HIPAA Basics and The Role of DLP in Meeting Compliance

Health-related data is moving more and more from paper to electronic records, determining changes in how healthcare organizations or other industries processing healthcare records are managing and protecting their data today. Businesses that are involved in any way with the use or management of PHI (personal health information) of individuals, need to ensure that they secure their sensitive data against loss or leakage, by following security guidelines, like HIPAA, in order to avoid penalties.

What is HIPAA

Health Insurance Portability and Accountability Act of 1996, HIPAA, provides data privacy and security measures for protecting medical information. The legislation is designed to protect the ePHI (electronic protected health information) of individuals, like Social Security Numbers, medical ID numbers, credit card numbers, drivers’ license numbers, home address, telephone numbers, medical records, and other critical data.
In 2009, the legislation was updated with HITECH (Health Information Technology for Economic and Clinical Health), that brings additional compliance standards to businesses linked to healthcare.

What organizations are affected by HIPAA

The organizations affected by HIPAA are those that create, store, process, transmit or touch protected health information of individuals.
This legislation does not only apply to healthcare companies, but also to businesses that are associated with them, like attorney firms, IT companies, accounting firms, billing companies, health insurance companies, community health management information systems, etc.

Read our Case Study on a healthcare provider that managed to meet the strict HIPAA laws for protecting patient data with Endpoint Protector DLP.

The HIPAA key points

The three rules of HIPAA: Privacy, Security, and Breach Notification are meant to protect the privacy and security of health information and provide individuals with certain rights to their health records.

According to cms.gov:

The Privacy Rule

It sets national standards for when protected health information (PHI) may be used and disclosed.
PHI includes information related to:

• The individual’s past, present, or future physical or mental health or condition
• The provision of healthcare to the individual
• The past, present or future payment for the provision of healthcare to the individual
• PHI includes many common identifiers, such as name, address, birth date, and Social Security number.

The Security Rule

It specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Covered entities must:

• Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit
• Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
• Protect against reasonably anticipated, impermissible uses or disclosures
• Ensure compliance by their workforce

The Breach Notification Rule

It requires covered entities to notify affected individuals, U.S. Department of Health & Human Services (HHS), and in some cases, the media of a breach of unsecured PHI.
Most notifications must be provided no later than 60 days after the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually.

Data Breaches and Penalties

A recent study shows that 2016 was the year with the all-time highest number of HIPAA violation cases, since 2009. The most causes of the data breaches were bad security policies or the lack of interest in data security issues. Phishing e-mails, credit card data breach, stolen laptops, patient data leakage, etc., are just a few examples of last year’s main causes of data breaches in healthcare.
Penalties for HIPAA non-compliance can reach from $50K to $1.5 million per year.

How DLP helps meeting HIPAA compliance

In the healthcare industry, it’s absolutely necessary to ensure that the information is secured and it can only be accessed on a “need to know” basis. Healthcare and personal records mustn’t leave the health provider’s or associated companies’ premises unless it is encrypted or transmitted to secure, authorized channels. Data Loss Prevention solutions are a big help in that direction.

DLP allows organizations to monitor and control data movement. It can scan documents before they are being transferred and block them in case they contain sensitive information, such as Health Insurance Numbers, Social Security Numbers, Addresses, etc.
With a DLP solution, IT Administrators can detect and prevent users from sending e-mails that could contain PHI, detect and prevent from copying PHI on portable storage devices, get reports with detected incidents, and many other actions.

Here’s a breakdown of policies performed by Endpoint Protector DLP with regards to healthcare sensitive data:

• Tracking and blocking of transfers of documents containing FDA recognized drugs, pharmaceutical firms, ICD-10 and ICD-9 codes and diagnosis lexicon
• Monitoring and blocking transfers of information containing Personally Identifiable Information: e-mail, address, phone number, Social Security Number (SSN), driver license, tax ID, passport number, and others
• Detecting and blocking HIPAA protected information in e-mail body (Outlook, Mozilla Thunderbird, IBM Lotus Notes) and attachment (Outlook, Mozilla Thunderbird, IBM Lotus, Windows Live Mail, Opera Mail, and other e-mail clients)
• Scanning documents and content for specific healthcare keywords added by IT Administrators in dictionaries and stopping transfers in case confidential data is found
• Using report-only policies to monitor users’ activity related to data transfers and restrict transfers based on discovered information
• Creating whitelists based on file, file location, network share, e-mail domain and URL name so employees can conduct their daily tasks without interruptions
• Including in HIPAA policies other exit channels besides e-mail such as: web-browsers, cloud file sharing, instant messaging, social media, portable storage devices, network shares, copy/paste, printers or print screens

Besides Data Loss Prevention solutions, organizations in the healthcare industry, but not limited to this, must have a layered protection, using multiple security tools, starting from antivirus software, firewalls, to encryption, Mobile Device Management, and others. Above all these, periodical risk assessments and audits (preferably with external auditors) must be performed, not only to assess the level of compliance, but also the efficiency of implemented security solutions.