This is a quick guide to the Health Insurance Portability and Accountability Act (HIPAA) and how you can become HIPAA compliant. We will take you through a short definition of HIPAA compliance, as well as go through the data security-related fundamentals of this compliance requirement.
What is HIPAA Compliance?
So, the first thing you might be asking yourself is; what is HIPAA compliance? The Health Insurance Portability and Accountability Act is a compliance requirement designed to protect sensitive patient data. In particular, companies that store, process or handle protected health information (PHI) must have numerous security measures in place to ensure HIPAA compliance; including physical, network, and process security measures. Healthcare organizations, businesses, and any other contractor or manufacturer with access to PHI need to ensure HIPAA compliance.
Differences Between HIPAA Privacy and HIPAA Security Rules
Both the HIPAA Privacy Rule and HIPAA Security Rule work together to ensure that PHI is protected from data breaches. However, they are distinctly separate and function with two separate purposes. The HIPAA Privacy Rule essentially states that an individual should have the right to a degree of control over how their PHI is used by organizations. What it boils down to is that organizations can use PHI for crucial functions (such as operations, medication, and payment) but for everything else the data must remain confidential.
The HIPAA Security Rule, on the other hand, applies only to electronic protected health information (ePHI). Mostly the objectives are the same; giving control to individuals over the use of ePHI and ensuring organizations act responsibility when it comes to ePHI security. There are some other differences, which can be found in another blog we wrote earlier.
Why Does HIPAA Compliance Exist?
HIPAA compliance is vital when it comes to ensuring that protected health information is protected. If an attacker or insider got hold of PHI, it wouldn’t be too difficult for them to commit full identity theft. With the wider adoption of cloud technology and electronic processes throughout healthcare organizations (such as CPOE systems, electronic health records, and more), HIPAA compliance is more important than ever. Whilst these new forms of technology drastically improve business operations, they can also lead to security vulnerabilities.
HIPAA enables organizations to adopt new technologies, processes, and practices that improve the security of patient data, whilst at the same time enabling the subject of that data to have more control over how it is used. That can only be a good thing surely!
HIPAA Compliance Audit Checklist
Below is a simple HIPAA compliance checklist that can help your organization satisfy the most important compliance requirements.
1. Conduct HIPAA Audits and Assessments
The first step in the HIPAA compliance checklist is to perform regular security audits and assessments in accordance with the HIPAA security rule. You will also need to analyze and document the results, including any potential security issues that you have identified and how you plan to address them.
The first step is to carry out a risk assessment for any system that stores ePHI. Assessments should be carried out on a regular basis, in accordance with the NIST recommendations. You will also need to implement a risk management policy, which evaluates the likelihood and potential impact of a data breach.
Included in the policy should be information about the security standards and protocols that are required to protect ePHI.
2. Implement Policies and Procedures
In addition to implementing a risk management policy, the next step on the HIPAA compliance checklist is to ensure that you have policies that cover the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.
You will also need policies that cover business associates, including a Business Associate Agreement (BAA), to ensure that they are able to satisfy the compliance requirements.
Other related policies that you will need to implement will include password policies, acceptable use policies, remote access policies, and email and communication policies, to name a few. You will also need an Incident Response Plan (IRP) to help you respond to security incidents in a timely and coordinated manner.
3. Introduce Safeguards to Protect ePHI
Next on the HIPAA compliance checklist is to ensure that you have the necessary technical, physical, and administrative safeguards in place to ensure data integrity, availability, and confidentiality.
- Authentication: A strong password policy will need to be enforced at a minimum. Multi-factor authentication should be used where possible.
- Authorization: Carefully considered access controls must be in place to ensure that users are only granted access to the data they need to carry out their role.
- Real-time auditing: The ability to detect and respond to anomalous user activity is necessary to prove that you know who is accessing what data, and when. Administrators should receive real-time alerts when critical ePHI is accessed, modified, shared, or deleted.
- Encryption: ePHI should be encrypted according to NIST recommendations. This includes data at rest and in transit.
- Perimeter security: As with any IT environment, AV software, a commercial-grade firewall, or an intrusion prevention system (IPS) should be installed and maintained to protect against external threats.
- Additional technologies: Other solutions such as mobile device management, automated patch management, penetration testing, and vulnerability scanning software can also help to keep your system secure, and safeguard ePHI.
Security awareness training: All relevant stakeholders must be sufficiently trained in data security best practices. Considerable time should be taken to ensure that all users are able to identify and report on any suspicious emails that might be used to either distribute malware or obtain a set of credentials through social engineering.
Users should be trained to identify suspicious email attachments or links. They should check to see if the email comes from a public domain, such as Gmail, Hotmail, Yahoo!, and so on. Users should also check for domain names and emails with spelling and grammar mistakes.
All users will need to be informed about the HIPAA compliance requirements, and the potential consequences of failing to adhere to them.
Incident response: Healthcare service providers will need to ensure that they have a tried and tested Incident Response Plan (IRP) in place. A typical IRP will document the protocols relating to incident preparation, identification, containment, eradication, recovery, and post-incident activity.
Secure data removal: Any paper documents containing sensitive data should be shredded when they are no longer required. If you need to dispose of a hard disk containing sensitive information, you will need to ensure that the data has been safely removed. Of course, you can simply wipe the data stored on the drive via a desktop utility. However, this method doesn’t guarantee that the data is unrecoverable. To be extra safe, you may want to look into other disposal methods such as disk encryption, degaussing, digital shredding, or even shredding/crushing the physical drive.
Secure workstations: Desktop computers that have access to sensitive data should never be left unattended when they are logged in. You will need to ensure that they automatically log themselves out when they are inactive for a given period of time. The server room should be adequately secured using locks, alarms, ID badges, CCTV cameras, and so on.
4. Designate a Security Officer
This point of the HIPAA compliance checklist looks at the HIPAA Security Rule, which stipulates that all covered entities are required to appoint a HIPAA Security Officer who is responsible for the development and implementation of policies and procedures to ensure the integrity of ePHI. The ideal candidate would be someone who is confident, communicable, organized, and has a profound understanding of the HIPAA requirements.
5. Understand the Breach Notification Rule
A vital step in the HIPAA security checklist is adhering to the HIPAA Breach Notification Rule, which states organizations are legally obligated to notify the authorities and all relevant stakeholders within 60 days of discovering a data breach. Notifications can be sent by snail-mail, email, telephone, or some other agreed method of communication. If the organization doesn’t have contact details for over 10 persons, they can post a clear notice on their website, or notify those affected via a relevant news outlet.
How to Meet HIPAA Compliance Requirements
The increase in the generation of electronic patient data and the potential repercussions of non-compliance, make meeting HIPAA compliance requirements essential. Failing to adequately protect patient information can lead to crippling fines, and irreversible damages to reputation. Worse than that, because of the nature of the data itself, failures in protecting patient health data can potentially be fatal for those patients involved. In fact, it’s so important, that the U.S. government passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. The sole purpose of this act being to punish organizations that are non-compliant.
So, how Lepide helps?
In short, you need a data security strategy that ensures you are able to predict, detect and react to threats to your sensitive data. To do this, you’re going to need a solution like Lepide Data Security Platform that is specifically designed to help discover and protect patient data and that can meet HIPAA compliance audit requirements.
To see how the Lepide Data Security Platform helps you meet HIPAA compliance through pre-set reports, real-time alerts, user behavior analytics, and data classification, schedule a demo with one of our engineers or start your 15-day free trial today.