Healthcare information security

Overview of Regulations and Compliance

Infosec
September 2, 2016 by
Infosec

Introduction

The healthcare industry consists of a large pool of individuals and entities. There are of course doctors and nurses, but there are also administrative staff which could include everyone from the hospital CEO, the IT department to the medical secretaries. There are also the insurance companies and their staff, clinics, hospitals, nursing homes, pharmacies and labs. Because the healthcare field consists of so many varying entities and individuals, the regulatory system is also complex. For those that work in this field, they are potentially dealing with issues concerning life and death, so this has to be a highly regulated field.

For many people, when they think of compliance or regulations within the healthcare field, their first thought is HIPAA, the Health Insurance Portability and Accountability Act, as that is the most well-known medical standard for privacy. If you’ve ever been to the doctor, you probably signed a HIPPA notification form informing you of your right to privacy concerning your records.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Aside from HIPPA, there are a multitude of regulations that are mandated for the healthcare industry. Healthcare professionals have to adhere to the Joint Healthcare Commission accreditation standards, the Health Department rules, CMS (Centers for Medicare & Medicaid Services), EMTLA (The Emergency Medical Treatment and Labor Act), DRG (Diagnostic Related Grouping), and a host of other rules and regulations regarding medication administration, continuity of care, patients’ rights, staff to patient ratios, and the number of hours staff are able to work within a 24-hour period.

The U.S. Department of Health and Human Services (HHS) issue many of the regulations for healthcare providers. Under the Regulatory Flexibility Act of 1980 and Executive Order 12866, the HHS is required to issue a summarized statement concerning soon to be issued regulatory actions and to inventory current rules. They are also mandated to review the current rules and update them as current trends demand.

What are the major healthcare compliance standards and regulations?

The Office of the National Coordinator (ONC) for Health Information Technology is the main organization working to create and mandate regulation and compliance standards in the healthcare industry as it relates to Information Technology. The Health Information Technology for Economic and Clinical Health (HITECH) Act is a major IT regulation in the healthcare field. It established the ONC and provides the HHS with the authority to establish and enforce policies related to the electronic exchange of health related information.

As stated earlier, HIPAA, is one of the most well known standards in healthcare. HIPAA was established in 1996, but it works in conjunction with the HITECH act that was established much later, in 2009, to help establish standards to protect electronic records and transactions. The two acts both make references to each other, and when the ONC meets with other organizations to collaborate on current trends and needs regarding IT regulations, they use these two as their foundation for establishing any new policy.

The FDASIA (Food and Drug Administration Safety and Innovation Act) of 2012 is another act that addresses IT security needs in healthcare. This act was written to help establish a risk based framework in reference to IT in healthcare.
(Healthit.gov).

Who do they apply to?

All of the listed regulations apply to all healthcare providers. Anyone who works in the healthcare field, including nurses, doctors and practitioners, as well as hospitals, clinics, pharmacies, nursing homes and even insurance companies. Patients are also expected to abide by the rules under these regulations. The rules are in place to protect them, and to ensure they know their rights, but the patients themselves are also expected to protect the rights of other patients. That is why if you find yourself in a line at a healthcare facility you may be asked to stand a certain amount of space away from the front desk if another patient is in front of you to ensure their privacy. As healthcare records continue to become more digital, these regulations could also be used to prosecute anyone who purposefully tries to access a patient’s records, or if they hack a medical device.

How much IT Security is covered?

IT security in the healthcare field is still a bit behind the curve compared to other industries, but there is regulation in place to address these concerns. The FDASIA, HITECH and HIPAA are the three acts that cover most IT Security related concerns.

Section 618 of the FDASIA is the portion of the act that speaks specifically to IT regulations. The ONC and FDA worked together to construct a proposal for a risk-based regulatory framework for Health IT. In regards to security, they even worked with NIST (National Institute of Standards and Technology) to better refine the standards. NIST, the industry standard for IT security regulations, write the standards used and enforced by the federal government. Under the FDASIA, providers are expected to follow suggested guidelines to protect digital data, and the exchange of patient information. Healthcare organizations will be expected to go through accreditation and certification standards. The plan is to incorporate those standards into the already established Joint Commission’s existing accreditation program. The entire heath report for the FDASIA can be read here.

