5 min read

Security requirements for HIPAA-covered transactions

Security requirements for HIPAA-covered transactions

In What the HIPAA Transactions and Code Set Standards Will Mean for Your Practice, David C. Kibbe states, “The data in the transactions you will be transmitting electronically contain patient-identifiable health information. Under HIPAA you are required to have adequate safety measures in place – including technical ones – to protect this information from breaches of privacy.”

The requirements include:

  • Administrative safeguards focus on managing policies and people. This means creating clear guidelines, assigning a dedicated security officer, and training staff to understand data protection protocols. 
  • Physical safeguards protect the locations and devices storing patient data by controlling access to servers and computers, using secure workstations, and establishing strict device tracking procedures. 
  • Technical safeguards that leverage technology to secure electronic patient information through methods like data encryption and continuous monitoring of system access logs. 

Learn more: What is the HIPAA Security Rule?

 

Why these requirements matter

According to an article in Fox News, “If your healthcare data hasn't been breached in 2024, then you either don't know it yet or should consider yourself very lucky. That's because 2024 was a nightmare year for healthcare institutions and patients in the U.S. A total of 184,111,469 records were breached. That's 53% of the 2024 population of the United States. This staggering figure represents a significant increase from previous years, setting a new and alarming record in healthcare data breaches.” 

The Lincare Holdings case exemplifies the legal and financial consequences of HIPAA violations. Lincare Holdings faced enforcement action due to multiple violations in their handling of HIPAA-covered transactions. The company's failures centered around two areas of HIPAA compliance. In their electronic claims processing, they not only failed to properly format and secure their claims submissions but also transmitted sensitive patient information in an unencrypted format. The company also demonstrated shortcomings in its eligibility verification processes, where it failed to implement proper authentication protocols and didn't maintain secure channels for transmitting eligibility inquiries and responses.

US Attorney, Vanessa Waldref, stated in a press release, “I am appalled by Lincare’s admitted past practice of putting profits before its obligations to patients and to the Medicare program, and in particular by Lincare’s admitted improper practice of wrongfully collecting co-pays from elderly beneficiaries on fixed incomes and with limited means."

When sensitive health information is compromised, patients lose confidence in the healthcare provider's ability to protect their most personal data. A study conducted by the National Health Institute (NIH) found that “New information technologies in health care have the potential to enhance care quality and access, yet the widespread information sharing enabled by them also create new risks and concerns. Patients concerned about privacy may be less likely to disclose health information to providers and may be concerned about how their information is being used and accessed within the health care system.”

 

Cost considerations 

The 2023 HIMSS Healthcare Cybersecurity Survey states that, “Robust cybersecurity measures require substantial investment in cybersecurity resources. Shoestring budgets typically cannot afford much. It is not uncommon for Chief Information Security Officers to be constrained by their budgetary limitations. However, having more money available to invest in cybersecurity can certainly make a difference. In other words, healthcare organizations that lack adequate funding for their cybersecurity programs will likely struggle to keep up with evolving threats. On the other hand, healthcare organizations that have adequate funding may be able to invest in solutions that are on the cutting edge.”

Furthermore, the survey found that, “Fortunately, budgets are on the rise for many organizations compared to previous years. Most respondents to this year’s survey indicated that their budgets increased (55.31%), and others reported that their budgets stayed the same (23.46%). A very small minority (2.79%) indicated that their budgets decreased. This is indeed a positive trend. Compared to an analysis of historical data from 2021 to 2022, more respondents are enjoying increased budgets. Historically, only a slight majority (51.57%) reported an increased budget for the 2021 to 2022 time period.”

“The increase in cybersecurity budget is expected to increase in 2024 with a majority of respondents (57.54%) anticipating this change. Only 17.32% of respondents expect that the budget will stay the same, and a very small minority (2.79%) are expecting a decrease in the cybersecurity budget,” analyzed the HIMSS survey.

