Many experts are eager to point out the what and the how of HIPAA compliance: What protected health information (PHI) is included, how it needs to be protected, and which companies are open to penalties and fines for HIPAA violations (i.e., are “covered entities”). Too often left out of the discussion is the why of HIPAA: Who, exactly, is supposed to be protected by these regulations? And how does the apparatus of HIPAA achieve this goal?
Naturally, most of us assume that HIPAA is meant to protect individuals and their private health data. This is true, and it happens in more ways than we standardly acknowledge. But HIPAA is also designed to protect healthcare providers and health insurance companies. Maintaining HIPAA compliance can help these companies avoid risk and, ultimately, help them to become more profitable.
HIPAA and Us: How HIPAA Rules Protect the Individual
The main idea behind HIPAA is to create a national standard for medical records. This very idea is already useful to both patients and healthcare providers, as it makes the sharing and transportation of medical records that much easier (and makes the understanding of those records easier, too).
The writers of that legislation realized, however, that by making medical records more transportable—especially in digital format—there was much more potential for that data to “leak,” and even fall into the wrong hands. Thus they put in regulatory requirements to keep medical data private and secure, setting clear restrictions on the use and release of health records.
This has a number of other beneficial effects:
- It establishes standards and best practices for maintaining the privacy of health records.
- It incentivizes organizations to prioritize security and privacy.
- It holds organizations accountable if they knowingly or inadvertently violate patients’ rights.
- It enables patients to find out how their information may be used, giving them more control over their personal health information and how it can be disclosed.
- It gives patients the right to access their own health records and, in some cases, request corrections or updates.
Note that what is considered protected health information (PHI) is broad, and includes things that we might not normally consider “medical” or “health” information. Think Social Security numbers, geographic locations, email addresses, and other things that could be used to identify or locate individuals. For this reason, it is helpful to think about who HIPAA protects, and not just what information is protected.
HIPAA Actually Helps Healthcare Providers and Other Companies, Too
All healthcare entities and organizations that use, store, maintain, or transmit patient health information are expected to be in compliance with HIPAA regulations. While this might seem to be an additional barrier to conducting business, there are actually some solid business reasons for adhering to the standards set forth in HIPAA. These reasons would still stand even if there were no penalties for HIPAA violations.
First, HIPAA outlines various kinds of physical, technical, and administrative safeguards that need to be in place, and requires a risk assessment to evaluate how well a covered entity has implemented these safeguards. Such an audit is a good idea generally, and it is not uncommon for other, unrelated problems to be found in the process of doing a HIPAA audit. (For example, drilling down into employee access to files might reveal old user accounts that have been compromised—a general cybersecurity threat that goes well beyond data privacy!) Just as a regular check-up with a doctor or dentist can find potential problems before they become serious, HIPAA audits can be the impetus for addressing technical and administrative issues that might otherwise fly under the radar.
Second, HIPAA is important for keeping healthcare industry fraud contained. Fraud happens because bad actors try to “cheat” the system to gain an unfair advantage. Competitors engaging in fraudulent activity will have an unfair market advantage—unless there is something to stop them. HIPAA can thus play a huge role in creating a fairer market environment.
Third, HIPAA helps build trust with patients. If patients trust their healthcare providers, they will feel more comfortable using their services. They will also trust that, if records do need to be transferred, they will be transferred in a way that ensures privacy and accuracy. Think of the parallel with banking: You wouldn’t trust just any company to move large sums of money for you. But, knowing that a bank is highly regulated and closely monitored, you have many assurances that your money will be safe, and that it will end up in the right hands. HIPAA regulations do the same for data in the healthcare industry.
HIPAA Compliance and Your IT Team
A large chunk of HIPAA compliance requirements falls under the heading of “technical” requirements, so it is highly likely that your IT team (or IT vendors) will be heavily involved in ensuring HIPAA compliance and ultimately demonstrating it to the relevant regulatory bodies.
Unfortunately, many IT teams are under the impression that their job starts and stops with finding HIPAA-compliant cloud storage and cloud platforms. This is a misunderstanding of what HIPAA compliance is and how it affects IT teams.
Here are some additional considerations; the list is not exhaustive but should give you a flavor of the ways in which IT teams can be exposed when it comes to HIPAA violations:
Migration. Is your company moving data from one platform to another? Or perhaps moving data from an on-prem data center to a private or public cloud? Or vice versa? Whenever data with potential healthcare information is moved, HIPAA standards have to be met.
Cybersecurity threats. There already exists a vast array of cybersecurity threats to worry about: Phishing schemes, ransomware, keyloggers, and so on. What many IT teams are unaware of is the huge and growing black market for healthcare information being bought and sold on the dark web. Covered entities should always consider themselves doubly at risk.
Training. So an employee is careless and opens a sketchy email, maybe even opens an attachment that isn’t safe. While the employee is technically at fault, blame will usually fall on the CIO/CTO for not properly training employees on common cybersecurity threats (see above).
Logging. HIPAA rules require logging and auditing of access to PHI. This means that any firewalls or unified threat management appliances (UTMs), whether on-premises or in the cloud, will need such logging enabled. Integrity monitoring controls also need to be in place to signal when changes to data are made, and to identify when unauthorized access has happened.
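One way an IT team might operationalize the logging and integrity-monitoring points above, as an added Python example (not code from the original article): it reviews PHI access records against an account directory to surface access by offboarded accounts (the “old user accounts” case mentioned earlier) and off-hours activity, and compares record hashes against a baseline to detect changes. All log lines, account names, and record contents are constructed for illustration.

```python
# Added example, not from the original article: a minimal PHI access review
# plus a record-integrity check. Every log line, account, and record below is
# constructed for illustration; the working-hours window is an assumption.
import hashlib
from datetime import datetime

# Constructed audit log: timestamp, user, action, record id (one entry per line)
AUDIT_LOG = """\
2024-03-04T09:12:10 jsmith READ patient-1042
2024-03-04T09:15:44 jsmith UPDATE patient-1042
2024-03-04T02:31:07 rdoe READ patient-2210
2024-03-04T11:05:52 old_vendor READ patient-3301
"""

# Constructed account directory: user -> active flag (old_vendor was offboarded)
ACCOUNTS = {"jsmith": True, "rdoe": True, "old_vendor": False}


def parse_log(text):
    """Parse the space-separated audit format above into dicts."""
    entries = []
    for line in text.splitlines():
        ts, user, action, record = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "record": record})
    return entries


def find_suspicious_access(entries, accounts, work_hours=(7, 19)):
    """Flag PHI access by inactive/unknown accounts or outside working hours."""
    findings = []
    for e in entries:
        if not accounts.get(e["user"], False):
            findings.append((e["user"], e["record"], "inactive-account"))
        elif not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            findings.append((e["user"], e["record"], "off-hours"))
    return findings


def baseline(records):
    """Record id -> SHA-256 of its content, taken when the data is known good."""
    return {rid: hashlib.sha256(data).hexdigest() for rid, data in records.items()}


def changed_records(baseline_hashes, records):
    """Ids whose current hash differs from the baseline; new ids are reported too."""
    return sorted(rid for rid, data in records.items()
                  if hashlib.sha256(data).hexdigest() != baseline_hashes.get(rid))
```

Run the review on a schedule against real audit exports and an authoritative account list, and treat every finding as something to investigate rather than auto-close.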
Ultimately, putting in place processes to ensure HIPAA compliance should just be a part of your overall cybersecurity plan. When implemented correctly, such a plan will actually be a huge benefit to your organization (and possibly a thorn in the side for unscrupulous competitors). HIPAA really is meant to protect everyone, providing a set of commonsense guidelines for maintaining and transporting healthcare records in the digital age.
To understand the full risk of HIPAA violations, see our article “You CAN’T Afford It – What HIPAA Violations Really Cost.”