HALOCK is deep in the regulatory compliance and security field, so we sometimes take for granted that words common to us, like “HIPAA,” are still not clearly understood. So let’s take a moment to lay out the basics of HIPAA.
The Health Insurance Portability and Accountability Act (“HIPAA”) is a U.S. federal law enacted in 1996, during Bill Clinton’s presidency, when the administration and Congress were trying to solve a number of problems with health care. One of those problems was the difficulty many people had keeping insurance coverage when they moved from one employer to another. The “Health Insurance Portability” portion is Title I of the law. It placed requirements on group health plans to accept new members who transferred in from previous plans, so that people who moved into new jobs would no longer discover that their new employer’s plan excluded “pre-existing conditions.”
Title II covers the “Administrative Simplification” of managing health records, and that is where the privacy and security requirements live.
The Privacy Rule
The Privacy Rule governs how covered entities (health plans, health care clearinghouses, and most health care providers) may use and disclose protected health information, commonly called “PHI.” It was meant to address the privacy of individuals who may not want their information shared with health researchers or with marketers of health products and services. After all, nobody wants to see their doctor about an embarrassing odor only to have their name appear on a “people who smell bad” mailing list. Providers and insurers may use PHI for treatment, payment, and health care operations without asking, but uses such as marketing require the patient’s written authorization. In other words, the Privacy Rule lets patients opt in to that kind of openness, and reminds care providers and insurers that for anything beyond routine care the default is no sharing.
The Security Rule
The Security Rule is the HIPAA requirement that HALOCK addresses most often with clients. It applies to PHI in electronic form (“ePHI”) and is a list of what the rule calls “implementation specifications,” or types of controls, grouped under administrative, physical, and technical safeguards. Each specification is marked either “required” or “addressable.” Required specifications must be implemented. For an addressable specification, the organization must assess whether it is a reasonable and appropriate safeguard in its environment; if it is, implement it, and if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. The specifications are stated generically on purpose: they are meant to be fodder for a risk assessment, not a checklist for an audit, and the Security Rule itself requires an accurate and thorough analysis of the risks to ePHI (45 CFR 164.308(a)(1)(ii)(A)). Assessing risk means that an organization needs to weigh the potential harm of a threat against the burden of the safeguards that would reduce it.
HIPAA is about Evaluating Risk
Organizations are expected to model the foreseeable risks related to each specification. For example, while evaluating the (addressable) specification for encryption of data at rest, you first ask what threats could compromise the data if encryption is not in place: a stolen laptop, a backup drive lost in transit, a privileged user reading records directly from a database. You then analyze the likelihood and impact of each of those threats. If the resulting risk is higher than the organization can accept, a safeguard is needed, and encryption is the obvious candidate, because with it in place the likelihood or impact of those threats can be analyzed as reasonably low. But the kind of encryption and where it should be applied need to be considered as well. Encrypting a laptop’s disk is cheap; encrypting every field in a legacy clinical database may break the application clinicians depend on. If the burden of encryption in a particular place, or over particular data, is too high, even too high relative to the organization’s mission or objectives, then that safeguard is not reasonable, and you will need to find another way to safeguard the data (tighter access controls and audit logging around the database, for instance). See how that works? It is a little more complicated than an audit, but the payoff can be huge.
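To make the balancing test concrete, here is a small worked example added to this post. It is not HALOCK’s risk method and it is not anything HIPAA prescribes. The 1-to-5 likelihood and impact scales, the acceptable-risk threshold of 6, the three threats and the three candidate safeguards are all constructed for illustration, and the rule that a safeguard’s burden must not exceed either the risk it removes or the risk the organization would accept anyway is an assumed formulation of the “burden of the safeguard versus harm” test described above.

```python
from dataclasses import dataclass, field

# Illustrative scales, assumed for this example (HIPAA prescribes no scale):
# likelihood and impact are scored 1 (low) to 5 (high); risk = likelihood x impact.
ACCEPTABLE_RISK = 6  # assumed: the organization tolerates a risk score of 6 or less


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 = rare .. 5 = expected
    impact: int      # 1 = negligible .. 5 = severe harm to patients or the mission

    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Safeguard:
    name: str
    burden: int  # cost and disruption to the mission, on the same 1..25 scale as risk
    # threat name -> (likelihood, impact) once the safeguard is in place;
    # threats not listed here are unaffected by this safeguard
    residual: dict[str, tuple[int, int]] = field(default_factory=dict)

    def residual_risk(self, threat: Threat) -> int:
        likelihood, impact = self.residual.get(
            threat.name, (threat.likelihood, threat.impact))
        return likelihood * impact


@dataclass(frozen=True)
class Verdict:
    appropriate: bool             # every threat's residual risk is acceptable
    reasonable: bool              # the burden is in balance with the risk it removes
    unaddressed: tuple[str, ...]  # threats whose residual risk is still too high


def evaluate(threats, safeguard, acceptable=ACCEPTABLE_RISK) -> Verdict:
    """Balancing test (assumed formulation): a safeguard is *appropriate* if it
    brings every threat's risk down to the acceptable level, and *reasonable* if
    its burden is no greater than the total risk it removes and no greater than
    the risk the organization would have accepted anyway."""
    unaddressed = tuple(t.name for t in threats
                        if safeguard.residual_risk(t) > acceptable)
    risk_removed = sum(t.risk() - safeguard.residual_risk(t) for t in threats)
    return Verdict(
        appropriate=not unaddressed,
        reasonable=safeguard.burden <= min(risk_removed, acceptable),
        unaddressed=unaddressed,
    )


# Constructed threat model for ePHI stored without encryption.
THREATS = (
    Threat("Laptop with patient records lost or stolen", likelihood=4, impact=4),  # 16
    Threat("Backup media lost in transit", likelihood=2, impact=5),                # 10
    Threat("Privileged user reads records from the production database", 3, 4),   # 12
)

# Encrypting laptops and backups is cheap, but does nothing about a privileged
# user who legitimately holds the keys: one threat stays above the threshold.
LAPTOP_AND_BACKUP_ENCRYPTION = Safeguard(
    "Full-disk encryption on laptops, encrypted backup media", burden=3,
    residual={THREATS[0].name: (4, 1), THREATS[1].name: (2, 1)})

# Field-level encryption everywhere drives every risk down, but breaks the
# legacy clinical application: a burden the mission cannot carry.
ENCRYPT_EVERYTHING = Safeguard(
    "Field-level encryption in every application and database", burden=12,
    residual={THREATS[0].name: (4, 1), THREATS[1].name: (2, 1), THREATS[2].name: (3, 1)})

# The alternative the post points to: encrypt where it is cheap, and use a
# different control (least privilege plus audit logging) where it is not.
BALANCED = Safeguard(
    "Laptop/backup encryption plus least-privilege DB access and audit logging", burden=5,
    residual={THREATS[0].name: (4, 1), THREATS[1].name: (2, 1), THREATS[2].name: (1, 4)})


def main() -> None:
    for safeguard in (LAPTOP_AND_BACKUP_ENCRYPTION, ENCRYPT_EVERYTHING, BALANCED):
        verdict = evaluate(THREATS, safeguard)
        print(f"{safeguard.name}\n  burden={safeguard.burden} "
              f"appropriate={verdict.appropriate} reasonable={verdict.reasonable} "
              f"unaddressed={list(verdict.unaddressed)}")


if __name__ == "__main__":
    main()
```

Running it shows the three outcomes the post describes: the cheap encryption is reasonable but not yet appropriate (the database threat is untouched), encrypting everything is appropriate but not reasonable, and only the third option, which swaps in a different safeguard where encryption is too burdensome, passes both halves of the test. The scores themselves are the least important part; what matters is that each decision is written down with the threat, the likelihood and impact, and the burden that justified it.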
How do I know what’s considered “reasonable and appropriate?”
This is the standard for compliance with the Security Rule, and it is not well understood. But a solid, defensible definition, one that technicians, business managers, clinicians, auditors, and attorneys can all understand, is possible and is a great tool to have in your tool chest. Reasonable and appropriate is different for each organization, but it generally requires demonstrating that safeguards are in balance with the risks they protect against: each safeguard brings the risk down to a level the organization can accept, and its burden is not greater than the harm it prevents. Tip: HALOCK helps organizations define what reasonable and appropriate means for their organization.
HIPAA remains a mystery to much of the public, even though it is probably the most discussed security requirement. Keeping in mind that HIPAA’s Security Rule focuses on balancing risk against the burden of safeguards is a critical point of leverage as you move from being a HIPAA newbie to an expert.