The HITECH act was established to regulate the use of an Electronic Health Record (EHR) system, and mandate how access to the system is handled. Patients have the right to receive their electronic health information, and they can determine who else has the right to view and receive it. HITECH also mandates how third party vendors may be responsible for the creation of the EHR systems (the software and hardware vendors), and how they access and handle the electronic data contained within the system. They are under the act requirements as well and could face harsh penalties if found in violation.

HIPAA also addresses some IT security related concerns. HIPAA is more specifically broken down into a privacy and security rule. The Privacy Rule, known as the Standards for Privacy of Individually Identifiable Health Information, is the foundation for protecting health related information. The Security Rule, also known as the Security Standards for the Protection of Electronic Protected Health Information, specifically addresses how to handle Electronic Protected Health Information (e-PHI). The rule creates policy to ensure this information is protected and, under its General rule, it specifically requests healthcare organizations to consider the following when deciding which security measures to use:

  • Size, complexity and capabilities
  • Technical infrastructure
  • Costs
  • Potential risks to e-PHI

These are the items to consider, but the security rule does not dictate, or mandate, a particular framework or particular security measures. For example, nowhere in this rule does it mandate the use of a set backup schedule to ensure data is properly stored, nor does it mandate the use of any type of virus scanning or an intrusion detection system. The security rule does get more specific and makes suggestions in relation to the Administrative, Physical, and technical safeguards. Below are the items for consideration for each safeguard.

Administrative:

  • Security Management Process
  • Security Personnel
  • Information Access Management
  • Workforce Training and Management
  • Evaluation

Physical:

  • Facility Access and Control
  • Workstation and Device Security

Technical Safeguards

  • Access Control
  • Audit Controls
  • Integrity Controls
  • Transmission Security

These policies help to create a framework for security considerations but lack in detailed compliance standards. They may suggest having a secure infrastructure but provide no specific details on how that is achieved. With the massive amount of other regulation and compliance issues, and with the rise in healthcare costs, healthcare organizations may not have the funds to have the latest and greatest technical security measures. Even if they do have the means to expand their IT department, they may not have the desire to, when that money could be allocated to other uses. As technology advances in healthcare progress, these regulations may have to provide further details on how to best achieve their security goals.

What is the trend for healthcare regulations?

With the implementation of the Affordable Healthcare Act, most regulation trends are geared towards ensuring there is a value based model, and regulating insurance and insurance costs. There will be more pressure to keep pricing low and affordable, and regulation will continue to change to reflect those needs.

Hospitals continue to be the targets of hackers, and technology continues to change and advance in regards to healthcare. Many medical devices used are now hackable and require evaluation for risk. HIPAA is one of the biggest health regulations around, and healthcare organizations will need to increase their digital data security protections to ensure they do not receive violations which would in turn affect their accreditation and operational status. Costs and privacy will always be top concerns for organizations responsible for creating healthcare policy and regulations.

Conclusion

The healthcare industry has a large number of regulations and compliance standards they must follow. The list can be a bit daunting and overwhelming, but these rules are in place to protect patients from healthcare disasters as well as to safeguard their privacy. Some of these rules, like those set by HITECH, FDASIA and HIPAA, are in place to also consider the technological rules that need to be in place, but these regulations do not provide specifics on how to best implement security. In order to avoid data breaches, more specifics may need to be written to ensure healthcare organizations have properly trained staff as well as advanced technical security measures to keep our data safe.
Page Break

References

http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2730786/

http://www.medicalrecords.com/physicians/general-overview-of-emr-regulations

https://www.jointcommission.org/

https://www.federalregister.gov/articles/2015/12/15/2015-30620/regulatory-agenda

https://www.cms.gov/regulations-and-guidance/regulations-and-guidance.html

https://www.cms.gov/Regulations-and-Guidance/Legislation/EMTALA/

https://www.verywell.com/drg-101-what-is-a-drg-how-does-it-work-3916755

http://www.hhs.gov/regulations/

https://www.healthit.gov/policy-researchers-implementers/health-it-legislation

https://www.healthit.gov/FDASIA

https://www.healthit.gov/sites/default/files/fdasia_healthitreport_final.pdf

http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

https://www.healthcatalyst.com/top-healthcare-trends-challenges

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

http://www.hipaasurvivalguide.com/hitech-act-summary.php

Infosec
Infosec