HIPAA is More Important Than Ever
When the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted almost 28 years ago, it was intended to secure healthcare information and more specifically, Protected Health Information (PHI) created, transmitted, stored and maintained by health providers and other “covered entities.” With the exponential growth of AI and related emerging technology affecting healthcare, concerns about security and theft of PHI continue unabated. In fact, the stakes are now higher than ever, given the spate of cyberattacks that have struck the healthcare community with significant force. The Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA, has long warned that healthcare companies were prime cyberattack targets. The February 2024 ransomware attack against UnitedHealth Group (UHG) subsidiary Change Healthcare reinforces the importance and reality of this threat. With respect to Change Healthcare, cybercriminals were able to gain unauthorized access because multi-factor authentication was not enabled on the organization’s most critical systems.
The HIPAA Privacy and Security Rules
The two most significant regulatory principles of HIPAA are the Privacy Rule and the Security Rule. The Privacy Rule establishes parameters for the use and disclosure of PHI by covered entities and their business associates, as well as standards that enable individuals to understand and access their own health information and to control how it is disseminated. The Security Rule is designed to provide adequate protection for PHI through the use of administrative, physical and technical safeguards that ensure the confidentiality, access control and integrity of the information.
As technology has broadened and the use of AI is becoming ubiquitous, efforts to protect PHI have become more imperative. However, partially due to the delay between HIPAA’s enactment and its enforcement, and partially due to the misperception that HIPAA is a “toothless” regulatory framework, many organizations—from solo practices to large organizations (like Change Healthcare)—are operating out of technical compliance with HIPAA, often without knowing, and are unprepared for prevalent threats.
Safeguards for Compliance
Managing HIPAA compliance is multifaceted and must include comprehensive policies, procedures and regular internal “checkups” or risk assessments. From a technical perspective, mitigating the risk of a breach can be as basic as maintaining password protection and multifactor authentication—both of which are typically standard offerings from EMR providers. However, the most impactful measure toward mitigating risk is training. Providing staff with a thorough understanding of HIPAA and its purpose, requirements and penalties will go a long way toward buy-in for risk management and compliance. An educated staff is less susceptible to phishing and the social engineering attempts of cybercriminals, and can likewise educate patients regarding recommended safeguards and mistakes that can be avoided. Managing communications containing PHI is one area of compliance that is frequently overlooked. For example, an e-mail or text sent without encryption can, in some situations, constitute a HIPAA breach. As it is quite common for healthcare providers to use e-mail and texting to communicate with patients, this gives rise to a plethora of legal issues.
Emails & SMS
Many HIPAA breaches result from sending an email or SMS message to a patient and it being received by the wrong individual. The Department of Health and Human Services (HHS) has issued guidance indicating that HIPAA “allows covered healthcare providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so.” For example, HHS recommends taking precautions, such as confirming the email address of the patient prior to transmitting a message. Additionally, individuals have the right under HIPAA’s Privacy Rule to request and have a covered entity communicate with him or her by the means the individual chooses. Thus, if an individual approves electronic communications, such as email or SMS, this is a permissible method of communication.
However, mere acceptance of electronic communications by the patient is not where a compliance analysis ends. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key. Encrypting messages using methods approved by HHS can mitigate the risk of a breach. However, encryption is an addressable standard of HIPAA, rather than a requirement.
The Security Rule differentiates between provisions of the rule which are required, and those that are addressable. A required provision must be implemented by a covered entity. An addressable provision allows flexibility in applying the applicable security measure and enables the covered entity to take into account whether the provision is reasonable and appropriate for that entity when determining how the measure should apply. To determine how an addressable provision of HIPAA applies, a covered entity or business associate must consider: (i) the size, complexity, and capabilities of the Covered Entity; (ii) the Covered Entity’s technical infrastructure, hardware, and software security capabilities; (iii) the costs of security measures; and (iv) the probability and criticality of potential risks to electronic protected health information. A covered entity may apply this “Four-Factor Test” to its particular circumstances to determine how and whether to apply an addressable component of the Security Rule.
For example, if technology is available to encrypt PHI but it is commercially unreasonable for the covered entity to procure such technology, it may be reasonable for the covered entity not to use encryption. Conversely, if a technology to encrypt an SMS or email is readily available at a minimal or reasonable cost, then application of the Four-Factor Test may yield a different result and require that the covered entity send the SMS or email in an encrypted format. The type of information to be transmitted via SMS or email will also affect this “reasonableness” determination. In either event, the covered entity must consider the totality of the circumstances and the applicable safeguards available before it proceeds without implementing a security measure like encryption.
Security is the Priority
A HIPAA breach can bring calamity upon a medical practice and its providers, potentially resulting in significant fines, corrective action plans and regulatory actions. It is essential that medical providers ensure full HIPAA compliance, especially when texting or emailing PHI, or otherwise communicating PHI to and from mobile devices.
How Frier Levitt Can Help
Contact Frier Levitt to speak to an experienced data privacy attorney who can assist in evaluating your organization’s current data practices for deficiencies and compliance, as well as prepare and assist you in the event of security incidents and data breaches.