October is National Cybersecurity Awareness Month (NCSAM), “a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online” (National Initiative for Cybersecurity Careers and Studies (NICCS), 2019, p. 1). This awareness does not stop in October though, all health professionals must be vigilant twelve months of the year.
Cybersecurity is an important topic in healthcare, often spurred by the need to be HIPAA compliant. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was first introduced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) to set standards to guard protected identification health information (PHI) and privacy and to establish administrative simplification. A final Privacy Rule was published in 2000 which was later updated in 2002. “This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically” (Office for Civil Rights (OCR), 2017, p. 1).
The Privacy Rule goes beyond protection of patient health information (PHI) – it also mandates patient access to their own information by giving “…individuals important rights with respect to their protected PHI, including rights to examine and obtain a copy of their health records in the form and manner they request, and to ask for corrections to their information. Also, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes” (The Medicare Learning Network, 2018, p. 2).
In 2003, the Security Rule was added to the HIPAA Act and established mandatory compliance by 2005. “The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties” (Office for Civil Rights (OCR), 2013b, p. 1).
Three other rules emerged from revisions of HIPAA over the years, including the Enforcement Rule (to enforce compliance); the Omnibus Rule (that added provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to reinforce privacy and security of information); and the Breach Notification Rule.
“A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate” (Office for Civil Rights (OCR), 2013c, p. 1).
Despite best efforts, a data breach may occur within a healthcare setting. Whether the breach occurs in a private office, clinic, medical home, hospital or during virtual care, there are strict steps that the agency must follow in accordance with the HIPAA - HITECH Data Breach Notification Rule. PIH is not restricted only to medical records: it may also be visible on specimen containers, empty IV bags, and other medical waste. It is important to dispose of all old paper records and other waste in safe and secure ways so that privacy is maintained.
National changes that promote access to personal health information for all US citizens reinforce the critical need for data privacy, security, and protection from data breaches. All health professionals must follow the HIPAA and HITECH directives in all encounters with PIH of clients and families. This is not only morally or ethically required but also has legal sanctions and repercussions if not followed. Hefty fines can be enforced with willful neglect of the HIPAA directives and compliance is mandatory for all health care organizations and professionals and their business associates who are involved with client PIH.
Now that most PHI is maintained using electronic records, and more and more clients want access to their health records, it is important that the HIPAA Privacy Rule is followed by all health professionals and is shared with their clients. Clients have a right to know about this rule and its components and it is up to health professionals to help them to understand their privacy rights.
It is important that nurses help their clients to recognize ways to protect their own data and information privacy and secure any devices used to access or transmit their PHI. A good place to start is the NCSAM Toolkit – created to help all citizens protect themselves from cybercriminals, loss of privacy, and loss or theft of PHI. As well, the NCSAM site has some excellent handouts and tips that nurses can share with their clients on topics ranging from online privacy to protecting a digital home. It is time that all health professionals included clients in their privacy and security plans to ensure that all partners of the health team are safe and secure. It’s time to keep IT safe and ensure Cybersecurity for all!
Citation: Kaminski, J. (Fall 2019). Keeping IT safe: Cybersecurity for all! Online Journal of Nursing Informatics (OJNI), 23(3).
The views and opinions expressed in this blog or by commenters are those of the author and do not necessarily reflect the official policy or position of HIMSS or its affiliates.
Powered by the HIMSS Foundation and the HIMSS Nursing Informatics Community, the Online Journal of Nursing Informatics is a free, international, peer reviewed publication that is published three times a year and supports all functional areas of nursing informatics.
Compliance Editor. (2019). The Relationship between HIPAA and HITECH. Compliance Home. Retrieved from https://www.compliancehome.com/hipaa-hitech/
National Initiative for Cybersecurity Careers and Studies (NICCS). (2019). National Cybersecurity Awareness Month 2019. Washington, DC: NICCS. Retrieved from https://niccs.us-cert.gov/national-cybersecurity-awareness-month-2019
National Initiative for Cybersecurity Careers and Studies (NICCS). (2019). National Cybersecurity Awareness Month 2019 Toolkit. Washington, DC: NICCS. Retrieved from https://niccs.us-cert.gov/sites/default/files/documents/pdf/dhs_ncsam2019_toolkit_508c.pdf?trackDocs=dhs_ncsam2019_toolkit_508c.pdf
Office for Civil Rights (OCR). (2017). HIPAA for Professionals. Washington, DC: U.S. Department of Health and Human Services (HHS). Retrieved from https://www.hhs.gov/hipaa/for-professionals/index.html
Office for Civil Rights (OCR) (2013a). Summary of the HIPAA Privacy Rule. Washington, DC: U.S. Department of Health and Human Services (HHS). Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Office for Civil Rights (OCR) (2013b). Summary of the HIPAA Security Rule. Washington, DC: U.S. Department of Health and Human Services (HHS). Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Office for Civil Rights (OCR) (2013c). Breach Notification Rule. Washington, DC: U.S. Department of Health and Human Services (HHS). Retrieved from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Privacy Rights Clearinghouse. (2014). The HIPAA Privacy Rule: Patient Rights. San Diego, CA: Privacy Rights Clearinghouse Consumer Guides, Retrieved from https://www.privacyrights.org/consumer-guides/hipaa-privacy-rule-patien…
The Medicare Learning Network. (2018). HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules. Washington, DC: U.S. Department of Health and Human Services (HHS). Retrieved from https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf