It is estimated that a HIPAA violation on average will cost an organization around $1.1 million in settlement fees. That’s before the loss in revenue that accompanies a data breach, as well as the costs of breach notifications, forensics, lawsuits and other key implications. The more accurate figure when all that is taken into consideration is closer to $8 million. Can your organization afford to not be HIPAA compliant?
What is the HIPAA Security Rule? A Definition
The HIPAA Security Rule acts as the national standard when it comes to protecting the electronic personal health information (ePHI) of patients whenever it is created, received, used or maintained by covered entities. The HIPAA Security Rule focuses on ensuring that covered entities have the appropriate administrative, physical and technical security safeguards in place so that ePHI remains accurate, confidential and secure.
How Does the HIPAA Security Rule Work?
The HIPAA Security Rule is broken down into three critical categories: administrative safeguards, physical safeguards and technical safeguards. Let’s break them all down here so that you know what you need to implement in order to be secure.
Administrative safeguards
- Security Management Process: Covered entities must be able to adequately identify and analyze potential risks to ePHI and implement security measures that reduce these risks to an acceptable level.
- Security Personnel: Covered entities must assign a security officer who is responsible for ensuring that security policies are correctly developed and implemented across the organization.
- Information Access Management: You must operate on a policy of least privilege, where access to ePHI is limited to those individuals who require it for their role (role-based access).
- Workforce Training and Management: All employees working with ePHI must receive appropriate supervision and training in the correct security procedures and policies. Any employees who deviate from these policies and practices should be appropriately sanctioned.
- Evaluation: Periodic risk assessments must be undertaken to ensure that security policies and practices adhere to the HIPAA Security Rule.
Physical safeguards
- Facility Access and Control: Covered entities must ensure that access to company premises is limited to authorized individuals.
- Workstation and Device Security: Employees must know how to properly use their workstations and devices to protect ePHI. Appropriate measures should be in place for the removal and disposal of any devices that have access to ePHI when required.
Technical safeguards
- Access Control: Technical policies and procedures must be implemented to ensure that only those users who require access to ePHI are able to obtain it. This follows the same least-privilege model mentioned above.
- Audit Controls: You must ensure that your users are not behaving inappropriately when interacting with ePHI. For this it is probably best to look at a solution that provides user and entity behavior analytics.
- Integrity Controls: You must ensure that ePHI is not modified, deleted, copied or moved without authorization. To do this you will need proactive, continuous change auditing and monitoring of your critical IT infrastructure.
- Transmission Security: Security measures must be put in place to defend against unauthorized access to ePHI while it is being transmitted over an electronic network.
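The Information Access Management, Access Control, Audit Controls and Integrity Controls items above are easiest to see together in code. The following is an added example, not code from the article or from LepideAuditor: a small in-memory store of ePHI records that enforces a constructed role-to-permission policy (least privilege, with a "minimum necessary" view for billing staff), writes every access attempt, allowed or denied, to an audit trail, and detects out-of-band modification of a record with an HMAC seal before releasing it. The roles, record fields, key and record identifiers are all constructed for illustration.

```python
"""Added example (not from the original article or LepideAuditor): role-based
access to ePHI, an audit trail of every attempt, and tamper detection on stored
records. Roles, permissions, records and the signing key are constructed."""
import hashlib
import hmac
import json

# Constructed role policy: the actions each role may perform on an ePHI record.
# Roles without a clinical need (it_admin) get no access at all.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "nurse": {"read"},
    "billing": {"read_billing"},   # minimum-necessary view, not the full record
    "it_admin": set(),
}

# Constructed key; in a real deployment this would come from a key store.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def seal(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class AccessDenied(Exception):
    """Raised when the actor's role does not permit the requested action."""


class IntegrityError(Exception):
    """Raised when a stored record no longer matches its integrity seal."""


class EphiStore:
    def __init__(self):
        self.records = {}    # record_id -> [record dict, integrity seal]
        self.audit_log = []  # one entry per attempt, whatever the outcome

    def store(self, record_id: str, record: dict) -> None:
        self.records[record_id] = [dict(record), seal(record)]

    def _audit(self, actor, role, record_id, action, outcome) -> None:
        self.audit_log.append({"actor": actor, "role": role, "record": record_id,
                               "action": action, "outcome": outcome})

    def access(self, actor: str, role: str, record_id: str, action: str) -> dict:
        """Authorize, log, verify integrity, then return the permitted view."""
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self._audit(actor, role, record_id, action, "allowed" if allowed else "denied")
        if not allowed:
            raise AccessDenied(f"role {role!r} may not {action!r} ePHI")
        record, stored_seal = self.records[record_id]
        # Recompute the seal; a change made outside this code path fails here.
        if not hmac.compare_digest(seal(record), stored_seal):
            self._audit(actor, role, record_id, action, "integrity_failure")
            raise IntegrityError(f"record {record_id} was modified outside the application")
        if action == "read_billing":
            return {k: record[k] for k in ("patient_id", "insurance")}
        return dict(record)

    def update(self, actor: str, role: str, record_id: str, changes: dict) -> dict:
        """Authorized change: goes through access(), then the record is resealed."""
        updated = self.access(actor, role, record_id, "update")
        updated.update(changes)
        self.records[record_id] = [updated, seal(updated)]
        return updated


def build_demo_store() -> EphiStore:
    """Seed the store with one constructed record."""
    store = EphiStore()
    store.store("MRN-0001", {"patient_id": "MRN-0001",
                             "diagnosis": "constructed-diagnosis",
                             "insurance": "constructed-plan"})
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.access("dr_lee", "physician", "MRN-0001", "read"))
    print(s.access("b_ortiz", "billing", "MRN-0001", "read_billing"))
    try:
        s.access("it_admin1", "it_admin", "MRN-0001", "read")
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in s.audit_log:
        print(entry)
```

Two design points carry over to real systems: the audit entry is written before the authorization decision is acted on, so denied attempts are visible to behavior analytics rather than silently dropped, and the integrity seal is checked at read time, so a record changed by someone with direct database or file access is caught the next time the application touches it.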
Meeting the HIPAA Security Rule
Native auditing tools are simply not proactive or detailed enough to allow you to adequately meet all the requirements laid out in the rule. A data security platform like LepideAuditor can help you successfully meet the HIPAA Security Rule.