Blog » HIPAA Compliant Hosting HIPAA Compliant Hosting HIPAA compliant hosting Overview HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It established national standards for rules to maintain the privacy and security electronic health care records. The rules laid down by HIPAA apply to all health care providers, health plans, and health care clearinghouses, collectively referred to as covered entities, which are required to adhere to its regulations when handling and transmitting health care information. Requirements for a HIPAA Compliant Environment HIPPA details five specific rules regarding the privacy of health care information: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. 1. The Privacy Rule – This rule regulates the use and disclosure of “protected health information”, which includes any information about an individual’s health status, the health care they are receiving, and their payment for that health care. Protected health care information may only be disclosed with written authorization from the individual, with only a few exceptions: it can be given without the patient’s authorization for the purpose of facilitating treatment or payment; or when required by law, such as when child abuse is suspected or when a court-order, warrant, or subpoena is presented. However, when a covered entity does disclose protected health information, it must disclose only the minimum necessary information to fulfill it’s purpose. The Privacy Rule also mandates that individuals be given the right to request incorrect protected health information be corrected, that communications with individuals be kept confidential, that individuals be notified when their protected health information is used, and that a Privacy Official and contact person be appointed for receiving complaints and training workforce members in proper private health information procedure. 2. The Transactions and Code Sets Rule – This rule requires a universal standard for all healthcare transactions. 3. The Security Rule – This rule lays out the administrative, physical, and technical safeguards required for compliance with the Privacy Rule. Administrative safeguards are policies and procedures which show that the covered entity is complying with the act, such as written procedures, documentation, and training. Physical safeguards are security measures which control who has access to computers and devices containing protected health information. Technical safeguards are requirements for computer systems storing protected health information, ensuring that the data can only be accessed by authorized individuals. 4. The Unique Identifiers Rule – This rule requires that covered entities identify covered health care providers only by their National Provider Identifier, or NPI. An NPI is a unique, ten-digit alphanumeric code possessed by each health care provider. 5. The Enforcement Rule – This rule establishes civil and criminal penalties for failing to conform to HIPAA requirements. Four types of civil violations and three types of criminal violation are described, with penalties varying based on their severity. Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA: Civil violation, $100 fine per occurrence. HIPAA violation due to reasonable cause and not due to willful neglect: Civil violation, $1,000 fine per occurrence. HIPAA violation due to willful neglect but violation is corrected within the required time period: Civil violation, $10,000 fine per occurrence. HIPAA violation is due to willful neglect and is not corrected: Civil violation, $50,000 fine per occurrence. Covered entities and specified individuals who “knowingly” obtain or disclose individually identifiable health information: Criminal violation, fine of up to $50,000 and imprisonment of up to 1 year. Offenses committed under false pretenses: Criminal violation, fine of up to $100,000 and imprisonment of up to 5 years. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm: Criminal violation, fine of up to $250,000 and imprisonment of up to 10 years. Please note that the fines shown are the minimum penalty prescribed for that type of violation; for any civil violation, a maximum fine of up to $50,000 may be imposed, with an annual maximum of $1.5 million for repeat violations. HIPAA Specific Hosting Requirements Due to the Privacy Rule and the Security Rule, any covered entity which intends to host medical information on a web server must adhere to stricter requirements than usual for web hosts. The provisions set down by HIPAA are designed to be flexible, so that certain specific security requirements don’t apply to covered entities to which they are not relevant, but this can lead to confusion and uncertainty as to which regulations apply to any given company. To generalize, there are seven basic requirements which at the very minimum must be met by any covered entity trying to be HIPAA-compliant. 1. Transport Encryption – Any information which is transferred over the Internet must be encrypted with SSL. 2. Backup – All information must be backed up, so that it can be recovered in the event of a hardware failure. Backups should be stored at a separate facility. 3. Authorization – All information must be accessible only by people with the appropriate authorization. Access should require two-factor identity authentication. 