HIPAA and Penetration Testing – Part I

HIPAA stands for the Health Information Portability and Accountability Act of 1996, and it was enacted by the US Congress and signed by the then President Bill Clinton in the same year. The primary motives of this legislation include – 

• Regulating and modernizing the flow of healthcare information of individuals, 
• Stipulating how PII (personally identifiable information) maintained by the healthcare insurance providers and the healthcare should be protected from theft and fraud, and 
• Addressing the coverage limitations on health insurance 

HIPAA is also sometimes referred to as the Kennedy-Kassebaum Act or the Kassebaum-Kennedy Act. It contains five titles – Title I (Health Care Access, Portability, and Renewability), Title II (Preventive Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform), Title III (Tax-related Health Provisions), Title IV (Application and Enforcement of Group Health Plan Requirements), and Title V (Revenue Offsets). For the purpose of our discussion, Title II is relevant. 

Privacy and Security of Health Care Data under HIPAA

Specifically, in the context of privacy and HIPPA security of health care data, Title II lays down various policies and procedures for maintaining privacy and security of protected health information (PHI) by the covered entities. Here, the covered entities include health care providers, health plans, health care clearinghouses (for example, community health care information systems, billing service providers, etc.), medical service providers, hospitals and hospital chains, and any other entity which transmits health care data of individuals in a manner regulated by the provisions of HIPAA. In addition, various offenses related to PHI have been identified along with criminal and civil penalties for violations under the Act. 
One of the most significant parts of Title II is Part C – Administrative Simplification. Under this part, HIPAA empowers the US Department of Human and Health Services, or HHS, to create standards and rules for increasing the efficiency of health care systems while dealing with PHI. So far, HHS has promulgated 5 rules which are as follows – 

• The Privacy Rule 
• The Transactions and Code Sets Rule 
• The Security Rule
•  The Unique Identifiers Rule 
• The Enforcement Rule 

In this article, we will throw some light on the privacy rule while thoroughly discussing the security rule. 

The Privacy Rule

This rule regulates the disclosure and use of PHI, or ePHI (electronically stored PHI), as the case may be, by the covered entities under HIPAA. Over the years, HHS has brought into regulations and amendments to define the scope of PHI. For example, PHI includes information related to health care service provided, health status, medical condition, health care payments, medical records, payment history, etc.  
The Privacy Rule can be summarized into the following bullet points – 

The general rule for disclosure of PHI of an individual is only with a patient’s written authorization. The exceptions to this general rule are –

1. Disclosure to the law enforcement agencies as required by the law via court orders, subpoenas, warrants, etc. or respond to administrative requests for locating or identifying a material witness, suspect, fugitive, or missing person. 
2. Disclosure to state child welfare agencies in cases of child abuse 
3. Disclosure to certain parties for the facilitation of payment, treatment, or a health care operation.

Responsibilities of a covered entity include –

1. Taking written authorization from a patient for disclosure of his PHI, whenever necessary. 
2. While disclosing PHI of a patient, efforts must be made to ensure that minimum information is disclosed. 
3. Implementing appropriate technical and procedural safeguards to secure the PHI of individuals. 
4. Notifying individuals about the use of their PHI. 
5. Keeping track of disclosures of an individual’s PHI made to any party. 
6. Documenting appropriate privacy policies and procedures. 
7. Appointing a Privacy Official and a contact person for dealing with the complaints from individuals and training employees as to how to deal with PHI. 

Rights of an individual (or a patient) include –

1. Right to request correction of an inaccurate PHI stored with a covered entity, 
2. Right to ensure confidentiality of communications, 
3. Right to access the PHI stored with a covered entity in either physical or electronic form, and 
4. Right to file a complaint for violation of HIPAA at HHS Office for Civil Rights (OCR). 

The Security Rule

The Security Rule under HIPAA was issued on February 20, 2003, and it came into effect on April 21, 2003. Entities covered under HIPAA were given a deadline of April 21, 2005, to show compliance with the law. It complements the privacy rule, however, there is a slight difference between the two. The Privacy Rule applies to PHI in any form, while the Security Rule specifically applies to ePHI. It prescribes three types of safeguards to protect ePHI – administrative, technical, and physical. For each of these safeguards, it again prescribes certain security standards. Furthermore, for each security standard, it lays down required as well as addressable specifications with respect to the implementation. Required specifications must be implemented in essence as laid down by the Rule. However, covered entities have been given the flexibility to evaluate their organization-specific situation and determine the best possible way to implement these specifications. The chart given below visualizes this structure.

Figure-HIPPA Security Rule

In the next article, we will elaborate on the safeguards under the HIPAA Security Rule along with discussing FAQs related to penetration testing under HIPAA.