HIPAA By the Numbers

With at least 20 million employees in over 901,000 businesses, the healthcare, and social assistance sector is the largest employer in the United States. The Health Insurance Portability and Accountability Act (HIPAA) applies to nearly all of these people and businesses and impacts patients as well.

The law sets standards regarding the privacy and security of patient medical records and the right of access to records. While the law was written in such a way that it’s often difficult to understand how best to meet those standards, looking at HIPAA by the numbers will yield some insight.

HIPAA By the Numbers – One (1)

HIPAA compliance is binary. If you fail to meet one (1) standard outlined in HIPAA, you are not compliant. The law is the ultimate pass/fail exercise.

HIPAA By the Numbers – Three (3)

The HIPAA Security Rule outlines three (3) types of safeguards needed to secure patients’ protected health information (PHI) –  Physical, Technical, and Administrative.

Physical Safeguards are the “nuts and bolts” of security. The locks on the doors of your offices, your security system, and even the software you use to protect your data are all examples of physical safeguards. Other examples of physical safeguards include screen barriers to prevent PHI from being seen in high-traffic areas, and keycards and keys to control access to areas where PHI is stored.

Technical Safeguards often refer to how you use your physical safeguards. For example, the software you use for access control would be a physical safeguard, but how you configure it to limit access is the technical safeguard. When properly configured, technical safeguards can assist in securing data automatically.

Administrative Safeguards failures are responsible for the most significant number of HIPAA violations because they affect the aspect of your organization that is hardest to control – your people. Examples of administrative safeguards are HIPAA policies and procedures, risk management processes, security awareness contingency planning, and business associate contracts.

HIPAA By the Numbers – Four (4)

HIPAA’s rules and regulations can be reduced to four (4) rules within the law.

The HIPAA Privacy Rule establishes the basic minimum standards for the privacy protection of patients’ PHI for covered entities such as healthcare providers, health insurance companies, and healthcare data clearinghouses. It also ensures that patients have right-of-access to their personal medical records.

The HIPAA Security Rule establishes the minimum security standards to protect patients’ electronic protected health information (ePHI). Some of these include requiring ePHI to be encrypted while being stored and transmitted and using multi-factor authentication when accessing systems containing ePHI.

The HIPAA Breach Notification Rule establishes requirements for providing patients, the Secretary of the Department of Health and Human Services (HHS), and possibly the media with notification of a breach of unsecured PHI, depending upon the number of records breached.

The HIPAA Omnibus Rule extends the protections of the HIPAA Privacy Rule to business associates (business partners used by covered entities that take possession of information containing patient PHI). It also requires Business Associate Agreements between covered entities and business associates that outline responsibilities for protecting PHI.

HIPAA By the Numbers – 18

The HIPAA Privacy Rule identifies 18 types of personal information that constitute PHI or ePHI.

These are:

1. Name
2. Address (including subdivisions smaller than states, such as a street address, city, county, or zip code)
3. Any dates (except years) directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
4. Telephone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate/license number
12. Vehicle identifiers, serial numbers, or license plate numbers
13. Device identifiers or serial numbers
14. Web URLs
15. IP address
16. Biometric identifiers such as fingerprints or voiceprints
17. Full-face photos
18. Any other unique identifying numbers, characteristics, or codes

HIPAA By the Numbers – 30

A healthcare provider must respond to a patient’s right-of-access request for medical records in some manner within 30 days of receiving it. Failure to do so would be a HIPAA violation.

HIPAA By the Numbers – 60 and 500

If a breach affects less than 500 individuals, affected patients and the HHS secretary must be notified within 60 days of the end of the calendar year in which it occurred.

If the breach affects 500 or more individuals, involved patients and the HHS secretary must be notified within 60 days of the discovery of the breach’s discovery, and local media must also be notified.

HIPAA By the Numbers – 4,406 and 312,816,560

Through the end of November 2022, there have been 4,406 breaches of 500 records or greater reported to the Secretary of HHS on the U.S. Department of Health and Human Services, Office for Civil Rights Breach Portal, representing a total of 312,816,560 patient records.

Some records were likely reported multiple times because they were stored in more than one location, such as a physician’s office and a vendor providing billing or mailing services to the physician. In any case, it means a lot of patient PHI has been exposed.

HIPAA By the Numbers – $16 million

The largest fine ever issued by HHS was $16 million against Anthem health insurance. The HHS Office for Civil Rights (OCR) investigated the 2015 breach that affected the PHI of at least 78,800,000 patients and entered into a resolution agreement with Anthem that included a robust corrective action plan.

After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014, and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to review information system activity regularly, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

While most violations do not yield fines as hefty as the one imposed on Anthem, the HHS fines structure considers an organization’s responsibility and awareness of what should be done to comply with the law.

Contributed by Compliancy Group

Need assistance with HIPAA compliance? Compliancy Group can help! They help healthcare organizations achieve HIPAA compliance with Compliance Coaches® guidance. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!