HIPAA: Compliance Guide for the Security Leader

In the healthcare industry, the security and privacy of data is one of the most important tenets of delivering and receiving quality care. Trust is paramount—trust must be maintained; once lost, it is nearly impossible to recover. People understandably expect their personal health information to be kept secret.

Regulations have been developed over time for insurance companies, service providers, and health professionals alike to help them employ and enforce data privacy policies and procedures. Indeed, the rules apply to anyone accessing or using protected health information (PHI). The primary such law in the U.S. is the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

What is HIPAA?

HIPAA establishes “national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” 

At HIPAA’s core are five Titles / amendments which improve the administration and coverage of both health and life insurances. There are several individual rules in addition to privacy, namely security, enforcement, patient safety, and breach notification.

For leaders focused on data both from a security and privacy perspective, Title II’s (HIPAA Administrative Simplification), Privacy Rule, and Security Rule are the most relevant. 

Title II enacts “national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. […] Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.” 

The Privacy Rule asserts “individuals’ rights to understand and control how their health information is used.” 

The HIPAA Security Rule has broader implications for electronic PHI (e-PHI) to “ensure the confidentiality, integrity, and availability” of such data.

What is PHI?

“PHI” is used as a catch-all for health data … “patient”, “personal”, “private”, “protected”, etc., depending on which site you read. According to the US Department of HHS summary of the law, “protected” is the preferred moniker and applies to metadata, records, transactions / sharing, plans and payments. But is there any personal data that doesn’t qualify as PHI? 

Yes. Title II defines 18 unique “identifiers” of e-PHI (such as the record number of a treatment document) but “de-identified” data—information that has had any markers associating it with a particular person removed or obfuscated—is not subject to the same restrictions or regulation. 

According to section 164.514 of the final rule text, the following are considered data identifiers (HIPAA was approved more than twenty years ago, and there’ve been many new technologies introduced since. There could be new data types that wouldn’t fit these attributes):

1. ​Names
2. State, street address, city, county, precinct, zip code, and their equivalent geocodes
3. ​​​​​Dates (except year) including birth, admission, discharge, death; ages over 89 
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code

How can Cyera help me comply with HIPAA’s data requirements? 

Cyera offers a comprehensive approach to health information discovery, enabling you to better protect customers’ privacy by analyzing and reporting on data location, type, status, age, and other data-related context. This context can then be used to anonymize, delete, and control data to meet HIPAA’s requirements.

1. De-identification

Since data in your organization likely exists in many places and for many uses, you first need to inventory and classify it, which directly addresses section 164.502-(B)(2)(d) regarding “uses and disclosures of de-identified protected health information” in the standard. 

Cyera tells you whether data is de-identified or not, and its format whether masked, hashed, encrypted, redacted, or tokenized. If you have covered PHI that is not de-identified, then it must be processed and anonymized before it can be disclosed or used.

2. Data lifecycle management 

Section 164.530(iv)(2) mandates a retention period for documentation by a covered entity: “six years from the date of its creation or the date when it last was in effect, whichever is later”. However, PHI differs from systems documentation. The retention period does not actually apply to PHI, but to records contained in security logs, BCDR plans, policies, etc. that are used to administer the data processing system. HIPAA does not have retention requirements for patient records, other than the six-year access rule, differentiating a covered entity (e.g., a hospital) vs. one that processes but does not own data (e.g., a storage platform). 

Cyera summarizes the dates of your data including the creation and last modification date, helping you determine which files are in or out of compliance. This helps prevent accidental deletion before the period ends and enables migrating data (such as over 2 years) into cold storage for cost savings.

3. Access control

The HIPAA Security Rule cites the principle of “minimum necessary”, also known as “least user access”, to reduce exposure in these cases by encouraging administrators to restrict data usage according to role, classification, group association, or other manageable criteria. Specifically, “a covered entity must develop and implement policies and procedures that restrict access and uses of [PHI] based on the specific roles of the members of their workforce.”

Cyera helps you enforce Data Access Governance (DAG) policies. Cyera tells you the level of risk that the data presents. By understanding the risk of data, you are better positioned to decide what access controls are most appropriate for the data. 

In addition, Cyera tells you who has access to PHI including current and former employees. With this information, you can limit access to only those who need the data and remove access to former employees. 

4. Dynamic classification

The level of security needed for an asset depends not only on the risk today, but the risk tomorrow. If a file loses its importance in six months, then you probably don’t need quantum-encryption. But if PHI needs to be kept for six years, you’ll need to ensure that the data remains secured just as long. The Administrative Safeguards of the Security Rule provide additional context around data oversight, such as risk and vulnerability assessments and response plans. These, in particular, are subject to a HIPAA (or other) audit.

Because data itself is dynamic, your understanding of data should also be dynamic. Cyera informs you about the changing state and therefore sensitivity of your data. At one point in time, the data may be about a data subject who is a minor. Months later, that same data may be about an adult. The context about what your data represents at different points in time can help you apply the appropriate levels of information governance to the data. 

The way you govern your data also depends on identifiability – if that data can be linked to a specific individual. Cyera highlights when data is exposed as plaintext or de-identified in your environment. ‍

5. Safeguards

From section 164.530-(c)(1), “A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional […] disclosure of [PHI …] and to limit its incidental use […].” Such technical safeguards (164.312(a, b, c)) might include role-based access controls (RBAC), intrusion detection systems, and even employee security training.

Cyera tells you the context of your security controls  Context indicates if the data was redacted, encrypted, transformed by another method, or exposed as plaintext. Context will also show you if the datastore is accessible and by who (e.g., if it is open to all employees, a single department, specific people, or the internet).

Support HIPAA compliance with Cyera

The technical, legal, and procedural requirements under HIPAA are varied and complex. But with the proper approach, you can understand the depth and distribution of PHI in your organization, and Cyera will get you audit-ready with deep discovery and data security posture analysis tailored to your healthcare organization.

Cyera’s data security platform provides deep context on your data, applying correct, continuous controls to assure cyber-resilience and compliance.

Cyera takes a data-centric approach to security, assessing the exposure to your data at rest and in use and applying multiple layers of defense. Because Cyera applies deep data context holistically across your data landscape, we are the only solution that can empower security teams to know where their data is, what exposes it to risk, and take immediate action to remediate exposures and assure compliance without disrupting the business. 

To learn more about how you can support HIPAA compliance with Cyera, schedule a demo today.