The CISO's Guide to HIPAA’s Information Protection Requirements


HIPAA is implemented through several regulations, including the Privacy, Security, and Breach Notification Rules. In addition to these Rules, organizations need to follow recent enforcement actions and case law to understand how HIPAA's information protection requirements are interpreted today.

The Office for Civil Rights (OCR) in the Department of Health and Human Services enforces HIPAA compliance and investigates reported violations. From April 2003 to March 2021, OCR processed and resolved more than 256,086 cases. A total of 28,752 of those required corrective action plans. In addition, the average total dollar amount from settled cases and civil monetary penalties was $1,366,651.

Here are three enforcement actions that illustrate how OCR interprets HIPAA compliance in practice.

Understanding HIPAA, Enforcement Action 1: An HMO Revisits Process to Obtain Valid Authorizations of Information Release

Source: Case #25

Summary: The form the HMO relied on to make protected health information (PHI) disclosures was not a valid authorization under the Privacy Rule.

Corrective Action: The HMO created a new information disclosure authorization form that met HIPAA requirements and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own authorization form.

HIPAA Interpretation: Information disclosures that are not explicitly consented to in writing by a valid HIPAA-compliant authorization form are inappropriate disclosures.

Understanding HIPAA, Enforcement Action 2: Large Medicaid Plan Corrects Vulnerability that Resulted in Disclosure

Source: Case #14

Summary: A municipal social service agency inappropriately disclosed PHI while processing Medicaid applications.

Corrective Action: Several corrective actions were required, including only disclosing PHI to authorized recipients or system components.

HIPAA Interpretation: A system by itself cannot be "HIPAA compliant"; only the behavior of a system and the staff operating it can comply with HIPAA. Even unintended or accidental PHI disclosures may result in enforcement action.

Understanding HIPAA, Enforcement Action 3: Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety

Source: Case #22

Summary: A hospital released information about an unusual sporting accident to local media, including an x-ray of the injury and the time and location of the accident, in an effort to deter similar accidents.

Corrective Action: The disclosures did not meet the Privacy Rule's standard for such actions. The investigation also indicated that the disclosures did not satisfy the Rule's de-identification standard and therefore were not permissible without the individual's authorization. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to severe threats to health and safety and train all hospital staff members on the new policy.

HIPAA Interpretation: Intentions are irrelevant to PHI disclosures. All disclosure actions (intended or not) must abide by HIPAA Privacy Rule requirements.

Cybersecurity Insurance Is Not Protection

Underwriters of cybersecurity insurance almost always carve out exclusions for willful neglect or corporate negligence: cases where you knew you could have implemented a mitigation or control and chose instead to accept the risk.

As a result of increased cybercriminal activity, premiums for directly impacted verticals such as healthcare are also rising.

Finally, cybersecurity insurance does not prevent your company from ending up as a headline on national news and causing irreparable damage to your reputation.

An Ounce of Prevention is Worth a Pound of Cure

Proven data security techniques exist today to protect data from unauthorized and unintended use and disclosures. Peacemakr's End-to-End Encryption gives you the controls needed to enforce access and reduce the likelihood of it escalating to a reportable data breach when a security event does occur. Peacemakr ensures data is protected, even if it falls into the wrong hands.

Cost-of-Risk vs. Cost-of-Mitigation

In 2015, fewer cyberattacks were successful than today. Building E2E encryption into a product would have required an expert team and cost about $4M and two years to build, which was not a financially viable way to encrypt PHI.

Today, cybercriminal activity is on the rise, especially in healthcare. The cost of building E2E encryption has plummeted, with Peacemakr E2E-Encryption-as-a-Service starting at $499. While the exact figure depends on how many health records are at risk, the economics are tipping the scale towards "an ounce of prevention" as the only economically viable approach today. For example:

Number of Records containing PHI: 1,000,000

Average Cost per HIPAA Enforcement Fine: $1,300,000

Approximate risk of HIPAA non-compliant security event per year: 0.1%

Average Cost per data breach per record: $150

Amortized Cost of risk per year:

(0.001 * 1,300,000) + (0.001 * 1,000,000 * 150) = $151,300 / year

Amortized cost of mitigation per year: $6,000 / year ($499 / month )

Summary: It's economically viable and prudent to spend $6,000 / year on healthcare information protection mechanisms as long as you have at least 32,000 healthcare records within your system, or $60,000 / year if you have 320,000 records.
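The expected-loss arithmetic above is one instance of a general break-even model. The following is an added example, not code from the original article or from Peacemakr: it parameterizes the same inputs (record count, annual event probability, enforcement fine, per-record breach cost, annual mitigation cost) and solves the break-even record count in general rather than for the single case shown. All names are this example's own, and the figures are the article's.

```python
"""Expected-annual-loss model for the cost-of-risk vs. cost-of-mitigation comparison.

Added example, not from the original article. It generalizes the calculation
shown above: annual cost of risk = p * fine + p * records * cost_per_record,
compared against a fixed annual mitigation cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskInputs:
    records: int               # number of records containing PHI
    annual_probability: float  # probability of a non-compliant security event per year
    enforcement_fine: float    # average HIPAA enforcement fine, USD
    cost_per_record: float     # average breach cost per exposed record, USD
    mitigation_cost: float     # annual cost of the control being evaluated, USD


def expected_annual_loss(r: RiskInputs) -> float:
    """Amortized cost of risk per year: p * (fine + records * cost_per_record)."""
    return r.annual_probability * (r.enforcement_fine + r.records * r.cost_per_record)


def break_even_records(r: RiskInputs) -> float:
    """Solve p*F + p*N*C = M for N, the record count at which the expected
    annual loss equals the mitigation cost: N = (M - p*F) / (p*C).

    Returns 0.0 when the expected fine alone already exceeds the mitigation
    cost, i.e. mitigation is justified regardless of record count.
    """
    expected_fine = r.annual_probability * r.enforcement_fine
    if expected_fine >= r.mitigation_cost:
        return 0.0
    return (r.mitigation_cost - expected_fine) / (r.annual_probability * r.cost_per_record)


def mitigation_is_justified(r: RiskInputs) -> bool:
    """True when the expected annual loss is at least the annual mitigation cost."""
    return expected_annual_loss(r) >= r.mitigation_cost


# The article's worked case: 1,000,000 PHI records, $1.3M average fine,
# 0.1% annual event probability, $150 per record, $6,000/year mitigation.
ARTICLE_CASE = RiskInputs(
    records=1_000_000,
    annual_probability=0.001,
    enforcement_fine=1_300_000,
    cost_per_record=150,
    mitigation_cost=6_000,
)

if __name__ == "__main__":
    print(f"Expected annual loss: ${expected_annual_loss(ARTICLE_CASE):,.0f}")
    print(f"Break-even record count: {break_even_records(ARTICLE_CASE):,.0f}")
    print(f"Mitigation justified: {mitigation_is_justified(ARTICLE_CASE)}")
```

For the article's inputs the model returns an expected annual loss of $151,300 and a break-even of roughly 31,300 records, consistent with the ~32,000 figure given above. Because the enforcement-fine term does not scale with record count, the break-even is dominated by the per-record term once the fleet of records is large, which is why the model favors a fixed-cost control as record counts grow.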

How Peacemakr Optimizes ROI for HIPAA Information Protection Compliance

Peacemakr is a drop-in solution for the encryption requirements of HIPAA information protection and takes no more than a couple of hours to integrate. Unlike most technology vendors, Peacemakr provides a BAA without requiring a particular pricing tier, and the technology integrates into your tech stack through open-source SDKs, so there are no go-to-market (GTM) delays.

At the $499/month tier, professional data security engineers are on standby to care for all your HIPAA information protection encryption needs, so you and your teams can focus on your business.

Ready to protect your data?

Learn the most common data protection opportunities and how Peacemakr works with your infrastructure and products to stop data breaches.