Health-related apps, web sites, digital devices, and social media provide exciting opportunities to support better health. And many employers and health plans are looking to integrate these options into wellness and population health management programs. But much of the health-related data they collect, and many of the organizations that collect it, are not covered by current HIPAA privacy regulations.
A Brief History of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. At this time, HIPAA applied only to covered entities, including medical service providers, healthcare clearinghouses, employer sponsored health plans, and health insurers.
HIPAA included two provisions, the Privacy Rule (effective in 2003) and the Security Rule (effective in 2005), related to the use, disclosure, and protection of individually identifiable health information, or protected health information (PHI).
The Enforcement Rule, setting civil money penalties for HIPAA violations became effective in 2006, but for many years there were few prosecutions. In recent years there have been more aggressive investigations, fines, and publication of breaches affecting 500 or more individuals on the “Wall of Shame”.
The initial legislation failed to consider electronic PHI that is frequently stored and processed by vendors on behalf of covered entities. So in January 2013, HIPAA was updated via the Final Omnibus Rule, to extend security and privacy requirements to these vendors, termed business associates.
But organizations handling PHI that are not a covered entity, or a vendor working directly for a covered entity, are still not subject to these rules. A recent report from the California Healthcare Foundation: Here’s Looking at You: How Personal Health Information is Being Tracked and Used provides a revealing look at the challenges and opportunities provided by new technology within a fragmented regulatory environment that has not kept pace.
Protecting Your PHI
Here are some simple steps you can take to protect your data:
Maintain a list of all the vendors that handle individually identifiable health information related to your health and wellness program. This might include companies involved in screening, coaching, incentive management, worksite challenges, and health risk assessments.
Insist on adherence to the same standards for all the vendors that handle your PHI, regardless of their status under HIPAA.
Require each vendor to enter into an agreement, called a Business Associate Agreement under HIPAA, that states how data is to be protected and what to do in the event of a suspected breach. Be sure that the requirements in this agreement extend to any vendors or subcontractors that your vendor may use.
Understand who owns your data and who has rights to access it. And be sure to find out if your data can be sold or distributed in any way without your prior approval.
Determine if each vendor has completed an independent security audit. Examples include Health Information Trust Alliance (HITRUST) Certification or SOC SSAE 16 Reporting. Such audits provide a comprehensive review of the physical, technical, and administrator controls in place at an organization to protect data. If your vendor has not received external certification, conduct your own assessment. Here are some questions to ask:
- How is data collected? And where is it stored? What physical and technical safeguards are in place? Many HIPAA breaches have occurred because of lost or stolen laptops or other mobile devices that contained unsecured (unencrypted) data.
- How is data transferred? Are secure methods such as HTTPS or FTPS used for all Internet access and file transfer?
- What technical safeguards are used to protect against unauthorized access? Examples include password policies, two-factor authentication, and firewalls.
- Who has access to the data? How is this controlled? HIPAA requires that this is on a “need to know” basis and the “minimum necessary” for performance of job responsibilities.
- Have vendor personnel been trained in security and privacy best practices? Does the company have HR policies and procedures in place to ensure that these practices are followed?
- Who within the organization is responsible for the security and privacy of data?
- How often are the physical, technical, and administrative safeguards used to secure data reviewed and updated?