If your organization qualifies as a Health Insurance Portability and Accountability Act (HIPAA) covered entity, you are legally required to abide by a set of rules and regulations. HIPPA rules define covered entities as the following:
Health plans, including many types of organizations and government programs.
Healthcare clearinghouses, including billing services, repricing companies, and community health information systems.
Healthcare providers who transmit health information electronically.
HIPAA data protection requirements apply not just to those in the medical industry, but also certain government programs, insurance providers, and business associates of covered entities.
HIPAA compliance is the process that businesses and individuals follow to keep people’s healthcare data private. HIPAA sets a standard for healthcare data management, seeking to protect a patient’s right to privacy and ensuring the appropriate security controls are in place if patient data is breached.
Keep in mind that the healthcare industry is governed not just by HIPAA regulations, but by other related data protection laws, such as the Gramm-Leach-Bliley Act and the Payment Card Industry Data Security Standard.
In this article, we’ll look at the various requirements that healthcare and insurance professionals must meet to protect user data.
Why HIPAA compliance matters
Compliance with HIPAA means you have adequate measures in place to protect patient data. HIPAA also protects organizations and employers by holding violators accountable for their actions.
Failure to comply with HIPAA rules is known as a HIPAA violation. Violations can lead to fines and civil and criminal penalties, even if the violations were accidental or unintentional.
It’s easier to violate HIPAA rules and regulations than you may think. Common examples of HIPAA violations include:
Violating patient privacy by snooping on healthcare records. For example, the University of California Los Angeles Health System was fined $865,000 when a doctor accessed celebrities’ medical records without authorization.
Denying or delaying patients’ access to their health records. For example, an Ohio medical services provider received a $32,150 penalty for failing to provide a patient with his requested medical records within 30 days of receiving the request.
Failure to use encryption or equivalent security measures. This must be done to safeguard healthcare information on portable devices. For example, Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit Rhode Island health system, agreed to pay over $1 million to settle violations stemming from the theft of an unencrypted laptop.
Most HIPAA violations stem from simple human error. For instance, if a healthcare worker happens to click on a phishing link while using a device that stores sensitive patient health information, the hospital would then be exposed to a potential data breach.
Accidents and unintentional actions happen, but demonstrating compliance with HIPAA training requirements and its regulations can reduce the fines and penalties in the event of a violation.
Data protection laws for healthcare and insurance organizations
In the US, there is no national, comprehensive data privacy law. Instead, there are a variety of federal and state laws and regulations. This lack of uniformity can leave businesses confused about their data protection obligations, increasing the risk of non-compliant behaviors.
Here’s what you need to know about the various data protection laws that impact the medical and insurance industries:
US healthcare and insurance laws/regulations
HIPAA
HIPPA details data privacy and security requirements for safeguarding protected health information (PHI), which is any health information that can be used to identify an individual. When it comes to data protection, HIPAA compliance requirements are found in the Privacy Rule and the Security Rule.
The Privacy Rule identifies when and how authorized individuals can access Protected Health Information (PHI) and puts limits on the use and disclosure of individually identifiable health information.
This rule also grants patients the right to obtain copies of their medical records and request corrections (if needed) to their files. Upon receiving the request, a covered entity (such as a healthcare provider or health insurance company) has 30 days to respond. Failure to respond in a timely manner violates the Privacy Rule’s right of access standard, leading to enforcement actions and monetary fines.
The Security Rule defines and regulates the standards and procedures for the protection of electronic protected health information (ePHI). The rule identifies administrative, physical, and technical safeguards for ensuring the confidentiality, integrity, and security of ePHI.
HIPAA compliance for data storage depends on understanding what policies, mechanisms, and procedures must be implemented to achieve the following:
Identify potential vulnerabilities that could impact the integrity of ePHI.
Implement measures to prevent unauthorized PHI access.
Develop controls to maintain data security for PHI that is sent on an electronic network.
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to explain how they share and protect their customers’ and consumers’ private information. Also known as the Financial Services Modernization Act, the GLBA is designed to prevent unauthorized use, collection, and disclosure of non-public personal information (NPI).
The scope of the GLBA is broader than many realize. The term financial institution applies to any company that offers financial products or services, including loans, investment advice, and insurance. As such, health insurance companies must comply with both HIPAA and GLBA regulations.
If your company qualifies as a financial institution, you must take steps to protect customer and consumer NPI. This includes any personal information received by your organization that is not publicly available, such as:
Social security numbers
Credit and income histories
Bank account numbers
Names, addresses, and phone numbers
There are three specific rules for GLBA compliance that pertain to the financial/insurance industries: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Rule.
The Financial Privacy Rule
The Financial Privacy Rule focuses on disclosure practices, such as providing customers with written notices regarding their privacy practices and policies. This privacy notice must be provided at the time the customer relationship is initiated and annually thereafter.
Privacy notices must explain the following:
What information is collected about the consumer.
What information is shared with third parties.
Company policies related to data confidentiality and security.
The customer’s right to opt-out of having their information disclosed to third parties.
The Safeguards rule
The Safeguards Rule mandates protections for information security. To comply with the rule, you must develop a written information security plan that explains how you protect customer data.
A comprehensive information security plan includes the following safeguards:
The designation of a single individual who is responsible for implementing and overseeing the information security program.
The requirement of a written risk assessment that addresses specified criteria, such as access controls, data inventory, encryption, and incident response.
The periodic assessment of your service providers to ensure their safeguards are adequate.
