Every industry has a set of compliance standards to live up to, and many of these include cybersecurity components. Retail businesses maintain PCI DSS compliance; electric systems maintain NERC compliance, and so on. Generally, HIPAA applies to hospitals and other healthcare institutions. But as a recent HIPAA settlement at a university has proven, you may need to think about HIPAA compliance even if you don’t work in healthcare.
Some Background: Rules of HIPAA
HIPAA, the Health Insurance Portability and Accountability Act, is meant to protect patient data. It puts in place standards for physical, network, and process security. Included are two important rules:
The HIPAA Privacy rule, according to HHS.gov, “establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information…”
The HIPAA Security rule, again according to HHS.gov, “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Note that both rules explicitly address electronic health information—this means that, if HIPAA applies to your business, you must have an effective cybersecurity system in place. Otherwise, a cyber attack will leave you liable for any loss or exfiltration of private health information.
Penalties for Violations
There are tiers for civil penalties for HIPAA violations based on whether the organization in question knew about the violations and whether the violations, upon investigation, were corrected within a required time period (usually 30 days). The tiers are:
- Unknowing: Minimum penalty of $100 per violation
- Reasonable Cause: Minimum penalty of $1000 per violation
- Willful neglect but violation is corrected: Minimum penalty of $10,000 per violation
- Willful neglect and violation is not corrected: Minimum penalty of $50,000 per violation
Furthermore, the maximum penalty for each tier is $50,000 per violation.
Who Else HIPAA Applies To
It’s not just hospitals that handle healthcare information. Recently, the University of Massachusetts in Amherst was hit with a $650,000 HIPAA settlement. This was the result of an investigation into a small 2013 breach, when the campus’s speech and language center suffered a malware infection. The electronic protected health information of 1,670 individuals was impermissibly disclosed. The stolen information included Social Security numbers, health insurance information, and more.
The US Department of Health and Human Services’ Office for Civil Rights (OCR) stated that this happened because UMass did not have a firewall in place, and furthermore “did not conduct an accurate and thorough risk analysis until September 2015.”
UMass Amherst qualifies as a “hybrid entity” under HIPAA regulations. This term applies to organizations made up of both HIPAA-covered and non-HIPAA-covered components.
What’s particularly interesting is that, while UMass Amherst correctly identified its University Health Services as being HIPAA-covered, it is less obvious that the speech and language center would also be HIPAA-covered.
As always, information is everything. If you’re unsure whether HIPAA applies to your organization, read up on it. You can check out more information on different types of compliance here.