Many security standards spell out exactly what you need to do to be compliant, but HIPAA is not one of them. According to Michael Fimin, CEO of Netwrix, “though all healthcare providers are required to implement security processes and controls, HIPAA rules are general in nature, and they don’t provide any exact solution to mitigate possible security risks.”
What HIPAA guidelines do make clear are the consequences of letting Protected Health Information (PHI) fall into the wrong hands. In general, a first-time violation can result in a fine of anywhere from $100-$50,000, and if the court finds that there was “willful neglect,” the minimum fine is $10,000. That means if hackers access an email with PHI, an electronic copy of patient records stored on the cloud, or test results on a stolen flash drive, you could quickly be in for a big penalty. Many of these attack vectors — especially cloud-based storage and email — are frequently overlooked by IT staff.
The only way to truly prevent a costly compliance violation from impacting your enterprise is by taking HIPAA email compliance seriously, as well as locking down any cloud storage your enterprise uses. The best — and easiest — way to achieve total compliance is to adopt widespread encryption in your enterprise.
Introduction to HIPAA: Who’s on the hook for compliance?
If your organization deals with PHI, you must be compliant. HIPAA defines health care providers, health plans, and healthcare clearinghouses as covered entities. Their broad definitions include pretty much any organization that works with PHI data. For example, if you bill health care and transmit the documents electronically, you’re considered a provider. If you take a doctor’s notes on patients and enter them in a standardized form, you’re a clearinghouse.
Being covered means you’re responsible for keeping PHI secured. Whether it’s emailing a patient to setup an appointment, billing for procedures, or transmitting lab results to a hospital, it is your duty to make sure third parties can’t see, get ahold of, or change the data. If an unwanted party gets a hold of an accidentally forwarded email, or if they willfully break into an employee’s inbox, that constitutes a violation. In order to prevent that from happening, you must make HIPAA email compliance is a priority.
Consequences of HIPAA violations
There are 4 tiers of penalties for HIPAA violations, based on how the violation happened. Tiers 1-3 have a maximum penalty of $50,000, but different minimum penalties. Tier 1 violations — where the employee responsible for the violation didn’t know they weren’t compliant and wasn’t being negligent — start at $100. If the violation had a “reasonable cause,” it’s Tier 2, and will cost at least $1,000. “Willful neglect” pushes the violation to Tier 3, provided it’s corrected within 30 days. If it isn’t corrected, it becomes Tier 4, and the organization can be forced to pay anywhere from $50,000 to $1.5 million dollars. Repeated violations can also stack up, to a total of up to $1.5 million in a year.
In practice, sometimes fees can be much higher. Cignet Health received a $4.3 million violation for a series of screw ups by one of their hospitals. First, they wouldn’t give patients their medical records, so those patients complained to the Office of Civil Rights (OCR), which handles HIPAA violations. Then, they repeatedly failed to turn the records over to OCR for more than a year, earning a $3 million fine. When they finally did provide the records, they delivered them with 4,500 other records that they weren’t supposed to disclose, earning another $1.3 million in fees, for a total of $4.3 million.
However, a simple data breach by a covered entity can still rack up huge penalties. In 2015, Anthem, a health insurance company, was fined $1.7 million dollars for a 2010 incident, where hackers stole patient records. At first, it appeared that the hackers had revealed the personal information of 612,000 current and former customers, which was bad enough, but later it was revealed that 78.8 million customers were exposed in the data breach. These customers had their names, birthdates, and social security numbers exposed — no health data, but that didn’t matter. Anthem’s inadequate security resulted in a big fine, and a bigger hit to their reputation.
HIPAA Administrative Safeguards are the basic security rules your organization creates to protect PHI. HIPAA compliant organizations need to have security officials responsible for analyzing risks, creating good security policies, training personnel to follow these policies, and periodically checking how well the security is working.
According to Mark Pastin, head of the Health Ethics Trust and Compliance Resource Group, Inc, administrative safeguards are especially tricky for hospitals, because they have to give PHI access to doctors who aren’t actually their employees and often don’t follow hospital HIPAA rules. These busy physicians typically don’t see HIPAA email compliance as a top priority, meaning that they are much more likely to send PHI using unsecured devices, or over unsecured networks.“These physicians may or may not buy into the privacy and security practices of the facilities where they admit patients.”
