GRC
HIPAA

HIPAA

HIPAA Basics

HIPAA stands for The Health Insurance Portability and Accountability Act of 1996.

The Act was established to require HHS (Health and Human Services) to develop regulations that protect health information from intentional and unintentional disclosure.

  • Developed primarily to protect PHI and PII
    • PHI = Protected Health Information
    • PII = Personally Identifiable Information

HIPAA Titles

  • Title I: Focus on Health Care Access, Portability, and Renewability
    • Protects a former employee from losing health insurance coverage when unemployed, or waiting for their new employer benefits to take effect.
    • Eliminates restrictions placed on pre-existing conditions
  • Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
    • Security and Privacy Rules
    • Protects electronic PHI
    • Covers penalties for fraud and abuse
  • Title III: Tax-related Health Provisions Governing Medical Savings Accounts
    • Pre-tax dollars deducted from gross pay before taxation
    • HSA: Medical savings/flex-spending accounts (Use it or lose it)
  • Title IV: Application and Enforcement of Group Health Insurance Requirements
    • Pre-existing coverage continuation
    • Allows departing employees to extend their medical coverage for a short term duration
    • Higher out-of-pocket costs
  • Title V: Revenue Offset Governing Tax Deductions for Employers
    • Company-owned life insurance provides for certain employer tax deductions
    • Citizenship: Prevents attempts to evade taxes by relinquishing citizenship (ex-citizens/expatriate)
    • Expatriates’ names are posted for public disclosure

HIPAA Privacy Rule

Establishes national standards to protect individuals' medical records and other personal health information, regulating how certain entities, like health care providers and insurance plans, handle and disclose this data.

PHI

  • Sets standards for the privacy of identifiable health information (PHI)
  • Covers general PHI information
  • Restricts access, except to covered entities
  • Disclosure of PHI must be approved/signed by the individual

Right to Access

  • Patients have the right to access their medical records
  • Access must be granted within 30 days of request, but there are exceptions to this rule
  • Doctors are allowed to charge an administrative fee for duplicating files
  • The amount of PHI shared between Entities should only be applicable/the minimal, to meet the medical need (sending the entire file should be avoided)
  • Requires patient approval
  • Patients can demand corrections to their medical records
  • Correct inaccurate information only
  • Changes are protected and must remain confidential
  • Requires document signatures from patients
  • Significant Harm to the patient allows HHS to investigate
  • Protection has changed to 50 years after death
  • For security, use an encrypted connection when communicating record request

HIPAA Security Rule

Focuses on electronic PHI (ePHI), which is information stored and transmitted in a digital format, covering penalties for fraud and abuse.

Administrative Safeguards

  • Written policies and procedures
  • Assigns classes of employees to determine who has access to certain information
  • Requires ongoing policy training
  • Requires data backup and disaster recovery
  • Establishes internal audits
  • Requires incident response planning
  • Privacy officer
  • Role is needed to implement HIPAA policy and internal procedures

Physical Safeguards

  • Protect physical access to PHI
  • Install locks
  • Hire security guards
  • Restrict and monitor equipment that stores ePHI
  • Position or conceal monitors that display ePHI information in a way that prevents their screens from being viewed by unapproved staff
  • Training to protect PHI and ePHI should include external resources such as contractors

Technical Safeguards

  • Protect data from a breach that could harm the CIA Triad (Confidentiality, Integrity, Availability)
  • Entities must make process documents available for Government/HHS review
  • Network diagrams and architectures must be documented
  • Document risks assessments and mitigation plans

HIPAA Issues and Violations

Common Issues related to HIPAA:

  • Misuse of PHI: This involves using Protected Health Information (PHI) for fraudulent activities such as opening bank accounts, stealing, or committing other fraudulent acts.
  • Lack of Protection: This occurs when there are no policies or technical safeguards in place to protect PHI.
  • Patient Access: This issue arises when it takes longer than the stipulated 30 days to provide patients with duplicates of their records, whether in paper or electronic format.
  • Minimum Necessary Violations: This involves entities disclosing more PHI than is necessary to other entities.
  • Lack of Safeguards for ePHI: This issue arises when encryption is not utilized when data is in transit or stored, leading to potential breaches of electronic PHI (ePHI).

Common Entities known for making HIPAA violations:

  • Private Practices
  • Hospitals
  • Outpatient Facilities
  • Group Insurance Plans
  • Pharmacies

HIPAA Violations

Civil Violations:

  • Fees per patient depend on the violation.
  • Applies to individuals as opposed to an Entity (a business).
  • Categories of violations:
  • Unknowingly/accidentally
  • Reasonable cause
  • Willful neglect and corrected
  • Willful neglect and not corrected

Criminal Violations:

  • Applies to entities and individuals. Penalties and jail sentences vary according to the violation.
  • Categories of violations:
  • Willful and knowingly
  • False pretenses
  • Intent to sell, transfer, or use PHI/PII for commercial advantage, personal gain, or malicious harm
  • HIPAA Violation Examples:

HIPAA Drawbacks:

  • Clinical Care: Older equipment takes more time, which is time taken away from patients.
  • Education/training: Requires too much time and cost.
  • Research: Requires too much paperwork.
  • Cost: Expensive to implement.

Cyber Attacks

Common Malware

Virus:

  • Requires a host to spread.
  • Attaches to files but is not self-replicating.
  • Types of viruses:
    • Boot sector
    • Ransomware
    • Shell virus
    • Polymorphic
    • Macro virus

Worms:

  • Consumes resources.
  • Self-replicating and self-propagating.
  • An example of a worm is WannaCry.

Trojans:

  • Performs hidden actions.
  • Provides remote access capabilities (RAT).
  • Commonly used ports: 407, 21544, 31337.
  • Well-known Trojans: Emotet, TrickBot.
  • Delivery methods:
    • Malvertising
    • Phishing - most applicable to healthcare (e.g., invoice attachment)
    • USB
    • Insider Threat

HIPAA Breach Notification Rule:

What is a breach?

A breach is defined as unauthorized access that threatens the security or privacy of Protected Health Information (PHI) and electronic PHI (ePHI).

To not consider an event as a breach, it must be proven that a breach did not occur. For example, an Entity’s use of end-to-end encryption can be evidence that a breach did not occur.

Individual Notification:

  • If an individual's PHI was breached, they must be notified.
  • Covered Entities are required to perform specific activities within 60 days of the breach.

Media Notification:

  • The media must be informed when a breach impacts 500 or more individuals.
  • Covered Entities are required to communicate a breach announcement to:
  • Local news outlets
  • The local HHS Secretary
NIST CSFCyber Threat Intelligence