HIPAA and Penetration Testing – Part I

HIPAA stands for the Health Information Portability and Accountability Act of 1996. It was enacted by the US Congress and signed by then-President Bill Clinton in the same year. The primary motives of this legislation include:

  • Regulating and modernizing the flow of healthcare information of individuals
  • Stipulating how PII (personally identifiable information) maintained by healthcare insurance providers and healthcare providers should be protected from theft and fraud
  • Addressing the coverage limitations on health insurance

HIPAA is also sometimes referred to as the Kennedy-Kassebaum Act or the Kassebaum-Kennedy Act. It contains five titles:

  • Title I: Health Care Access, Portability, and Renewability
  • Title II: Preventive Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
  • Title III: Tax-related Health Provisions
  • Title IV: Application and Enforcement of Group Health Plan Requirements
  • Title V: Revenue Offsets

For the purpose of our discussion, Title II is relevant.

Privacy and Security of Health Care Data under HIPAA

In the context of privacy and security of health care data, Title II lays down various policies and procedures that covered entities must follow to maintain the privacy and security of protected health information (PHI). These covered entities include health care providers, health plans, health care clearinghouses (for example, community health care information systems, billing service providers, etc.), medical service providers, hospitals and hospital chains, and any other entity which transmits health care data of individuals in a manner regulated by the provisions of HIPAA.

In addition, various offenses related to PHI have been identified along with criminal and civil penalties for violations under the Act. One of the most significant parts of Title II is Part C – Administrative Simplification. Under this part, HIPAA empowers the US Department of Human and Health Services (HHS) to create standards and rules for increasing the efficiency of health care systems while dealing with PHI. So far, HHS has promulgated five rules which are as follows:

  • The Privacy Rule
  • The Transactions and Code Sets Rule
  • The Security Rule
  • The Unique Identifiers Rule
  • The Enforcement Rule

In this article, we will throw some light on the Privacy Rule while thoroughly discussing the Security Rule.

The Privacy Rule

This rule regulates the disclosure and use of PHI or ePHI (electronically stored PHI), as the case may be, by the covered entities under HIPAA. Over the years, HHS has brought regulations and amendments to define the scope of PHI. For example, PHI includes information related to health care services provided, health status, medical condition, health care payments, medical records, payment history, etc.

The Privacy Rule can be summarized into the following bullet points:

  • As a general rule, an individual’s PHI may be disclosed only with the patient’s written authorization. The exceptions to this general rule are:
    • Disclosure to law enforcement agencies as required by law via court orders, subpoenas, warrants, etc., or to respond to administrative requests for locating or identifying a material witness, suspect, fugitive, or missing person.
    • Disclosure to state child welfare agencies in cases of child abuse.
    • Disclosure to certain parties for the facilitation of payment, treatment, or health care operations.
  • Responsibilities of a covered entity include:
    • Taking written authorization from a patient for disclosure of their PHI whenever necessary.
    • Ensuring that minimum information is disclosed when disclosing PHI.
    • Implementing appropriate technical and procedural safeguards to secure PHI.
    • Notifying individuals about the use of their PHI.
    • Keeping track of disclosures of an individual’s PHI made to any party.
    • Documenting appropriate privacy policies and procedures.
    • Appointing a Privacy Official and a contact person for handling complaints from individuals and training employees on dealing with PHI.
  • Rights of an individual (or a patient) include:
    • Right to request correction of inaccurate PHI stored with a covered entity.
    • Right to ensure confidentiality of communications.
    • Right to access the PHI stored with a covered entity in either physical or electronic form.
    • Right to file a complaint for violation of HIPAA at HHS Office for Civil Rights (OCR).

The Security Rule

The Security Rule under HIPAA was issued on February 20, 2003, and came into effect on April 21, 2003. Entities covered under HIPAA were given a deadline of April 21, 2005, to show compliance with the law. It complements the Privacy Rule; however, there is a slight difference between the two. The Privacy Rule applies to PHI in any form, while the Security Rule specifically applies to ePHI. It prescribes three types of safeguards to protect ePHI: administrative, technical, and physical. For each of these safeguards, it prescribes certain security standards. Furthermore, for each security standard, it lays down required as well as addressable implementation specifications. Required specifications must be implemented as laid down by the Rule. For addressable specifications, however, covered entities have the flexibility to evaluate their organization-specific situation and determine the best possible way to implement them.

Figure: HIPAA Security Rule

In the next article, we will elaborate on the safeguards under the HIPAA Security Rule along with discussing FAQs related to penetration testing under HIPAA.
