The Health Insurance Portability and Accountability Act (HIPAA) was established by Congress in 1996. The legislation was passed to improve the efficiency of the United States healthcare system. It does so by standardizing best practices for maintaining the security and privacy of healthcare data. HIPAA required the United States Department of Health and Human Services (HHS) to create new regulations addressing this data. Thus far, the HHS has released two documents, the Privacy Rule and the Security Rule.
The Privacy and Security Rules define requirements for handling all electronic personal health information (e-PHI). Personal health information (PHI) represents any health data that includes identifying information (e.g., name, address, health conditions). Further, under HIPAA, healthcare organizations can no longer request Social Security numbers (SSN) as part of their data collection.
In 2009, the U.S. Congress also passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. This legislation creates definitions for the meaningful use of electronic health records (EHR) that contain PHI. The HITECH Act requires healthcare organizations to report suspected breaches. Increasing awareness around healthcare-related data breaches also prompted Congress to pass the HIPAA Omnibus Rule in 2013. This rule defines required security controls. These controls aim to strengthen the original protections within the HIPAA Privacy and Security Rules.
Covered Entities. HIPAA defines rules for all healthcare organizations (also known as covered entities) that store or transmit PHI data. Covered entities can include health plans, healthcare providers, or individuals assisting with healthcare. HIPAA also acknowledges that covered entities occasionally need to disclose PHI to business associates that support health services.
With the passing of the HITECH Act and HIPAA Omnibus Rule, business associates must adhere to HIPAA requirements in the same fashion as a covered entity. As such, covered entities must get written assurances from business associates that appropriate controls are in place.
The HIPAA Security Rule defines controls that must be implemented to protect PHI. This requires the implementation and documentation of administrative, physical, and technical safeguards. The technical safeguards require appropriate access, audit, and encryption controls. Software handling PHI must have these controls in place and they must be documented.
Conducting tests to ensure an implementation is performed appropriately in software that stores or transmits e-PHI demonstrates that HIPAA-required controls are successfully in place. Provision 164.308(a)(8) of the HIPAA Security Rule requires organizations that transmit and store PHI to regularly perform technical and non-technical evaluations of these systems.
Synopsys can help organizations meet the software security-related regulations set by HIPAA. We can assist in evaluating an organization's overall control environment to determine if the various HIPAA Security Rule requirements are met.
Any organization handling healthcare data or PHI must ensure that their security program and software controls address the requirements of the HIPAA Security and Privacy Rules. Covered entities that meet these rules are able to process, store, and transmit PHI without fear of civil or criminal penalties.
Note that HIPAA rules establish a minimum standard for the implementation of IT and software security controls. Without these rules, organizations processing PHI have no specific requirements protecting their healthcare data (i.e., for maintaining the confidentiality, integrity, and availability of the data).
The enforcement of HIPAA standards by the U.S. federal government ensures that organizations take the implementation of PHI controls seriously. It also ensures that consumers of healthcare in the U.S. have an outlet if their PHI is mishandled.
Get started by establishing whether or not your organization is a covered entity. Once PHI is identified within an organization’s software or systems, a review of the covered entity’s security policies and procedures is the next step to identify gaps and implement controls.
The Health Information Trust Alliance (HITRUST) offers a common security framework (CSF) to help organizations implement HIPAA-required controls necessary for compliance. The HITRUST CSF allows for self-assessment to implement appropriate controls. However, some organizations may require a validated assessment that is performed by a HITRUST assessor. This assessment must then be submitted to the HITRUST organization for review and approval. Failure to achieve a HITRUST certification may prevent certain HIPAA-regulated organizations from receiving PHI from organizations requiring HITRUST compliance in their documented security requirements for third parties.
If a violation is reported to the OCR, your organization must be responsive to requests for evidence of HIPAA-required controls. Perform external reviews of your security program and implement technical assessments to demonstrate adherence.
Implement at least the minimum required testing and controls defined by HIPAA. Risks to PHI and the covered entity extend beyond checking a compliance box. As threats to privacy and security evolve and expand, expectations for implementing reasonable controls required by HIPAA will also continue to expand. The easiest way to handle evolving expectations is to be one step ahead.
The Agile Security Manifesto