Compliance Solutions

HIPAA and HITECH Compliance

If you create, transmit, receive, or store electronic Protected Health Information (ePHI), then you need to be HIPAA compliant.

What is HIPAA and the HITECH Act?


When private medical records are breached, healthcare service providers suffer damage to their brand and reputation, loss of patient trust, and severe financial repercussions. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that appropriate administrative, technical, and physical safeguards be used to protect the privacy and security of sensitive health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009 as part of the American Recovery and Reinvestment Act (ARRA), clarifies and supplements HIPAA requirements, particularly by raising the financial penalties incurred by covered entities that violate the HIPAA Privacy and Security Rules and by extending direct liability to their business associates. Both HIPAA and the HITECH Act are enforced by the U.S. Department of Health and Human Services.

The goal of the security provisions of HIPAA is to ensure the confidentiality, integrity, and availability of electronic health information and to protect against security breaches and unauthorized use or disclosure of that information. The security provisions are designed to motivate healthcare service providers and their business associates to adopt practices that reduce the risk of losing patient information through data theft or other security breaches.

To achieve HIPAA compliance, covered entities must demonstrate adherence to the Security Rule. The Security Rule mandates protection of all electronic Protected Health Information (ePHI) created, received, maintained, or transmitted by any covered entity. Protected health information is individually identifiable health information, including items such as the patient’s name, address, e-mail address, birth date, Social Security number, employee number, claim number and health plan beneficiary number.

Covered entities must comply with three types of security safeguards: administrative, technical and physical. Specifically, sections §164.308 to §164.316 of the HIPAA Security Rule define the safeguards that must be used to protect confidential medical information. The goal of the HITECH Act is to improve patient confidence in the security of their medical data and to improve the quality of patient care by providing incentives for the adoption and ‘meaningful use’ of electronic health records (EHRs) shared over health information exchange (HIE) networks. The new audit and enforcement requirements introduced by the HITECH Act respond to the growing threat faced by healthcare service providers as more patient information moves into EHRs, online employee health benefit plan portals, and e-prescription kiosks accessible via the Internet.

Who needs to be HIPAA and HITECH compliant?

The U.S. Department of Health and Human Services (HHS) delegated HIPAA enforcement authority to the HHS Office for Civil Rights (OCR). The HITECH Act clarified that all health service entities, including business associates in the private sector, that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose protected health information (PHI) are accountable to HHS for HIPAA and HITECH requirements covering breach prevention, audits, notifications, and penalties for disclosures.

This includes:

  • covered health care providers (hospitals, clinics, regional health services, individual medical practitioners) that conduct certain transactions in electronic form
  • health care clearinghouses (including entities that help health care providers and health plans standardize their information)
  • health plans (including insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authority, in addition to employers, schools or universities that collect, store or transmit PHI to enroll employees or students in health plans)
  • their business associates (including private sector vendors and third-party administrators)

Penalties for non-compliance

The HITECH requirements for breach prevention activities, audits, notifications, and penalties for disclosures came into effect on February 17th, 2009. HITECH standards became mandatory and enforceable as of February 2010, clearing the way for HHS OCR to begin conducting mandatory audits and enforcing civil monetary penalties. The HITECH Act permits state attorneys general to pursue civil actions on behalf of affected residents, in addition to fines for HIPAA violators of up to $50,000 per violation, to a maximum of $1.5 million per year. The size of these fines reflects the importance of safeguarding protected health information. Faced with the threat of steep fines for failing to meet HIPAA data breach requirements, the health service industry is seeking ways to become HIPAA compliant.

How Rapid7 Helps

Rapid7 NeXpose helps organizations that handle sensitive patient information achieve HIPAA compliance, including medical schools, hospitals and their business associates, private labs, and insurance companies. Rapid7 has extensive experience partnering with healthcare service providers such as BlueCross BlueShield of Vermont, Memorial Sloan-Kettering Cancer Center, and the Spectrum Health System to help them navigate the complex regulatory environment of the health sector. Rapid7’s solutions for healthcare services address the Protected Health Information (PHI) safeguards required for HIPAA compliance under the relevant sections of §164.308 to §164.316 of the HIPAA Security Rule. Here is how Rapid7 prepares you for a HIPAA audit while providing sound vulnerability management practices that help protect your entire infrastructure from intruders:

Rapid7 helps you comply with sections of §164.308 to §164.316 of the HIPAA Security Rule. Rapid7 NeXpose can help your business achieve HIPAA compliance by:

  • Automating HIPAA audit requirements with pre-configured HIPAA compliance scanning and reporting in NeXpose, a broad, deep and accurate vulnerability management solution that finds vulnerabilities other scanners miss
  • Providing both executive HIPAA summary reports for management and detailed HIPAA remediation plan for security administrators
  • Performing internal scanning of your entire infrastructure with NeXpose in preparation for HIPAA audits by evaluating potential security risks to electronic PHI, including monitoring of system activity for vulnerability and patch status on devices with PHI
  • Performing asset discovery, vulnerability detection, event management and compliance reporting on workstations, as well as automated monitoring of password policies with the customizable policy compliance framework
  • Performing external scanning with NeXpose either using distributed engines, or with Rapid7 Managed Services to detect and close any holes in your network perimeter

With Rapid7 NeXpose, our HIPAA Compliance Services staff can perform internal and external vulnerability scans as part of your HIPAA risk assessment, and provide healthcare providers with documentation on their current security posture in accordance with HIPAA audit standards.

These services include:

  • Defining policies and procedures to secure protected health information
  • Providing Rapid7 security experts to perform vulnerability scanning, penetration testing and a detailed audit of your networked environment, so you can detect deficiencies more quickly and receive recommendations for fixes that prevent attacks
  • Identifying where protected health information (PHI) resides and where it is left unprotected
  • Providing Rapid7 Remediation Plan and Report with detailed step-by-step instructions for vulnerability remediation to attain HIPAA Compliance
  • Providing Rapid7 HIPAA Professional Services Review to evaluate all security policies and procedures, in addition to providing guidance on developing missing control policies for all areas, including control for modifying access rights
  • Rapid7 Security Awareness Training to provide staff with knowledge needed to secure PHI from electronic, physical and behavioral challenges that put data at risk

To learn more about how NeXpose capabilities meet the requirements to comply with the HIPAA safeguards, refer to the Rapid7 HIPAA and HITECH Act Compliance Guide.

Contact us to find out more about how Rapid7 can help you achieve HIPAA compliance, avoid the costly data breach penalties faced by HIPAA violators, and secure patient PHI.

  • Compliance Guide: Read how Rapid7 helps you become HIPAA compliant
  • White paper: Protecting Patient Health Information in the HITECH Era

"NeXpose is more comprehensive than products we used prior, and its findings are all-inclusive and contained in one report."

William C. Moore
Assistant Director of Information Technology
Valdosta State University