Does HIPAA Affect Healthcare Cybersecurity?
Pivotal Legislation Safeguards Private Healthcare Information
The Health Insurance Portability and Accountability Act of 1996 — better known as HIPAA — is a federal law that was primarily created to address healthcare insurance coverage limitations, particularly for individuals between jobs. It’s probably more widely recognized for leading to the development of regulations to safeguard the privacy and security of protected health information (PHI). HIPAA came about just as the Internet was expanding and allowed for the flow of healthcare information to be modernized while preventing fraud and theft. HIPAA has many parts to it that affect other private and public sectors, but the HIPAA Privacy Rule and the HIPAA Security Rule are probably the most significant and well-known related directly to the field of cybersecurity in healthcare.
The HIPAA Privacy Rule and the HIPAA Security Rule were established by the U.S. Department of Health and Human Services. While the HIPAA Privacy Rule safeguards protected health information (PHI) including information communicated in verbally and in writing, the HIPAA Security Rule, protects health information of patients in electronic form (ePHI).
What information is protected by HIPAA?
The HIPAA protected health information definition is relatively broad. It encompasses any healthcare information that “relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual”, even in casual conversations.
Examples of HIPAA protected health information include:
- Demographic data, such as a patient’s age, gender and location
- Clinical information, such as a patient’s medical diagnosis or prescription meds
- Medical histories and records, such as a pre-existing condition or past surgical procedure
- Lab and test results, such as x-rays or blood work
- Insurance information, such as a patient’s health insurance claims and coverage
HIPAA cybersecurity requirements
HIPAA impacts just about everyone, from patients and doctors to administrative staff and network administrators. This also includes health providers, business associates and healthcare workers. Basically, anyone who might come in contact with or handles protected health information is subject to HIPAA.
In particular, health providers and organizations that collect, store, maintain or transmit HIPAA protected health information must adhere to HIPAA cybersecurity requirements. This includes rules for HIPAA computer and technology compliance meant to prevent unintentional, or malicious, access to HIPAA protected health information. For example, health providers and organizations are required to have security policies in place that define how they conduct risk assessments and vulnerability assessments to look for weaknesses, enact risk mediation plans and respond to cyber incidents.
HIPAA technology requirements ensure the confidentiality, integrity and availability of electronic protected health information (ePHI). Health providers and organizations must use reasonable and appropriate healthcare cybersecurity measures to implement the necessary standards for keeping HIPAA protected health information private. How to implement them is left up to individual organizations and the healthcare cybersecurity personnel they employ.
Strong access control is one of the key safeguards for securing HIPAA protected health information. Access control grants rights or privileges to specified users working in information systems, applications, programs or files, so they can perform job-related functions. Access control methods include:
- Unique user identification, from biometric fingerprint readings to eye scans
- Emergency access procedures that document instructions and processes for gaining access to ePHI during a time of crisis
- Automatic logoff that terminates a user session after a certain period of inactivity
- Encryption to convert data into unreadable form and decryption to decode data back to its original form
These measures also ensure different people in different roles have different levels of access to data. For example, doctors may have access to everything, nurses may have access to 90% of a system and billing or insurance may have very limited access.
The benefits and challenges of HIPAA
As the healthcare sector has transitioned from paper files to digitizing healthcare information, HIPAA cybersecurity requirements have resulted in many benefits. Electronic health records (EHRs), in particular, have helped streamline administration and management, improve efficiencies and security of HIPAA protected health information and ensure patient privacy. At the same time, HIPAA has saved the healthcare industry billions of dollars annually.
On the other hand, the extensive provisions of HIPAA make it expensive to comply with, and many organizations don’t have the necessary budget to allocate to the effort. Another challenge is HIPAA’s age. HIPAA was first put in place over 20 years ago. A lot has changed — and continues to change rapidly — in healthcare and technology. For example, hospitals have become increasingly web connected, using automation to update electronic health records with real-time feeds from sensors and other medical systems. Advancements like this didn’t exist when HIPAA was written.
In response, HIPAA continues to evolve, which means healthcare providers and organizations must keep up to date on the latest HIPAA cybersecurity requirements to remain in compliance.
“The complexity of HIPAA makes compliance with the law difficult. Very few organizations are able to do it properly,” said Joe Giordano, Founding Director of Cybersecurity and Data Analytics at Touro College Illinois. “The best way to balance HIPAA compliance with protection is to do your due diligence. Create a secure network architecture, run tests and conduct assessments, continually monitor for threats, and develop and implement a sound response plan.”
Health providers and organizations are subject to heavy penalties if they’re not in HIPAA computer and technology compliance. This ranges from monetary fines to corrective actions.
While it is expensive to comply with HIPAA’s security measures, it can be more expensive not to. The impact of weak health cybersecurity is extremely costly. These recent cybersecurity issues and attacks in healthcare provide a cautionary tale for health providers and organizations.
Learn more about HIPAA protected health information with Touro’s healthcare cybersecurity certificate
Touro’s online certification program in healthcare cybersecurity arms you with advanced technical skills and knowledge for HIPAA technology and computer compliance. The six-course, 18-credit certification program curriculum combines hands-on, technical work with coursework that addresses policy, legal and ethical issues. Topics include:
- Healthcare cybersecurity policy and procedures
- What information is protected by HIPAA
- Health cybersecurity laws
- General Data Protection Regulation (GDPR)
- Data privacy and the protection of health cybersecurity networks
Two of the courses in the program are specifically designed around HIPAA, directly addressing the environment and technology in the medical field. For example, the online program course in HIPAA and Cybersecurity focuses on how healthcare information is kept safe by applying HIPAA privacy rules, security rules and technology safeguards.
Find out more about how Touro’s cybersecurity certificate in healthcare can prepare you for an exciting career in the technology and healthcare fields.