In 2019 Medical Economics published an article titled “HIPAA: At what cost?” which states that, ‘To cope with the expanded HIPAA obligations, healthcare systems have employed an ever-increasing number of compliance officers and deployed sophisticated technology to safeguard the accessibility of individual healthcare information. At the time of implementation, the Department of Human and Health Services (HHS) estimated that HIPAA would initially cost healthcare systems approximately $113 million with subsequent maintenance costs of $14.5 million per year. The actual costs of HIPAA compliance are estimated at closer to $8.3 billion a year, with each physician on average spending $35,000 annually for health information technology upkeep. The true costs, however, are unknown and buried under layers of purportedly necessary bureaucracy. These costs do not account for the added stress inflicted upon healthcare clinicians and patients struggling to allow each other access to important and necessary healthcare information.

 

Common challenges 

Healthcare organizations struggle to implement HIPAA compliance, according to the National Institute of Health (NIH), “HIPAA, combined with its severe penalties for violations, may cause medical centers and practices to withhold life-saving information from individuals who have a right to it and urgently need it. According to the HIPAA Privacy Rule, the US Government Accountability Office found that healthcare providers were often "uncertain about their legal privacy responsibilities" and tended to take an overly cautious approach to disclosing information. The solution lies in educating all healthcare professionals and support staff to ensure they understand when PHI can be legally shared.”

Furthermore, the NIH states, “HIPAA presents a significant risk of violations that almost any medical professional can inadvertently commit. Staff with limited education and understanding are particularly prone to breaching these rules during routine tasks. At the same time, a small number of violations involve personal gain or curiosity; most result from momentary lapses that lead to costly mistakes. Simple errors, such as writing an incorrect address, phone number, or email on a form or inadvertently disclosing protected information aloud, can put a practice at risk. HIPAA education and training are essential, as is the design and maintenance of systems that minimize human errors and ensure compliance.”

Read also: Challenges with managing regulatory compliance

 

How to ensure compliance

The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data provides that, “Sixty-three percent of [healthcare organizations] agree that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft. This is an increase from 58 percent in the 2015 study. Fifty-seven percent of respondents say they have the personnel with technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data and this is an increase from 53 percent in 2015.”

Healthcare institutions can start by performing thorough risk assessments to understand system vulnerabilities and identify potential security gaps. Deploy security infrastructure, with solutions like Paubox's HIPAA compliant email encryption and secure forms that safeguard patient communications and data transfer. 

Staff members should receive training to understand their responsibilities in protecting PHI. Additionally, organizational policies should be regularly reviewed and updated to stay in alignment with current HIPAA regulations.

Learn more: How to become HIPAA compliant

 

Mobile device considerations

The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by the Ponemon Institute and published in May 2016, highlights several important findings about employee-owned devices (BYOD) in healthcare settings:

  • Security concerns: 30% of healthcare organizations listed the use of insecure mobile devices among their top security worries. This shows how BYOD practices are creating vulnerabilities in patient data protection.
  • Employee negligence factor: 69% of healthcare organizations identified negligent or careless employees as their biggest security concern - virtually unchanged from 2015. This employee behavior risk directly impacts BYOD security.
  • Emerging threats: The study reveals growing concern over the security of mobile apps (eHealth), which increased to 19% for healthcare organizations, showing the evolving nature of mobile device risks.

Mobile security measures include:

  1. Mobile Device Management (MDM): Implement solutions that can remotely wipe devices, enforce password policies, and manage application access.
  2. Containerization: Separate personal and professional data on devices through secure containers or workspaces.
  3. Secure Messaging: Use HIPAA-compliant messaging platforms, like Paubox,  rather than standard SMS or consumer messaging apps.
  4. Device Encryption: Ensure all mobile devices storing PHI use full-disk encryption.
  5. Biometric Authentication: Leverage fingerprint or facial recognition to prevent unauthorized access.
  6. Clear BYOD Policies: If allowing personal devices, establish policies regarding acceptable use and security requirements.

Related: How to separate work and personal data when using your own devices

 

FAQs

What are HIPAA-covered transactions?

Covered transactions refer to the electronic exchange of health information for specific administrative and financial purposes, such as billing, eligibility inquiries, claims processing, and payment, as defined under HIPAA.

 

What is containerization?

Containerization is the practice of separating personal and professional data on mobile devices to ensure security and compliance with HIPAA regulations.

 

What is encryption in HIPAA compliance?

Encryption is the process of converting data into a secure format to protect sensitive information from unauthorized access during transmission or storage.