As cyber security professionals, a large portion of our services include educating our customers on terminology and requirements for the ever-evolving changes to the requirements of HIPAA. An often overlooked component is businesses that access or transmit PHI (Protected Health Information) – which include the following three types of entities within the “business associate” definition:
- Entities that both transmit and routinely access PHI on behalf of a covered entity (e.g., health information organizations, e-prescribing gateways, etc.)
- Personal health record vendors serving covered entities
- Business associate subcontractors[space height=”20″]
Of these three groups, the extension of HIPAA to subcontractors is likely to prove the most challenging to attorneys from a compliance perspective. For instance, attorneys who maintain and transmit PHI on behalf of their business associate clients would be required to comply with all applicable HIPAA provisions, despite the fact that the client itself is not an actual covered entity.
Quite simply – if a law form or attorney makes regular contact with PHI, which would be commonplace for personal injury law, then the law firm would be required to take the same level of security compliance (as outlined by HIPAA) as required by a hospital or other healthcare organization.
Non-Compliance Can Cost You – Even After the Hack
The average cost of a hack is high – roughly $3.8M in 2015 according to Ponemon – but the separate cost of non-compliance is also high. Under the act’s tiered penalty structure, the amount of fines increases with the level of culpability, with a maximum of $1.5 million per year for the same violation. The different levels are:
- Violation due to reasonable cause and not due to willful neglect
- Violation due to willful neglect but is corrected within the required time frame
- Uncorrected violation due to willful neglect[space height=”20″]
The HIPAA Security Rule contains the standards that must be applied to protect ePHI when it is both at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. Access includes having the means necessary to read, write, modify or communicate ePHI or personal identifiers that can reveal the identity of an individual. There are three parts to the HIPAA Security Rule:
- Technical Safeguards
- Physical Safeguards
- Administrative Safeguards[space height=”20″]
The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable.
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located on the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access.
The Administrative Safeguards are the policies and procedures that tie together Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.
Looking for a comprehensive checklist for HIPAA Security? We have you covered with the official IHS check list.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:
- A violation attributable to ignorance can attract a fine of $100 – $50,000
- A violation which occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000
- A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000
- A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000[space height=”20″]
Fines are imposed per violation category, reflect the number of records exposed in a breach and risk posed by the exposure of that data. Penalties can easily reach the maximum fine of $1.5m per year, per violation category. It doesn’t end there – the penalties for willful neglect can also lead to criminal charges being filed, while civil lawsuits for damages can also be filed by victims of a breach.
Build Your Network to Protect Your Data & Your Business
CyberGRC designs your network not only to meet NIST Standards, but security policies and procedures to handle your data in the event a breach was to occur. Our Zero Trust Network assumes no data is safe and no network unbreakable. With multiple layers of safeguards, your business is in the best position to prevent catastrophic damage and prevent losses.
Ready to Build a Zero Trust Network? CyberGRC’s team of cyber security and compliance expert’s sole mission is supporting your team, keeping your data safe and your company’s name out of the press. Contact Us today to start your network evaluation.