threat hunting and monitoring to defend against attacks, along with digital forensic and incident response tools to ensure a swift response in the event that a data breach does occur.