Pastin points out that “Bring Your Own Device issues” are a major source of HIPAA vulnerability. Doctors and other Business Associates may store PHI on their own computers without using appropriate measures to protect the data, even if you require your employees to do so. In practice, you may not be able to monitor them for compliance. If a doctor accidentally leaves their computer on the subway, it could put everyone at risk of a HIPAA violation. Likewise, by not using an approved device, doctors sending messages away from the hospital are likely breaking HIPAA email compliance rules.
Another problem that “BYOD” brings in is the ever-present nature of cloud storage. Most modern apps, like DropBox, aren’t actually storing content on the device itself. Instead, these apps are storing all information in the cloud. Making matters worse, cloud storage is often a default feature of many phone operating systems, meaning that unless doctors have the foresight to turn off off-device storage features, all PHI will be replicated on a server that the hospital (nor your IT staff) will have any control over.
If you want to protect yourself from HIPAA violations, you need to set limits for your employees. While they might not like it, you need to do your best from preventing them from using unauthorized cloud storage services.
Jay Hodes, of HIPAA compliance firm Colington Consulting, says it’s crucial for organizations to protect themselves by signing Business Associate Agreements (BAAs) with partners — particularly if they outsource IT:
One of the biggest challenges I see is making sure all parties in these relationships understand the requirements of having a Business Associate Agreement (BAA) in place. It will provide a clear understand of both parties’ roles and responsibilities. Educating providers and IT companies about BAA requirements is always a goal of mine.
Physical safeguards are security practices that protect PHI from physical threats, such as break-ins and thefts. It covers everything from locks, alarms, and guards to control building access; to maintenance logs; to making sure you clear PHI from the hard drives of old computers before you get rid of them.
One often-overlooked aspect of physical safeguards is protecting printed documents, tests and charts. Morgan O’Mara (@morganomara), content coordinator at document destruction company, Shred Nations, says her company often works with healthcare industry clients:
One of the best ways to stay in compliance with HIPAA is to have a regularly scheduled shredding program. This means keeping a chain-of-custody of all documents from creation to destruction. By having an on-going shredding service set up healthcare professionals can be sure that their documents are always securely destroyed in compliance with HIPAA.
Additionally, physical safeguards extend to where your data is stored. If your enterprise is using cloud storage (or any off-site storage whatsoever), it is crucial that you are aware of the security practices of the company in charge of the hardware. Are the premises secure? Is their physical security in place? What kind of deterrents do they have to prevent unwanted actors from entering their building? While asking these questions might make you feel paranoid, it’s important that your cloud services provider understands that PHI is being stored on their hardware.
HIPAA and Disaster Recovery
No matter how good your security policies are, you’ll probably run into stubborn partners who refuse to take adequate precautions. This story from Dr. Tim Lynch of Psychosoftpc shows why a disaster recovery plan is so important:
I had one client who got a new medical billing software package. the software company trainer, who should have known better, insisted on having just one login name and password for the entire staff, making the entire office not HIPAA compliant. this was done over my strong objections to make it “easier on the staff”. this person is still working for the company and still making every dermatology medical office she visits non-compliant.
Whether your system is hacked due to lax security, a natural disaster destroys your records, or your computers is stolen, you need a Disaster Recovery Plan (DRP) to minimize data leaks and loss, and get up and running as quickly as possible. According to Ray Lucchesi, president of Silverton Consulting, your DRP should include five elements:
1. Disaster declaration: A process your team will use to decide whether you need to put in place the DRP. You should assign a permanent team to make these decisions, including senior management people from your IT department.
2. Disaster list: A list of events likely to require you to put the DRP into place. This can help you plan ahead so that you’re ready for anything.
3. Data backup: You’ll need to backup your data using a secure, offsite service that can restore all your PHI quickly in an emergency. It should be far enough away that it won’t be damaged by a local natural disaster. Your plan should state where the data is backed up, what type of system it is stored in, and how frequently it needs to be backed up. You should also have contact information for the offsite facility, and information about how long it will take to restore the data
4. Alternate site: You’ll need a secondary site where you can access, update, and process your data. The DRP should explain what’s available at the facilities, list the contacts, and explain all the steps required to access the site.
