At CBOSS, we take compliance seriously. In healthcare, this applies not only to the Payment Card Industry Data Security Standard (commonly referred to as PCI-DSS) but also to the requirements of HIPAA. We’ve previously discussed the nuances of PCI-DSS in an earlier blog series, so feel free to refer to that for a detailed look at how to prioritize PCI. In this post, we’ll examine HIPAA, its role in protecting healthcare data, and finally its importance to you and your payment gateway.
To understand HIPAA, how it differs from (and in healthcare, one could argue, complements) PCI-DSS, and why it matters, let’s briefly examine its origins. Enacted in 1996, the Health Insurance Portability and Accountability Act, or HIPAA for short, was primarily focused on the emerging need to modernize and standardize electronic storage and interchange of patient data that had previously been stored and transcribed using pen and paper. Though most of the law focused on the minutiae of data interchange, perhaps the most well-known and far-reaching aspects of HIPAA are what are commonly referred to as the Security Rule and the Privacy Rule.
The Security Rule requires that appropriate administrative, physical, and technical safeguards are in place to ensure the confidentiality, integrity and security of all electronic protected health information (PHI). Guidance on the appropriateness of controls is based on risk analysis, using the NIST HIPAA Security Toolkit as a baseline for understanding, but it is incumbent upon every covered entity to understand its own risk in managing PHI.
The Privacy Rule requires Covered Entities to limit disclosure of Protected Health Information (PHI). PHI may only be disclosed with the authorization of the patient unless it is needed to further healthcare or billing, or is required to satisfy legal requirements, such as a subpoena. Additionally, Covered Entities must tell the patient to whom their PHI is being disclosed and for what reasons, and must disclose only the minimum required information whenever possible. Finally, Covered Entities must track where and how they have stored and disclosed PHI.
The Privacy Rule applies to all covered entities and their business associates. Covered Entities include:
▪️ Health Insurance Companies
▪️ Healthcare Clearinghouses (e.g. billing companies, service providers storing or processing PHI, etc.)
▪️ Healthcare providers that store or transmit health records electronically
▪️ Business Associates are any entities to which a CE must disclose PHI in the course of business
▪️ Only Covered Entities are bound by the Privacy Rule. It does not cover personal disclosures, life insurance companies, employers (unless the employer is also the direct health insurance provider), schools, or other public/private entities
The Balancing Act
While raw card numbers and financial data are covered by the requirements of PCI-DSS, the need for healthcare-related data to be both portable and accessible to Covered Entities requires a different set of rules and standards. For those CEs that need proper access to data in order to provide the patient with quality care, HIPAA dictates that a patient’s health-related data must be treated differently.
In order to properly diagnose a patient’s condition, medical experts rely on data available to them from a variety of sources. All qualitative, quantitative, and diagnostic information that healthcare professionals rely on to deliver the highest level of patient care falls under HIPAA in order to protect a patient’s privacy, security, and safety. As we all use computers more and more in our daily lives, we need to be very cognizant of the risks that come with relying on technology as an integral part of performing our daily tasks. This is most evident in the healthcare field, as patient data is a literal goldmine to those who engage in nefarious activities on the Internet.
Just how serious a threat is it? Take into account these sobering facts, published in 2021 by The HIPAA Journal:
“Between 2009 and 2020, 3,705 healthcare data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records. That equates to more than 81.72% of the population of the United States. In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day. In December 2020, that rate had doubled. The average number of breaches per day for 2020 was 1.76.”
According to the same source, the average HIPAA violation in 2020 cost the offending organization around $713,000 in penalties. So, who enforces HIPAA? The Department of Health and Human Services (HHS) has enforcement power over HIPAA, and the Office for Civil Rights (OCR) within HHS is responsible for enforcing the Privacy Rule. Individuals who believe their information was improperly disclosed may file a complaint with the OCR. The OCR may then open an investigation and penalize a Covered Entity if it is deemed non-compliant.
Contrary to what one might think, individuals may not take direct action under HIPAA or the Privacy Rule. It is HHS that has sole enforcement power over HIPAA, and HHS may levy penalties of up to $50,000 per HIPAA violation, not to exceed $1.5 million per calendar year.
It quickly becomes apparent that the need and desire for optimal patient care can potentially expose a patient’s PHI, whether through negligence or outright theft.
The CBOSS Commitment To PCI-DSS And HIPAA Standards
CBOSS, via our leading Central Payment Portal Gateway, is dedicated to both PCI-DSS and HIPAA standards, and takes both sets of regulations seriously. To that end, it is our commitment to ensure that our clients’ data is collected, transmitted, encrypted, and stored in industry-leading ways that leverage best practices as well as best-of-breed technologies. Doing so allows CBOSS to provide our customers with the highest degree of trust in handling sensitive healthcare payment data.