After almost 20 years in IT, people still tell me I’m crazy when I say that I sincerely enjoy compliance. I enjoy dealing with lawyers, love audit and compliance teams, and writing service provider security requirements documents. Having been on the enterprise financial side of tech for the first 15 years of my career in IT, and one managed services provider (MSP) or another ever since, I have a deep appreciation for regulations.
For one, it’s because I’ll (theoretically) never NOT be in demand. Second, I have a propensity for over-documentation (if such a thing exists) and will go to the ends of the earth to protect both my company and my customer.
Sarbanes-Oxley (hair on the back of my neck standing up) was my first foray into the compliance world back in 1998. Then came PCI. Which I promise you, isn’t actually that bad. Yes it’s long, arduous and manual, but at least it’s fairly straightforward. From there I dove into HIPAA, thinking it might have the same straightforwardness you get with PCI. I began my research over a weekend (one that was soon lost to several glasses of bourbon and the deep rabbit hole that is HIPAA), and after countless hours of research my conclusion was HIPAA is a fluid vague beast of a regulatory system that I had less than a 50% grasp on.
Lucky for you, I’ve already done a brunt of the research. And if you are in the position I was in a few year’s ago and need beef up your HIPAA knowledge, consider this post the springboard that starts your journey.
Let’s define the regulation
The Health Information Portability and Accountability Act, or HIPAA, was first enacted in 1996 in order to safeguard medical information and provide data privacy and security. It was updated in 2009 with the HITECH amendment – Health Information Technology for Economic and Clinical Health Act, which was enacted as part of the ARRA (American Reinvestment and Recovery Act of 2009), which promoted adoption and meaningful use of health IT. All three of these acts are in place to enforce regulations and monetary penalties on those organizations in charge of protecting patient privacy.
In 2013, the Omnibus Rule was introduced and it really tightened things up. Several changes were made to strengthen the privacy and security of an individual’s’ health information, and enforcement strategies were expanded upon. With these added regulations, organizations must be even more vigilant with the safeguarding of information, both protecting the user and themselves in the process.
The penalties for a breach under the HIPAA Omnibus Rule (by cause) include:
1 – Did not know – $100 to $50k per violation (determined by HHS OCR)
2 – Reasonable cause – $1k – $50k per violation
3 – Willful neglect, corrected – $10k – $50k per violation
4 – Willful neglect, uncorrected – $50k per violation
Who is at risk of being fined and why?
Regardless of the resources they may have, nearly every organization that handles medical data must comply with HIPAA. The exception being folks who use personal health portals, which are regulated by the Federal Trade Commision, not the Department of Health and Human Services, and of course fitness tracking devices like FitBit. This is notably important because more and more larger hospital groups are absorbing small and medium sized practices across the country, so there are massive amounts of data that need to be aggregated, with enormous investments being made in infrastructure, privacy, and security.
And considering the fact that the data owner is ultimately responsible for any breach, there is a huge concern around targeted breaches and the basic mishandling of data.
What can you do to protect your organization?
Do your research!
There are several tools and vendors out there that promise to help solve your compliance issues. But unless that tool is automated, lightweight, and integrated within the rest of your organization’s security practices, it’s unlikely that they will truly help you reduce your compliance headache. And when it comes to something like HIPAA, automation is key. Your scans should be continuous, your room for human error should be minor, and you should be gathering data all year for your annual compliance audit (rather than having to pull it at the last-minute).
What will HIPAA look like in the future?
As I stated earlier, HIPAA regulations are fluid and vague, and will likely continue to be this way as more controls are added, and organizations continue to adjust to new platforms and cybercrime tactics.
Along with that, each new administration also means that a change in regulation could be ushered in.
It’s important to be aware of the fluidity of the industry and the very serious (and expensive) risks it brings with it. Arming yourself with a security partner who understands these regulations, and can help you define and adjust to any changes will be key.
And lastly, the best way to stay on top of regulations and eliminate as much human error as possible, is to automate your compliance scans and integrate the data captured into all of the different platforms your organization utilizes. When it comes to compliance, don’t be late to your own party.