5. ePHI recovery: This will explain the steps for recovering the data, and the applications you use to access it. It should include what order your personnel should restore programs and data in, and have contact info for people who can help you restore your system.
Technical Safeguards: The Importance of HIPAA Email Compliance
Technical safeguards are security procedures put in place to protect electronic PHI. While it’s important to have good administrative protections, and it’s important not to overlook the physical security of your data, ultimately, unless proper technical safeguards are in place, users will ignore HIPAA compliance protocols.
Proper technical safeguards will only allow those with access to see PHI, likewise, they will also prevent lazy (or forgetful) employees from bypassing rules that might otherwise be important for HIPAA compliance. Technical safeguards could be anything from access controls that prevent users from storing certain kinds of files (or using certain applications), to enterprise-level encryption software that prevents users from sending or storing any unencrypted information.
Nick Espinosa, HIPAA certified CIO of BSSi2 LLC says that people often disregard HIPAA rules or aren’t aware of them, making technical safeguards mandatory. He recommends “putting technology policies in place that the user cannot undo or work around” to reduce the risks of human error:
In the Windows environment, Group Policy is the IT department’s best friend. Restricting access to the Control Panel, enforcing the correct password policy, enforcing screen timeout, file audit and tracking, restricting logins, filtering mobile access and many other user-centric configurations are easily centralized and administered through Group Policy.
The importance of data encryption and HIPAA compliance
HIPAA basically requires data encryption. Technically, you can choose not to do it and document your reasons in writing. However, if you have a data breach and your reasons for not encrypting aren’t good enough for the OCR, it won’t protect you from major fines!
Laptops and other mobile devices are lost or stolen all the time. If they’re encrypted, the thief won’t be able to read PHI stored on the hard drive, which will prevent a HIPAA breach. On an unencrypted device, however, anyone with some basic knowhow can gain access to confidential records, even without your Windows or iOS password.
Your organization’s data center should also use encryption. Although fewer HIPAA breaches are caused by hacked data centers than stolen laptops, the data center breaches are often much more serious, compromising thousands or even millions of records. Encrypting data stored on your onsite servers and offsite backup servers will minimize the risks of compromising the data. Likewise, any data stored via the cloud needs to be encrypted as well — and you should check with your cloud provider to make sure all necessary precautions are being taken to isolate your data from other servers.
Finally, you have to encrypt data in motion. Data sent over the Internet can be snooped on as it goes between servers. If it contains PHI, it should never be sent in a plain text format — it should always be encrypted, even if it is being sent over a local network.
The importance of email encryption and HIPAA compliance
HIPAA compliant email for healthcare providers needs to be encrypted, so that communications involving PHI — such as messages between doctors and patients — remain confidential. Many medical facilities use healthcare portals instead of email, as a way to protect communication between patients and doctors. The email is sent to a portal which encrypts it and sends the secured message to the recipient.
The problem is, no one likes portals. They often have clunky interfaces, and require patients to create a separate username and password. They also don’t do anything for large enterprises whose employees may have to send dozens of emails back and forth every day, and can’t count on all their business associates using the same portal as they do. In addition, portals don’t do a great job of protecting data; the data is encrypted once it gets to the portal, but is still vulnerable to snooping and hacking while it travels to the portal.
To get really secure communication, you need to use client-side encryption. Virtru Pro’s HIPAA compliant email encryption protects data along its entire route, meaning no one can spy on your message while it transits the Internet. It also works with your normal email address, which allows you to send and receive encrypted email without logging in to a separate system.
When it comes to HIPAA compliance, the biggest challenge is getting everyone to follow the rules. Physicians and other business associates are used to doing things their own way, and may not be willing to use a complex portal just because you ask them to.
Virtru Pro provides the simplest solution for HIPAA email compliance, because it integrates seamlessly into existing email services. It will let you and your business partners read encrypted emails with no extra effort, and send them with the push of a single button. And if an associate’s computer is stolen, you can revoke confidential emails you sent them, preventing the bad guy from reading PHI. In the case of a serious breach, that could save your company millions.