Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA) is a law within the United States that protects individuals’ privacy rights in relation to their sensitive health data. This law is enforced by regulating how organizations within the healthcare industry store and transmit patient data and information. The primary HIPAA regulation that governs this function is known as the Privacy Rule. This rule provides guidance on the proper storage, transmission and disclosure of what is known as Protected Health Information (PHI) for individuals. This law attempts to limit the disclosure of individuals’ PHI to only those who have a ‘need to know’. HIPAA guidelines provide an extensive framework for healthcare professionals to follow when dealing with patient PHI. These guidelines are strictly enforced and failure to comply with HIPAA can result in penalization to a healthcare organization or professional. (U.S. Center for Disease Control).
HIPAA and Data Security
The burden of responsibility for the privacy of individuals’ PHI falls on the healthcare organization. HIPAA sets the standard for what types of information must be protected and to what extent. From here healthcare organizations must develop the proper security infrastructure to comply with HIPAA guidelines. This means that various types of security controls must be deployed to protect PHI at each level of the organization. This includes technical controls for electronic data, operational controls for daily handling of PHI, physical security controls for safeguarding documents and administrative controls for training staff.
HIPAA and Cyber Crime
Over the years much of the modern world has adopted technological solutions to perform daily operations such as accounting, billing, document storage, etc. This has lead to a transition of digital storage and transmission of data to be the primary method for information sharing. This applies to the healthcare industry as much as any other which means that HIPAA and cyber incidents are inextricably related. Individuals’ Protected Health Information (PHI) and other sensitive data is a valuable resource for cyber criminals who can sell this information or use it for nefarious purposes such as identity theft.
The healthcare industry serves as a large repository for PHI and other sensitive information which makes it one of the most targeted industries for cyber criminals. (American Institute of Healthcare Compliance). Reports indicate that there have been around 4,000 cyber attacks directed at healthcare organizations. Many of these attacks have used ransomware and other forms of malware. HIPAA compliance measures are designed to prevent these types of data breaches from occurring and to mitigate the damage when an attack occurs. (U.S. Department of Health & Human Services). HIPAA requires organizations to develop a robust security structure with layered control mechanisms designed to detect, deter and prevent cyber intrusions.