4. Integrity – All information must be protected from accidental or unauthorized alteration. Encryption or digital signing should be used to ensure data is not tampered with. 5. Storage encryption – All information must be encrypted whenever it is being stored. This applies both to backups and to files on laptops and mobile devices. 6. Disposal – All information must be permanently disposed of when no longer needed. Disposal should be complete and permanent, and information should remain secure during the process. 7. HIPAA Business Associate Agreement – The covered entity must have a HIPAA Business Associate Agreement with any other party which hosts its information, ensuring that they have agreed to follow all provisions of the Security Rule when handling the data in question. It is important that all procedures necessary for HIPAA-compliance be well-documented and all employees properly trained, with compliance being verified by an audit by a third-party. Depending on the specific nature of the types of data handled by the company, additional security requirements may also apply; the full rules for HIPAA-compliant hosting can be found at the U.S. Department of Health and Human Services web site, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html. Cost of HIPAA Hosting There are a great many hosting services which are prepared to offer HIPAA-compliant hosting for a monthly fee. The cost can vary significantly depending on the company offering the plan and on the amount of data you require to be hosted. Looking at a number of these sites, I found “basic” HIPAA-compliant hosting being offered at prices ranging from $385.00 per month to $784.00 per month. If you wish to purchase HIPAA hosting, it is advisable to compare quotes from several different services and consider both their trustworthiness and your specific needs in order to select the best fit. Be certain to remember that having a HIPAA-compliant host is not in itself enough to make your website HIPAA-compliant; it only one of many steps that must be taken to ensure the overall privacy and security of the protected health information in your possession. Examples of HIPAA Fines for Violations Case 1: Management Services Organization Washington, Inc. In 2009, Management Services Organization Washington, Inc. was charged with violating HIPAA. The covered entity had provided protected health information to another corporation, Washington Practice Management, LLC, with the intention of targeting individuals with specific marketing based on their individual health status. This release of information constituted a violation of the Privacy Rule, as the individuals in question had not consented to have their private information given to another party; and also of the Security Rule, as Washington Practice Management did not meet the security requirements required by HIPAA to ensure the confidentiality of such information. Management Services Organization Washington was fined $35,000 for the violation. Case 2: University of California, San Francisco In 2009, the University of California was charged with violating HIPAA. Numerous employees had repeatedly accessed the protected health information of patients without legitimate medical reason. Staff not directly involved in the treatment of patients would apparently read their medical records out of curiosity. This was a violation of the Privacy Rule, which states a patient’s protected health information may only be accessed with their permission; and of the Security Rule, which states that safeguards should be put in place to ensure that protected health information is only accessible to those with the appropriate authorization.The University of California was fined $865,000 for the violation. Case 3: WellPoint In 2013, WellPoint was charged with violating HIPAA. Under the Security Rule, protected health information should be made available only to individuals with the appropriate authorization. Due to a failure by WellPoint to implement user verification technology, the protected health information of 612,402 individuals was freely accessible to unauthorized users on the Internet for five months. WellPoint was fined $1.7 million for the violation. Case 4: CVS Pharmacy In 2009, CVS Pharmacy was charged with violating HIPAA. Rite Aid pharmacies had been disposing of pill bottle labels containing protected health information in dumpsters accessible to public. This constituted a violation of the Security Rule, which requires that protected information be disposed of in a complete and secure manner so that it cannot be recovered by malicious parties. CVS was fined $2.25 million for the violation. Case 5: Cignet Health In 2009, Cignet Health Center was charged with violating HIPAA. Under the Privacy Rule, a covered entity is required to provide any patient with access to their own protected health information upon request. Cignet failed to respond to requests by 41 patients for copies of their medical information, and further failed to cooperate with a subpoena issued by the Office for Civil Rights. Cignet was fined $4.3 million for these violations. This is thus far the largest fine ever issued to a single covered entity. Examples of Data Breaches with HIPAA Covered Companies Case 1: Adult and Pediatric Dermatology, P.C. In 2011, the medical practice Adult and Pediatric Dermatology, P.C. lost an unencrypted thumb