Thursday, December 31, 2009

Implications of HIPAA Legislation for Business

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has various implications for the field of business continuity. Although the act most directly affects healthcare organizations, most employers must also navigate its highly complex regulations in pursuit of compliance. Health care reform, specifically portability of health insurance and the accompanying patient information, was the catalyst for the bill. Patient privacy and the security of electronic records have proven the most direct and significant challenge for the business continuity profession.




Health care reform advocates during the mid-1990s expressed concern over the large number of uninsured employees and the lack of coverage for certain medical conditions. Before HIPAA, if an employee changed jobs, the insurer at the new employer was not required to cover pre-existing conditions or health issues that existed before the employee took the new job. The gaps in coverage for chronic medical conditions created severe hardships for the working poor. Congress passed HIPAA to address portability of health insurance and, at the same time, added administrative simplification requirements intended to improve the efficiency of the existing system, which improved the legislation's chances of success. HIPAA has far-reaching implications for disparate functions of many organizations. Its provisions affect healthcare organizations, federal and state agencies, private health plans, healthcare providers, and other companies that store or process healthcare data.



Concerns over the electronic storage of confidential medical records prompted Congress to add security provisions to the HIPAA legislation. The United States Department of Health and Human Services (HHS) proposed the Security Rule in 1998; it requires covered organizations to protect the confidentiality, integrity, and availability of electronic medical records. Organizations storing healthcare data are responsible for implementing security safeguards for medical records stored and transmitted electronically.



To ensure compliance, HHS requires an internal control structure over information systems consisting of administrative, physical, and technical safeguards. Organizations must also perform a risk analysis that identifies threats and key vulnerabilities to the integrity and security of medical data, and must ensure that an adequate disaster recovery plan is in place. Organizations must also provide adequate safeguards against unauthorized access to and use of medical records. Finally, organizations must establish compliance training programs for their staff. Business continuity and disaster recovery professionals are uniquely qualified to assist with the development, maintenance and testing of HIPAA compliance programs related to the privacy and security rules.



Recognizing the potential for loss of confidential information, Congress incorporated privacy provisions for individuals into HIPAA. HHS issued the final Privacy Rule in 2000, modified it in 2002, and required compliance by 2003 (2004 for small health plans). The regulation covers individually identifiable health information, including past, present and future physical and mental health records and any personal information that would identify the patient or employee, including Social Security numbers. The Privacy Rule defines the situations in which medical information may be accessed within the organization or released to third parties. Outside of treatment, payment and healthcare operations, patients must sign an authorization form detailing who will use the information and how it will be used before healthcare organizations may release it.



The consequences of HIPAA non-compliance can be substantial: civil money penalties (increased by the HITECH Act in 2009), civil litigation, and, for knowing violations, criminal fines of up to $250,000 and prison terms of up to ten years where the offense is committed for commercial advantage, personal gain or malicious harm. However, organizations should be more concerned about other losses that are difficult to calculate, such as erosion of patient trust if confidentiality or security breaches occur. Some organizations, especially healthcare organizations, rely on trust as the driver for brand equity with patients or customers. Damage to brand equity, although sometimes difficult to measure, is another possible side effect of privacy or security failures.



An organization developing a HIPAA privacy and security program should first develop a policy defining the scope, objectives and roles of all participants in the program. Executive management participation and sponsorship are vital to the success of the program and should be defined explicitly in the policy. Management should write the policy for its users so that they understand, and are accountable for, the responsibilities it assigns them.



Organizations developing or maintaining a HIPAA-compliant information technology security program should next perform a risk assessment, consistent with business continuity practice, to determine areas of vulnerability. Demands for access to information from a variety of sources, including patients, doctors, healthcare providers and employees, have created the need for a holistic data security strategy that can be adapted easily as new technologies emerge. The threat to the organization may come from unauthorized access originating inside or outside the organization. The risk is use of medical records by unapproved users, possibly resulting in fines, civil litigation, or negative publicity.



When performing a risk assessment for HIPAA compliance with privacy and security rules, the organization should identify the confidential records included in the population. Next, specific threats to the assets should be identified and, finally, the probability of the threats occurring should be evaluated. Management should also perform a cost-benefit analysis based on the information derived from the risk assessment and make decisions on risk mitigation strategies.



An appropriate set of internal controls is part of the risk mitigation strategy that results from the risk assessment process. Generally accepted standards for implementing internal controls over the information systems surrounding HIPAA data include the following:



Access controls - Personnel may access a system only with authorized privileges, and only to the data their role requires.

Integrity - Health data may be revised only by users who have been granted that access by system administrators.

Privacy controls - Protection from intentional or unintentional disclosure of medical information.

Accountability - Information systems keep an audit trail of users' activity within the system, including denied attempts.

Authentication - Users are properly identified, at a minimum through a user ID and password; a stronger mechanism should be used where the risk assessment warrants it.



Information technology management, in cooperation with the internal audit department, should identify gaps between controls that are in place and controls that should be in place. Management should then develop action plans to address internal control gaps.



The strategy for information technology security has recently shifted from perimeter-based strategies toward strategies that assume intrusion from inside. In the past, data security professionals focused on building robust protection against external attack while assuming that, once users were authenticated inside the network, they were within the “circle of trust”. Research by the Federal Bureau of Investigation indicates otherwise, attributing about 50% of attacks to sources within the organization.



An additional challenge is the increased use of wireless devices, which can connect to the network from virtually anywhere, at any time, with a variety of devices. Sophisticated attackers have blurred the definition of what is actually inside or outside the network. An attacker can set up a rogue wireless access point with a decoy login page, lure users into connecting and logging in, and then capture the passwords needed to reach the user's computer and the corporate network.



Best practices for security professionals include a variety of measures that can be taken to secure the inner network. The data security department should define user groups and the relationships between them, enforce the defined roles, and perform regular audits to ensure that compliance is maintained. As business operations change, the data security department should re-evaluate the defined security roles and relationships.
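The controls listed earlier (access controls, accountability, authentication) and the practice just described of defining roles, enforcing them and auditing them regularly can be made concrete in code. The following is an added example, not part of the original post and not any vendor's product: a minimal Python role-based access control layer for protected health information that records every allow and deny decision in an audit trail, plus an entitlement audit that compares a system's actual grants against the defined roles. All role names, permission names, accounts and grants are constructed for the example.

```python
"""RBAC enforcement with an audit trail and a periodic entitlement audit over PHI.
Illustrative example only; the roles, users and grants are constructed, not real."""
from datetime import datetime, timezone
from typing import Dict, List, Set

# Hypothetical role definitions. Each role gets only the actions its job needs
# ("minimum necessary"): billing sees demographics but never clinical notes, and
# administrators manage accounts but do not read records.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read:clinical", "write:clinical", "read:demographics"},
    "nurse": {"read:clinical", "write:clinical", "read:demographics"},
    "billing": {"read:demographics"},
    "sysadmin": {"manage:accounts"},
}


def effective_permissions(user_roles: Dict[str, Set[str]], user: str) -> Set[str]:
    """Union of the permissions of the user's roles; an unknown account gets none."""
    perms: Set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


class PhiAccessControl:
    """Enforces the defined roles and records every decision, allowed or denied."""

    def __init__(self, user_roles: Dict[str, Set[str]]):
        self.user_roles = user_roles
        self.audit_log: List[Dict[str, str]] = []

    def authorize(self, user: str, action: str, record_id: str) -> bool:
        """Decide, then log. Denials are logged as well: a run of denials from one
        account is the inside-intrusion signal the audit trail exists to surface."""
        allowed = action in effective_permissions(self.user_roles, user)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "record": record_id,
            "outcome": "allow" if allowed else "deny",
        })
        return allowed

    def denials_by_user(self) -> Dict[str, int]:
        """Summary for the security department's regular review of the trail."""
        counts: Dict[str, int] = {}
        for event in self.audit_log:
            if event["outcome"] == "deny":
                counts[event["user"]] = counts.get(event["user"], 0) + 1
        return counts


def find_excess_grants(user_roles: Dict[str, Set[str]],
                       actual_grants: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Entitlement audit: compare the grants actually configured on a system (as
    exported from its ACLs) with what the defined roles permit. Every extra grant
    is a control gap that needs an action plan."""
    excess: Dict[str, Set[str]] = {}
    for user, granted in actual_grants.items():
        extra = granted - effective_permissions(user_roles, user)
        if extra:
            excess[user] = extra
    return excess


# Constructed sample data: three accounts and the grants "found" on a system.
SAMPLE_USER_ROLES = {"dr_lee": {"physician"}, "b_jones": {"billing"}, "t_admin": {"sysadmin"}}
SAMPLE_ACTUAL_GRANTS = {
    "dr_lee": {"read:clinical", "write:clinical", "read:demographics"},
    "b_jones": {"read:demographics", "read:clinical"},  # drift: billing can read notes
    "t_admin": {"manage:accounts"},
}


def run_example() -> Dict[str, object]:
    """Exercise the controls on the sample data and return the findings."""
    ac = PhiAccessControl(SAMPLE_USER_ROLES)
    decisions = [
        ac.authorize("dr_lee", "read:clinical", "MRN-0001"),       # allow
        ac.authorize("b_jones", "read:demographics", "MRN-0001"),  # allow
        ac.authorize("b_jones", "read:clinical", "MRN-0001"),      # deny: minimum necessary
        ac.authorize("b_jones", "read:clinical", "MRN-0002"),      # deny
        ac.authorize("t_admin", "read:clinical", "MRN-0001"),      # deny: admins do not read records
        ac.authorize("nobody", "read:demographics", "MRN-0001"),   # deny: unknown account
    ]
    return {
        "decisions": decisions,
        "denials": ac.denials_by_user(),
        "excess_grants": find_excess_grants(SAMPLE_USER_ROLES, SAMPLE_ACTUAL_GRANTS),
        "audit_entries": len(ac.audit_log),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real deployment: the audit trail records denials as well as successes, because a billing account repeatedly trying to read clinical notes is exactly the inside-intrusion pattern the FBI figures above describe; and the entitlement audit works from the grants actually present on the system, not from the role table, so it catches the drift that accumulates as business operations change between reviews.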



In addition to developing internal controls over information systems, organizations covered by HIPAA are required to develop business continuity and disaster recovery (contingency) plans covering health care data. High availability of information is a primary consideration when developing recovery strategies for medical information. During a disaster, medical personnel and patients are more likely to require immediate access to healthcare data than at any other time. System downtime in the healthcare environment also demands quick recovery times. Additionally, companies managing healthcare data need to maintain continuous operations while performing scheduled maintenance on healthcare systems.



Continuity strategies for healthcare data will likely call for more sophisticated solutions than those for less mission-critical applications. Organizations often deploy offsite data centers with identical configurations designed to mirror critical healthcare data; if a network or system outage occurs, users are automatically rerouted to the offsite data center. Clustering can also be used by HIPAA organizations to provide failover and load balancing, improving availability statistics: a group of physically connected computers runs a common set of applications, and if one node is unavailable due to downtime, another node takes over, eliminating single points of failure for the system.



The business continuity and disaster recovery plans covering the HIPAA privacy and security rules should also include the standard elements of all BCP plans, including identification of critical functions, crisis teams, vendor information, communications information, equipment information, vital records information and any other information necessary to recover operations. Crisis management plans, incident response plans and plans for crisis communications should also be included. The business continuity and disaster recovery plans developed for the HIPAA privacy and security rules should be tested at least annually. Action plans should be developed for any gaps identified during testing.



Countries outside the United States, including those in Europe, treat health care data as one category of personal information when addressing privacy regulation. European rules on the privacy of personal information are more stringent than the HIPAA requirements, creating legal issues for some international companies. The European Union restricts transfer of personal data to countries, including the United States, whose data protection it does not consider adequate, and enforces the restriction by blocking transfers and through civil and criminal sanctions. The United States Department of Commerce and the European Union developed the “safe harbor principles” to bridge the differences in data protection rules; companies that certify under the safe harbor rules avoid disruption in data flow between the United States and European countries.



HIPAA privacy and security rules offer many opportunities for business continuity and information technology professionals to enhance existing information technology security structures and business continuity and disaster recovery plans. Additional investment in technology to ensure security and privacy over medical records not only serves compliance but also protects the brand equity of the business by avoiding costly public relations disasters. HIPAA compliance is in fact part of a best-practice information technology environment, and most of the technologies and procedures should already be in place for other business reasons. Rapidly advancing information technologies will require continuous adjustment of data security and business continuity strategies to maintain compliance with the HIPAA privacy and security rules.
