An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
HIPAA compliance questions come up a fair amount on Experts Exchange. And while I am not yet an expert in HIPAA, I do know customer data privacy regulations for banking/finance and retail e-commerce. This article just covers the basics of what you (web developer, IT/network admin, or project consultant) need to be aware of with regard to HIPAA and your sphere of influence.
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It covers three main areas: privacy, security, and electronic data exchange of protected health information (PHI).
Privacy Rule - Effective as of April 14, 2003
Refers to the protection of an individual's healthcare data, defines how patient information may be used and disclosed, and outlines ways to safeguard Protected Health Information. It also gives patients privacy rights and more control over their health information.
Security Rule - Effective as of April 21, 2005
Security means controlling the confidentiality of ePHI (electronic protected health information), the storage of ePHI, and access to electronic information.
Electronic Data Exchange
Defines the transfer format of electronic information (e.g., coding, billing, insurance verification) between providers and payers to carry out financial or administrative activities related to healthcare.
HIPAA provides a framework for the establishment of nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for electronic transmission of health information. In addition to federal laws regarding health data privacy, each US state also has its own rules regarding the acquisition, retrieval, storage, and disposal of medical records. For more information about the HIPAA Privacy Rule, see https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/ which outlines ways to prevent accidental and intentional misuse of PHI.
PHI includes information in the health record such as visit documentation, lab results, appointment dates/times, or invoices. It also includes any information by which the identity of the patient can be determined with reasonable accuracy and speed, either directly or by reference to other publicly available information.
Examples of patient identifiers:
names, medical record numbers, social security numbers, account numbers, license/certification numbers, vehicle identifiers/serial numbers/license plate numbers, IP addresses, URLs, any dates related to the individual (e.g., birth date), telephone numbers, fax numbers, email addresses, biometric identifiers (e.g., fingerprints, voice prints)
Compliance is not optional; it's required. What's at risk? Penalties and sanctions on you and/or your organization, financial loss, and damage to your reputation in the industry.
HIPAA regulations require that patient PHI be protected in all media, including but not limited to PHI created, stored, or transmitted in or on the following: verbal discussions (phone or in person), paper (charts, progress notes, forms, prescriptions, x-ray orders, referral forms, etc.), computer applications and systems (e.g., electronic health records, practice management, lab and x-ray), and computer hardware (e.g., PCs, laptops, pagers, fax machines, servers, cell phones).
The US Department of Health and Human Services (HHS) is responsible for developing and enforcing the rules and regulations regarding HIPAA and HITECH. While there are no governing bodies concerning HIPAA hosting requirements, many providers use a best-practices approach to hosting, storing, and retrieving patient data. The rules and regulations don't specify how an entity should implement the methods for data security and protection. The burden of proof falls on the entity being audited, and which entity could get fined depends on where along the chain of custody the breach happened.
For example, let's say a doctor's office has downloadable forms on its website. The forms aren't breaking any HIPAA compliance rules, since there's no exchange of protected health information. However, if patients send in their completed forms by fax or email rather than through a secured hosted environment, the physician may be culpable. If the forms are completed and submitted online through an unsecured website, the hosting provider, the physician, or the entities responsible for building the website may be liable. While a patient bringing the completed forms into the doctor's office might be the safest way of exchanging PHI, the physician is still responsible for storage of the PHI forms. Also, if you are providing secure email hosting and/or storage, you may be liable if a breach occurs and PHI security is compromised by malware, negligence, or other causes. From OCR's press releases, most of the settlement fines read as though the entities audited are the healthcare provider institutions (and not the individual physicians).
The Federal Government protects PHI through HIPAA regulations:
- Up to $1,500,000 per year for identical types of violations.
- $50,000 fine and 1 year in prison for knowingly obtaining and wrongfully sharing information.
- $100,000 fine and 5 years in prison for obtaining and disclosing through false pretenses.
- $250,000 fine and 10 years in prison for obtaining and disclosing for commercial advantage, personal gain, or malicious harm.
Here are some settlement examples from the Office for Civil Rights (OCR):
- November 22, 2016 - UMass settles potential HIPAA violations following malware infection for $650,000 with a corrective action plan
- October 17, 2016 - St. Joseph Health pays a $2.14 million settlement with a comprehensive corrective action plan after files containing protected health information (PHI) were publicly accessible through internet search engines from 2011 until 2012
- August 4, 2016 - Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI)
- July 21, 2016 - $2.75 million settlement with the University of Mississippi Medical Center for a breach of unsecured electronic protected health information (ePHI) affecting approximately 10,000 individuals
- And the list goes on; see more at https://www.hhs.gov/ocr/newsroom/index.html
HIPAA Certified Training
Healthcare providers are the ones that endorse whether or not a training course is HIPAA certified, not the federal government. The HHS does not recognize any institution or program as a certifying authority.
As for using WordPress as the foundation of a HIPAA-compliant website, it's not recommended, mostly due to the flexible nature of WordPress itself. There is only one plug-in that matches the HIPAA keyword in the WordPress plugin directory, Jituzu Tools for online scheduling of clients and patients: https://wordpress.org/plugins/tags/hipaa
For further reading on HIPAA:
HIPAA HITECH Act
HIPAA Compliance Checklist
HIPAA Compliance Checklist For Small Medical Practices
The Seven Fundamental Elements of an Effective Compliance Program
The Full List of HIPAA Compliant Hosting Providers
HHS Guidance on Cloud Computing
Free Security Risk Assessment Tool
And here are a couple of examples of healthcare providers and their approach to dealing with HIPAA:
Johns Hopkins Medicine
Fred Hutchinson Cancer Research Center
If you work within or in support of the healthcare industry, it is everyone's responsibility to ensure the security and privacy of protected health information (PHI).
p.s. This is my first article. If you like it, give it a vote.