Wednesday, October 30, 2019 12:00 PM

Cybersecurity Awareness: The Layers of Patient Privacy

Written by Tim Burris, HCISPP, Product Manager, Privacy and Security - iatricSystems


As part of Cybersecurity Awareness Month, we've shared tips so far for "Owning It" with remote access security, "Securing It" with multi-factor authentication, and "Protecting It" against phishing attacks and the potential costs of a HIPAA violation. Today I want to talk about how having layers of patient privacy helps keep Protected Health Information (PHI) safe.

Before I dive into that topic, I wanted to remind you that, in ongoing support of National Cybersecurity Awareness Month, we hosted a series of five short 10-minute webinars, one each day of the last week in October, called "Cybersecurity Coffee Chats." We covered topics including remote access security, multi-factor authentication, phishing, and patient privacy.

Click this link to access the entire Cybersecurity coffee chat series.

So now let's move to the very important topic of protecting patient privacy. The layers of patient privacy aren't all that different in their approach from many security frameworks.

Many security frameworks demonstrate a layered approach to cybersecurity. They have different focuses and requirements stacked atop one another to show all the considerations that need to be made for an effective defense strategy. This approach helps us visualize the individual cybersecurity components and hopefully spot areas for improvement in our defenses.

The framework for protecting patient privacy is similar. While it certainly overlaps with security in many regards, there is also a unique layered model laid out for us within HIPAA.

Layer 1 - Privacy Rule

Layer 1 sets the foundation for everything else that is required. By defining what information must be protected, and the ways in which it can be protected, it gives us focus for the subsequent layers. Specifically, the Privacy Rule addresses the following:

  • Proper Use and Disclosure
  • Minimum Necessary Standards
  • Notice of Privacy Practices and Individual Rights
  • Rules for Consent and Authorization
  • Administrative Requirements
    • Policies and Procedures
    • Privacy Personnel
    • Workforce Training and Management
    • Mitigation
    • Data Safeguards
    • Complaints
    • Non-Retaliation
    • Documentation and Record Retention

Layer 2 - Security Rule

Layer 2 focuses on one of the requirements outlined in the Privacy Rule: Data Safeguards. Now that we know what information is at stake and what our obligations are, the Security Rule focuses on how we can keep patient information safe. It addresses the following:

  • Risk Analysis and Risk Management
  • Administrative Safeguards
    • Security Management Process
    • Security Personnel
    • Information Access Management
    • Workforce Training Management
    • Self Evaluation
  • Physical Safeguards
    • Facility Access Controls
    • Workstation and Device Security
  • Technical Safeguards
    • Access Controls
    • Audit Controls
    • Integrity Controls
    • Transmission Security
  • Business Associate Management
  • Policies and Procedures

Layer 3 - Breach Notification Requirements

The top layer is for Breach Notifications. This layer establishes the rules for identifying breaches, evaluating breaches for exceptions, and reporting breaches to the appropriate entities when they occur. While Breach Notification is certainly something no organization wants to engage in, it is an important requirement of HIPAA, and it provides a tangible incentive to protect patient information. The financial penalties and loss of reputation associated with a breach can be a painful lesson for any organization, which makes this layer an effective motivator to solidify the lower layers.

This layer specifically addresses the following:

  • Breach Definitions and Exceptions
  • Individual Notice
  • Media Notice
  • Notice to the Secretary
  • Notification by a Business Associate

As organizations, we have a responsibility to protect patient information. HIPAA doesn't just provide the rules we must follow; it provides a framework for HOW we can follow them, as well as the penalties when we don't comply. Understand and implement these layers of defense in your organization, and your patients will be better protected.

You can watch the recording of "The Layers of Patient Privacy" webinar below.