The Pretexting rule
The Pretexting Rule prohibits access to private information under false pretenses. Pretexting occurs when an attacker convinces their victim to divulge information or give up access to a service or system.
A form of social engineering, pretexting depends on using a made-up story that makes the attacker seem like they have the right to access the information.
Compliance with the Pretexting Rule requires that you have mechanisms in place to detect and mitigate unauthorized access to personal, non-public engineering information.
The Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS seeks to ensure that all companies that accept, process, store, or transmit credit card information keep their data secure.
There are six control objectives and 12 requirements for PCI DSS compliance, but we will focus on the ones that are specific to data protection: Network and system security, cardholder data protection, and access control measures.
Network and system security
Using and maintaining firewalls will help block and prevent unauthorized access to your systems and network. A firewall monitors and restricts incoming and outgoing network traffic using your defined rules and requirements. For example, your organization may have firewalls installed at your network perimeter to prevent external threats and within the network to protect against insider threats.
To be effective, your passwords should be long, complex, and unique. Avoid common, easy to guess passwords and use a mix of letters, numbers, and symbols. For example, 123456 is commonly used and easily cracked, but a password such as 550-350=TwoHundred is much stronger. Be sure to reset default passwords on your devices and applications, enable session timeouts, and encrypt passwords during transmission and storage.
Cardholder data protection
Protecting cardholder data requires that you encrypt the data and protect it with encryption keys. Primary account numbers (PANs) must be stored in an unreadable form, ensuring that data cannot be read and used by a would-be attacker.
In addition to encrypting stored data, you also need to encrypt data in transit across public networks. You must ensure that your wireless networks follow industry best practices for data encryption, authentication, and transmission.
Access control measures
Restrict access to only authenticated users using individual credentials and identification for access. Unique identifications increase user accountability for their actions and enhances system monitoring.
Ensure that only authorized personnel can access devices and systems that contain cardholder data.
General state healthcare and insurance laws/regulations
Many states have their own rules for data privacy, some of which are even more rigorous than HIPAA requirements.
For instance, the California Confidentiality of Medical Information Act (CMIA) requires that medical and insurance companies obtain written authorization from the patient to disclose medical information.
If an individual’s PHI is compromised, the CMIA makes it possible to file a lawsuit against the person or entity and potentially recover compensatory and punitive damages.
The New York Department of Financial Services Cybersecurity Regulation (NYDFS Cybersecurity Regulation) applies to banks, insurance companies, and all other financial service institutions.
Under the NYDFS Cybersecurity Regulation, you must have a cybersecurity program in place that addresses information security, access controls, and provisions for regular risk assessments.
The role of encryption in HIPAA compliance
Encryption keeps information safe from unauthorized access and use by potentially malicious third parties. The Department of Health and Human Services (HSS) identifies encryption as the best practice to safeguard data from being compromised.
HIPAA data protection requires information to be encrypted both in transit and at rest. Data that is considered at rest is inactive and can be stored in a digital medium such as an organization’s server hard drive. Data in transit is actively transferring from a sender to a receiver at a specified destination (such as sending consumer information via email).
The importance of secure data storage
Ensuring that data is secured properly is paramount to compliance with applicable data laws and regulations. However, insecure data storage is more common than you may realize.
Examples of insecure storage include the following:
Storing unencrypted sensitive data.
Storing sensitive data with weak encryption algorithms.
Storing sensitive data in a shared location.
Using vulnerable components, such as libraries or frameworks.
The healthcare and insurance industries are at an increased risk of cybersecurity attacks because of the volume of sensitive data they collect.
For instance, the finance/insurance industry experienced 721 data breach incidents in 2021, and 467 of those incidents confirmed data disclosure. In the same year, the healthcare industry reported 712 data breaches, impacting hundreds of thousands of individuals.
If you fail to properly abide by laws and regulations for securing sensitive data, there can be legal, financial, and professional consequences.
Failure to comply with HIPAA provisions can result in financial penalties that range from $100 to $50,000 per violation. When cited for numerous compliance failures, these penalties can leave a company responsible for a maximum cost of $25,000 to $1.5 million per year, depending on what caused the violation and how quickly the violation is corrected.
PCI DSS compliance violations can cost you $5,000–10,000 per month in fines. Noncompliance can also lead to reputational damage, lawsuits, insurance claims, and additional governmental fines.
Penalties for GLBA non-compliance include fines of up to $100,000 per violation against the financial institution. Noncompliant individuals face fines of up to $10,000 per violation. There are also criminal penalties, such as license revocation and prison time.
How WinZip Enterprise helps you meet data protection requirements
WinZip® Enterprise uses Advanced Encryption Standard (AES) encryption, a bank and military-grade encryption service that is compliant with all major standards, including FIPS 140-2.
The National Institute of Standards and Technology (NIST) encourages the use of AES encryption to meet HIPAA requirements. AES encryption is known for its ability to provide long-lasting protection against brute force attacks, which is why it is the most widely used file encryption solution.
When data is stored or transported on removable media, such as a USB drive, the device must be properly protected against unauthorized access. WinZip SafeMedia™ empowers your IT admins to customize and uphold security protocols and standards that keep data on removable media secure.
WinZip Enterprise also protects against data breaches through centralized IT control. This ensures that users adhere to your password policies, encryption standards, and access controls to prevent data loss.
Learn more about how WinZip Enterprise help your organization stay HIPAA compliant.