It is important to make security a priority whenever your business data travels over the internet.
Data breaches in the healthcare industry are on the rise. In the first five months of 2022, the number of reported breaches was twice the amount compared to the same time period in 2021.
Experiencing data breaches devalues the integrity of any organization, but leaks of unprotected personal health information affect individuals too. Health information is valued on the black market at about $250 per record.
Encryption is a key component of the Health Insurance Portability and Accountability Act (HIPAA) because it can help prevent breaches. In the event of a data leak, if the protected health information (PHI) is secured through encryption and the key remains secure, then it does not have to be reported to the Department of Health and Human Services (HHS).
The encrypted information is considered unusable to unauthorized parties, so only the data leak itself warrants action. This makes encryption a key resource for organizations subject to HIPAA and other data privacy regulations.
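The safe-harbor reasoning above rests on two properties: the stored PHI must be unreadable without the key, and the key must be kept apart from the data. The following Go program is an added illustration, not code from the article or from WinZip; it encrypts a constructed sample record with AES-GCM (AES-128, -192 or -256 as the key size dictates), then shows what a leaked blob looks like to someone without the key and that any alteration of the blob is detected on decryption. The record contents and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random AES key of the requested size. AES accepts only
// 128-, 192- or 256-bit keys, so anything else is rejected up front.
// In a real deployment the key lives in a key manager, never beside the data.
func NewKey(bits int) ([]byte, error) {
	switch bits {
	case 128, 192, 256:
	default:
		return nil, fmt.Errorf("unsupported AES key size: %d bits", bits)
	}
	key := make([]byte, bits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one PHI record with AES-GCM. The output is
// nonce || ciphertext || authentication tag, so the blob carries everything
// needed to decrypt it and any modification is detected on decryption.
func SealRecord(key, record []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, record, nil), nil
}

// OpenRecord reverses SealRecord. It returns an error, and no partial
// plaintext, when the key is wrong or the blob has been altered.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN=000123;name=Jane Doe;dx=J45.20")
	key, _ := NewKey(256)
	sealed, err := SealRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes), no plaintext visible: %x\n", len(sealed), sealed)

	// Simulated leak of the stored blob: a different key cannot open it.
	wrongKey, _ := NewKey(256)
	if _, err := OpenRecord(wrongKey, sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	// Flipping a single bit of the blob is detected as well.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenRecord(key, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	// Only the legitimate key holder recovers the record.
	plain, err := OpenRecord(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the right key: %s\n", plain)
}
```

The blob shown by the first line is what an attacker obtains from a leaked backup or file share; without the separately held key it is the "unusable" data the safe-harbor provision describes, which is why key storage and key access logging deserve the same attention as the encryption itself.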
For these reasons, electronic health information exchange must be secure. In this article, we will explore what secure exchange is, why it’s important, and how to use tools like WinZip® Enterprise to protect your organization’s sensitive and confidential data.
What is secure exchange?
The secure exchange of protected health information is regulated to ensure patient privacy and information availability, and it enables healthcare providers to retrieve their patients' data quickly.
Three primary forms of secure exchange exist:
- Directed exchange. Directed exchange of patient information happens between healthcare providers and has a specific sender and receiver. Healthcare providers may transfer information via direct secure email, fax, text, and phone calls. These avenues of communication are not HIPAA compliant by default, so IT administrators will need to determine an appropriate service to ensure security.
- Query-based exchange. Query-based exchange typically happens when unplanned care occurs and a receiver is requesting information from many potential senders. Healthcare providers request PHI from organizations and receive it securely to deliver the best care.
- Consumer-mediated exchange. Consumer-mediated exchange is a form of exchange in which the patient receives their own information from healthcare providers for purposes such as correcting mistakes, distributing it to other providers, and tracking health and billing information.
HIPAA requirements for businesses
Electronic health information exchange (HIE) helps healthcare providers access and share patient medical data electronically. This ensures that medical professionals have a more complete patient record to work with and facilitates timely sharing of important information.
HIE also plays an important role in standardizing patient data. It improves patient care because the individual’s electronic health record (EHR) will contain all relevant clinical information needed to improve evidence-based decision making and other care-related activities.
To ensure that the privacy and security of patient data is maintained at all times, healthcare organizations must follow certain state and federal regulations, such as HIPAA and the California Confidentiality of Medical Information Act (CMIA). When it comes to HIPAA requirements for secure exchange, businesses must comply with safeguards contained within the Privacy Rule and Security Rule.
The Privacy Rule addresses the following:
- Conditions under which PHI may be used or disclosed without direct authorization from an individual.
- What security measures must be taken to protect PHI.
- How individuals may direct their healthcare providers to disclose information to other covered entities—organizations which are subject to the Security Rule.
The Security Rule specifies how electronic PHI (ePHI) covered by the Privacy Rule is to be safeguarded against threats to privacy, integrity, and availability. It contains required measures that must be taken by businesses as well as addressable implementations that enable businesses to take reasonable safeguards of their choosing instead. For example, encryption is an addressable issue which businesses must handle themselves or through a third party.
Examples of PHI are name, contact information, address, social security number (SSN), and information related to payments for healthcare. Any disclosure or impermissible use of unsecured health information is considered a breach.
Potential outcomes of HIPAA noncompliance may come from your employer, such as termination, or extend as far as criminal charges—namely fines and imprisonment—as well as being sanctioned from professional boards.
The HHS requires HIPAA compliance from covered organizations and from any business associates they engage whose work involves the use of PHI. Business associates may include accountants, consultants, and technical support roles. For example, IT professionals brought on to secure cloud services for ePHI storage are associates of the covered organization.
Some of the HIPAA requirements for businesses include:
Privacy procedures. Appropriate standards consistent with the Privacy Rule must be made and enforced by covered entities. The Security Rule applies to any ePHI your company creates, receives, maintains, or transmits, all of which must be secured. Every form of ePHI is required to be protected through appropriate data safeguards such as encryption, strict access controls, and backups.
Additionally, a chief privacy officer (CPO) must be appointed to oversee a privacy oversight committee which will aid in enforcing compliance. Part of the committee’s responsibilities will be training employees in HIPAA compliance when they are brought into a role that involves PHI, or when risk assessment demonstrates a need for corrective training.
Risk analysis. Covered entities are responsible for annual risk analysis, which is defined as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”
The HHS categorizes some potential threats to information systems containing ePHI as human, natural, and environmental. Examples include the uploading of malicious software to information systems, natural disasters, and long-term power outages which render ePHI inaccessible, respectively.
Breach Notification Rule. This rule requires covered entities to report any breach of unprotected PHI to the individuals it affects, to the HHS, and potentially to the media. When 500 or more individuals of a state or jurisdiction are affected, notices of the breach are not to be delayed unreasonably, must be distributed to the local media, and must be submitted within 60 days of discovery.
When fewer than 500 individuals are affected, the media does not need to be notified, and reporting the incident to the HHS may be submitted as late as 60 days after the end of the calendar year in which it occurred. It is important to note that the burden of proof for every mandatory notification of breached PHI lies with the covered entities and applicable business associates.
Omnibus rule. Business associates are fully liable for HIPAA noncompliance, including resulting fines. A situation where business owners may still be fined for an associate’s noncompliance occurs when the covered entity cannot disprove willful negligence to HHS. The Omnibus rule resulted in the new standards found in other sections, such as the current rules regarding breach notification.
Why secure exchange is important
Health information is personal, so data breaches leaking that information to malicious parties can result in harm to the individuals whose PHI was exposed.
PHI is valuable in underground markets because it has a long shelf life. Individuals are unlikely to know about the data breach until it is detected and reported by the responsible organization.
When credit card information is stolen, typically the card is cancelled and the charge is reported as fraudulent, but PHI does not have the same luxury. Victims of data leaks cannot cancel their medical history and get a new one.
Potential abuse of stolen information includes receiving medical treatment using the victim’s identity, filling the victim’s prescriptions, and issuing fake medical claims.
Implementing secure electronic health information exchanges opens your organization to the following benefits:
- Enhanced efficiency. Secure exchange gives healthcare providers access to relevant PHI, eliminating the need for patients to fill out medical history paperwork at new facilities.
- Optimized treatment. Interoperability of PHI between healthcare providers enables better prediction of patient needs and coordination of health and billing plans.
- Streamlined workflows. Physicians can use patients' real-time data to prevent duplicate testing and procedures, especially in care partnerships, promoting efficient treatment.
- Reduced errors. Standardized HIE means physicians always know where to find relevant medical information for patients, such as the timing and dosage of administered medication.
- Improved health monitoring. Patients and healthcare providers have the means to view a comprehensive medical history, which can be used to better understand the patient's health.
How WinZip Enterprise facilitates secure exchange
Need ironclad security to be HIPAA compliant? WinZip Enterprise offers leading encryption tools that feature customization of encryption standards, backup schedules, and centralized IT control.
Military-grade FIPS 140-2 validated AES encryption with customizable key size keeps important data safe in-transit and at-rest. With WinZip Enterprise’s integration of Windows Information Protection (WIP) and deployment and enforcement of security policies, everyone remains HIPAA compliant.
Staying HIPAA compliant can be strenuous, but the tools that make it possible do not have to be. Transferring PHI is no hassle with WinZip Enterprise's secure enterprise file transfer, as it keeps your files encrypted and safe from unauthorized parties and data loss.