Cybersecurity in Healthcare Laws and Regulations

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that applies to covered entities and business associates. HIPAA consists of the Privacy Rule, the Security Rule and the Breach Notification Rule. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards.

Examples of covered entities include physician practices, ambulatory surgical centers, hospitals, long-term care facilities, health plans and healthcare clearinghouses, among others. Business associates perform functions or services on behalf of covered entities and may create, receive, transmit, or maintain protected health information on the covered entity's behalf. Examples of business associates include accountants, attorneys, cloud service providers, document storage companies and third-party billing services, among others.

The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, sets forth the permitted and required uses and disclosures of protected health information. Protected health information may exist in any form, including on paper, on film and in electronic form, and is a form of individually identifiable health information.

The HIPAA Security Rule, 45 CFR Part 160 and Part 164, Subparts A and C, sets forth requirements for electronic protected health information: covered entities and their business associates must maintain the confidentiality, integrity and availability of electronic protected health information.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • The extent to which the risk to the protected health information has been mitigated
  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the protected health information or to whom the disclosure was made
  • Whether the protected health information was actually acquired or viewed

Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of breach:

  1. The covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
  2. The inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or at an organized healthcare arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  3. The unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.

Like a covered entity, a business associate is also directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule. Additionally, covered entities must establish business associate agreements with their business associates.

A business associate agreement is a written contract between a covered entity and a business associate which must address the following:

  1. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract
  2. Establish the permitted and required uses and disclosures of protected health information by the business associate
  3. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law
  4. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information
  5. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information
  6. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings
  7. Require the business associate to comply with the requirements applicable to the obligation, to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule
  8. Require the business associate to make available to HHS its internal practices, books and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule
  9. Require, at termination of contract if feasible, the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity
  10. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.

HIPAA is enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). OCR has the authority to interpret and enforce HIPAA. Accordingly, it is best for covered entities and business associates to keep up with guidance from OCR as it relates to the interpretation and enforcement of HIPAA.

More articles by Malik Rashid Ahmad