Enterprise IT security news and advice

HIPAA Privacy Rules

First enacted in 2002, the HIPAA Privacy Rule protects patient confidentiality. Also known as the “Standards for Privacy of Individually Identifiable Health Information”, the rule maintains the integrity of information whilst still allowing its transfer to other parties when necessary.

Any party that is considered to be a “covered entity” (CE), such as health insurers or healthcare providers, along with their business associates, must abide by HIPAA. This is to ensure that any party that comes across a patient’s Protected Health Information (PHI) does their utmost to maintain its privacy.

The HIPAA Privacy Rule covers names, addresses, social security numbers etc. as well as registration plate numbers and card information. It even protects electronically-stored examples of patient handwriting. This is to ensure that third parties such as health insurers also have a duty to protect patient data. Any images or video footage from which the patient could be easily identified is also protected.

The “Minimum Information Necessary” Requirement

As well as stipulating the nature of the data to be protected, the Privacy Rule also dictates how the information is to be used and disclosed. Information may be disclosed if it is necessary for treatment or payment of healthcare bills. However, any other information regarding the patient’s medical history can only be disclosed if it is required by law, is in the patient’s interest or if the receiving body is a CE.

Nevertheless, whenever information is transferred, it must be the minimum amount of information necessary for adequate treatment or action. Any non-routine requests for information must be dealt with individually, regardless of whether or not a patient has given prior consent. This does not apply when a complete medical history is required by a healthcare provider.

Privacy Breaches

Mobile phones are now ubiquitous, so it is perhaps unsurprising that their use is one of the major threats to PHI security. Bring Your Own Device (BYOD) policies mean that if a personal device is stolen, a HIPAA violation has occurred. The Health Information Trust Alliance estimates that around 41% of HIPAA violations are caused by such thefts.

Moreover, PHI has value for those of criminal intent. Details from the data may be used in phishing scams, where unsuspecting victims may be instructed to download malicious software. Such software may include surveillance malware, which records any usernames and passwords the victim types.

Preventing Breaches

CEs and their associates can install secure messaging systems on portable devices and computers to ensure that any PHI they carry is safe. These apps usually have built-in safety mechanisms that prevent patient data from being transmitted outside the CE’s private network. This also means that messages cannot be saved to an external hard drive.

Additionally, private messages may have a “lifespan”, meaning they are deleted after a certain period of time.

Any secure messaging service employed by CEs and their associates must comply with both the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act. This means that messages must be encrypted, so that even if they are somehow intercepted over public Wi-Fi they cannot be read.

When a user requests a website, the request must first pass through a web filter. This checks a number of parameters of the request and grants access only if there are no red flags. System administrators maintain a “blacklist” of known dangerous websites; if a user requests one of those websites, access is denied. This helps to prevent the unauthorised exposure of PHI.
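As an added illustration of the blacklist check described above (example code, not from the original article or any product): each request is reduced to its hostname and denied if that host or any parent domain is listed, and every decision is returned as an audit record. The blocklist entries and sample requests are constructed for the example; a real deployment would load the list from a maintained feed.

```python
from urllib.parse import urlsplit

# Constructed blocklist for the example: bare hostnames, lower-case, no scheme.
BLOCKLIST = {"bad.example", "phish.example.net"}


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, ignoring scheme, port, path and query."""
    # urlsplit needs a scheme or '//' prefix to recognise the host part.
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the host, or any parent domain of it, appears on the blocklist.

    Matching whole domain labels rather than substrings means that 'bad.example'
    blocks 'cdn.bad.example' but does NOT block the unrelated 'notbad.example'.
    """
    labels = host_of(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_request(user: str, url: str, blocklist=BLOCKLIST) -> dict:
    """Decide one request and return the record an administrator would log."""
    decision = "DENY" if is_blocked(url, blocklist) else "ALLOW"
    return {"user": user, "host": host_of(url), "decision": decision}


if __name__ == "__main__":
    # Constructed sample requests, including a port, upper-case host and a lookalike domain.
    for user, url in [
        ("alice", "https://cdn.bad.example/login"),
        ("bob", "http://PHISH.example.net:8080/reset?id=1"),
        ("carol", "https://notbad.example/"),
        ("dave", "https://portal.hospital.example.org/records"),
    ]:
        print(filter_request(user, url))
```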