The United States' Health Insurance Portability and Accountability Act (HIPAA) regulates how organizations like hospitals and insurers must control and manage protected health information (PHI). HIPAA defines the steps that these organizations must take to prevent, identify, and respond to known or suspected security incidents. But to protect patient data privacy, you need more than training and procedures to help you comply with HIPAA – you need effective data governance technology.
HIPAA compliance is essential, but no longer sufficient
Since 1996, HIPAA requirements have provided essential guidance to organizations that must protect the critically important PHI entrusted to them by patients. But while these regulations are important and essential, they are showing their age – especially when compared to industry standards like the Payment Card Industry Data Security Standard (PCI DSS) that are continuously updated to require the use of security-enhancing technologies.
While HIPAA regulations are comprehensive in terms of defining requirements, they leave it to individual organizations to decide which technologies they'll use to meet those requirements. So unlike PCI, HIPAA tells you what you need to do, but doesn't steer you toward technologies that will help you go beyond compliance to deliver true data privacy.
In 1996, "manual data governance" – controls involving locked filing cabinets, tracking numbered sets of keys, and other procedures that exist only in personnel manuals and periodic training – was the best available option for many organizations.
But a lot has changed in the 25 years since HIPAA was passed. And with the digitization of most medical records, controls that don't incorporate data governance technology look woefully out of date. The need for better security for electronic health records (EHRs) is why the US Congress passed the HITECH Act, which requires business associates of HIPAA-covered organizations to observe the HIPAA Privacy Rule. With EHRs becoming increasingly common, it's imperative that organizations covered by HIPAA and HITECH strengthen their data governance practices.
HIPAA training often touts the importance of a "security-aware organization" as the key to protecting HIPAA data. But our perspective as specialists in protecting sensitive data from breaches is: organizational security awareness is necessary, but not sufficient, to ensure medical data privacy.
Minimal compliance means negligible medical data privacy
Unlike PCI, HIPAA tells you what you need to do, but doesn't steer you toward technologies that will help you go beyond compliance to protect medical data privacy. And because HIPAA doesn't have an up-front certification process like PCI certification, organizations must manage HIPAA compliance themselves.
Combining the lack of up-front certification with the lack of detailed technical guidelines, it's no wonder that so many organizations experience HIPAA data breaches and end up on the HHS HIPAA breach "wall of shame" website. In 2021 alone, 45.7 million patient records were breached from over 700 organizations. These organizations probably thought that they were doing enough to be compliant with HIPAA, and maybe they were "compliant". But compliance defines a minimum bar that you need to surpass to deliver true data privacy, and demonstrating compliance won't get your breach removed from the "wall of shame". It also won't protect your organization from fines. Since April of 2003, organizations have paid $131 million for failing to protect data as required by HIPAA.
That's why it's worthwhile to go beyond what HIPAA requires by using infrastructure that enforces data governance, generates an audit trail, and otherwise builds HIPAA compliance into your infrastructure and workflows. Because while a security-aware organization is necessary to protect PHI data, you need security-enhancing technology to truly protect PHI data from data breaches.
Giving substance to the minimum necessary standard
One good example of an important HIPAA regulation that you can better enforce with data governance technology is the Minimum Necessary Standard. This rule states that no data request should include data beyond what's necessary, and no data response should go beyond what's necessary. This rule is explained in HIPAA training, but if that training is the extent of your enforcement of this rule, your organization's reputation is depending on an honor system.
Relying on employees who face conflicting deadlines and other pressures to carefully scope down their data requests and responses isn't a robust way to implement this rule. On the other hand, having data governance that combines account-based and role-based access control can make it easy for both sides of data exchanges to honor this rule. Such controls make compliance with the Minimum Necessary Standard the "path of least resistance" for a data requestor. Without such controls, the path of least resistance leads to over-requesting data, and eventually to the HIPAA "wall of shame".
Securing PHI with isolation, tokenization, and redaction
Beyond access control, it's important to use the digital equivalent of the locked "HIPAA records room" to protect PHI. What's the digital equivalent of the HIPAA records room? A combination of the following techniques helps to protect PHI data from breaches and protect your organization from a HIPAA violation:
- Isolation: Just like paper HIPAA records aren't in the same filing cabinet as facilities maintenance records, electronic HIPAA records shouldn't be in the same databases you use for the rest of your organization. The first step to secure PHI is to separate it from other data and treat it differently.
- Tokenization: Tokenization is a technique where sensitive data is replaced by a "token" – a string that has no exploitable value and acts as a placeholder for that sensitive information. Getting the sensitive information back by "detokenizing" it is quick, and yet provides an extra layer of security.
- Redaction: Redaction is a security technique that allows sensitive data to be partially or fully hidden, depending on the context. For example, you could use redaction so that anyone who tries to view a patient's SSN for verification purposes can only see the last four digits.
If you're currently taking a minimal approach to HIPAA compliance that relies more on your personnel manual than on robust data governance technology, you should reconsider whether a minimal approach really safeguards your business and the PHI that you manage. Investing in robust PHI data privacy is money, and time, well spent.