drive containing protected health information about 2,200 patients who had undergone Mohs surgery as treatment for skin cancer. This was a violation of one of the provisions of the Security Rule, namely that all protected health information must be encrypted whenever it is being stored. Additionally, a Health and Human Services investigation found that the practice had not conducted an accurate and thorough analysis of the vulnerabilities of its protected health information until a year after the thumb drive had been stolen, and that it had not properly complied with HIPAA’s Breach Notification Rules because it did not have written policies or procedures about what do in the event of a breach and did not train its employees in Breach Notification procedures until four months after the theft. As a result, the practice was fined $150,000 and agreed to develop a corrective action plan that obligates it to develop a plan to eliminate its security vulnerabilities. Case 2: Massachusetts Eye and Ear Infirmary In 2010, the Massachusetts Eye and Ear Infirmary reported that a laptop had been stolen from one of their doctors, who was lecturing in South Korea. The laptop contained unencrypted protected health information on 3,500 individuals. Though the MEEI remotely disabled the computer’s hard drive as soon as the theft was discovered, the failure to encrypt protected health information constituted a violation of the Security Rule of HIPAA. MEEI was fined $1.5 million for the breach. Case 3: Concentra In 2011, Concentra Health Services reported that an unencrypted laptop containing the protected health information of 870 individuals was stolen from one of their facilities. The failure to encrypt the laptop was a violation of the Security Rule, which requires that all protected health information be encrypted when in storage. A subsequent investigation discovered that Concentra had been aware of the danger posed by their lack of encryption since 2008 and had begun taking steps to correct it, but that their efforts were inconsistent and unevenly applied: though some of their laptops were protected with encryption, a full 28% were not, and it took four years from the discovery of this problem for a full inventory assessment to be performed. Concentra was fined $1.7 million and agreed to adopt a corrective plan. Case 4: Alaska DHSS In 2009, the Alaska Department of Health and Human Services reported that a USB drive containing the protected health information of 501 individuals was stolen from an employee’s car. In addition to the USB lacking encryption, thus violating a requirement of the Security Rule, an investigation found that the covered entity did not have sufficient risk management measures or security training for its employees. The Alaska DHSS was fined $1.7 million and required to adopt a corrective plan. Case 5: TRICARE In 2011, Science Applications International Corp, a business associate of military insurer TRICARE, announced that backup tapes containing protected health care information had been stolen from the car of an employee who transporting the tapes between two facilities. The tapes contained data on 4.9 million patients treated in military facilities since 1992, making this this is the largest breach of information protected by HIPAA ever known to have occurred. In violation of the provisions of the Security Rule, the backup tapes were not encrypted. Investigation is still ongoing, and the size of the fine that will be issued has not yet been determined. References “Alaska DHSS Settles With HHS For $1.7 Million”. Kimberly M. Wong. Lexology. July 20, 2012. http://www.lexology.com/library/detail.aspx?g=1a480d89-277f-4b3e-925d-6cbe2d31f69c. “Cignet Penalty Notice”. U.S. Department of Health and Human Services. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltynotice.pdf. “CVS Caremark Settles FTC Charges”. Federal Trade Commission. February 18, 2009. http://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial. “Dermatology Practice to Pay $150,000 in HIPAA Settlement”. The Health Care Group, Inc. http://www.healthcaregroup.com/temp/dermpraticepays.pdf. “Health Information Privacy”. U.S. Department of Health and Human Services. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html. “Health Insurance Portability and Accountability Act”. Wikipedia. http://en.wikipedia.org/wiki/HIPAA. “Massachusetts Provider Settles With HHS For $1.5M For EPHI Breach Incident”. Kimberly M. Wong. Lexology. September 19, 2012. http://www.lexology.com/library/detail.aspx?g=bb9f26e6-f320-4d0f-840e-78373ce6ffb7. “Protected Health Information”. Wikipedia. http://en.wikipedia.org/wiki/Protected_health_information. “Seven Steps to Make Your Web-Site HIPAA Secure”. Eric Kangas. LuxSci FYI Blog. July 18, 2013. http://luxsci.com/blog/what-makes-a-web-site-hipaa-secure.html. “TRICARE Breach Affects 4.9 Million”. Howard Anderson. InfoRisk Today. September 29, 2011. http://www.inforisktoday.com/tricare-breach-affects-49-million-a-4105/op-1. “UCLA Health System Settles Potential HIPAA Privacy And Security Violations”. U.S. Department of Health and Human Services. http://www.hhs.gov/ocr/privacy/hipaa/news/uclahs.html. “WellPoint Pays HHS $1.7 Million For Leaving Information Accessible Over Internet”. U.S. Department of Health and Human Services. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html.