NATIONAL HARBOR, Md. -- The Health Insurance Portability and Accountability Act went into effect in 2006, but increasingly large penalties for HIPAA violations in recent years, combined with a greater risk of audits, are forcing enterprises
In a presentation at the 2013 Gartner Security and Risk Management Summit, Wes Rishel and Paul Proctor, both vice presidents and distinguished analysts with the Stamford, Conn.-based IT research giant, walked attendees through an increasingly harsh HIPAA landscape. Approximately 60,000 "small" breaches have been reported, with more than 500 of those ending up on the U.S. Centers for Medicare and Medicaid Services' Office for Civil Rights' "wall of shame," the federally mandated list of HIPAA violation incidents that involve the health information records of 500 or more individuals.
Rishel described the initial penalties for HIPAA violations as a "joke," with most enterprises unmoved by the risk of paying out potential settlements. However, the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009 completely altered this attitude, with HIPAA penalties now reaching millions of dollars. Cases in point: Cignet's $4.3 million fine in 2011 for denying patients access to medical records, and a $1.5 million fine against Massachusetts Eye and Ear Infirmary for a data compromise involving a lost laptop.
HITECH both increased the dollar amount that an organization can be fined for failing to comply with HIPAA and broadened the sources that can trigger an audit: State attorneys general may now bring civil actions on behalf of state residents affected by HIPAA violations.
Organizations responsible for HIPAA-covered data now face one-in-20 odds of a HIPAA audit, the analysts said. To see the most obvious effect of the HITECH Act, one only had to look at the packed room of conference attendees interested in the session. "Five years ago, this room would not have been full," Proctor joked. "But now they're actually auditing [against HIPAA] and people are worried about it."
Allaying HIPAA encryption fears
Though many organizations consider achieving HIPAA compliance to be an onerous task, Rishel and Proctor attempted to educate attendees on the broad nature of the regulation and how, unlike other compliance mandates like the Payment Card Industry Data Security Standard, enterprises have plenty of wiggle room to please auditors.
The Gartner duo pointed to encryption as a specific area of confusion, with many organizations believing that encryption is a fundamental requirement of the regulation. Proctor repeatedly hammered home the point that HIPAA "does not require encryption."
However, even though there is no specific requirement for encryption in HIPAA, it doesn't necessarily mean that an enterprise can get away without using it. For example, Rishel provided recommendations on when data at rest should be encrypted: rarely for internal data centers, always for mobile devices and cloud services. Ultimately, before an organization decides to invest in, implement and manage a data encryption effort, it must assess how likely it is that its data will be stolen.
HIPAA compliance management best practices
Instead of utilizing HIPAA as a checklist, organizations should use the regulation as a starting point to determine what they can and cannot do, Rishel said. Once enterprises understand how little HIPAA actually requires, they can do a better job of assessing what data really needs to be defended, and how to go about it.
According to Proctor, organizations should focus their efforts on performing a thorough HIPAA risk assessment that clearly shows how security controls that have been put in place reduce the threat scenarios deemed most likely. Above all else, organizations need to provide details about their security programs that show that thought and care have gone into defending HIPAA-related data. "Documenting your decisions is in the [HITECH Final] Rule," he said. "You can't just make it up on the fly."
Proctor relayed a story about one of his clients that was questioned by a HIPAA auditor regarding a specific security control. The client explained why the control was in place, and the auditor agreed with the client's reasoning. Because the client had failed to fully document the control, however, the auditor still levied a fine against the client for lacking proper documentation.
"The single most important thing I want you all to take away from this … is when you get back to your office, find out where your risk assessment is that you would show auditors," Proctor said. "Is it defensible? Would auditors be able to page through it and get the impression that you care about this stuff?"