Any organization that has access to electronic Protected Health Information (ePHI) must comply with HIPAA. If your organization needs to be compliant, this isn’t something you can delay or phase in gradually because failure to meet HIPAA compliance can carry steep penalties. (On the positive side, becoming HIPAA compliant can be a tremendous business driver if you’re interested in starting a company, entering a new market, attracting new customers, or reducing the time it takes to obtain approvals.)
Some of the most drastic HIPAA fines include the following:
- University of Texas MD Anderson Cancer Center fined $4.3 million for HIPAA violations.
- Memorial Healthcare System paid $5.5 million because employees shared PHI data incorrectly.
- Advocate Health Care Network paid $5.5 million after failing to protect the data of over four million patients.
- Anthem fined $16 million for a significant data breach that exposed the health information of almost 80 million people.
Whether a violation results from a willful breach or ignorance of HIPAA regulations, the resulting damage in the form of fines, loss of business, and damage to reputation can be significant. So it’s best to get ahead of the curve and become compliant as quickly as possible.
Key HIPAA Terminology
You already know what HIPAA, OCR, and ePHI are, but some of the terms used within HIPAA can be confusing. Before going any further, you need to understand the following three terms:
Covered Entity: A covered entity is any organization that stores, shares, or transmits ePHI. However, most employees, including doctors who work at a hospital are not considered a covered entity. In this instance, the hospital is the covered entity. (But having said that, all employees who have access to ePHI should receive training to ensure that they understand their role in HIPAA compliance.)
Business Associates: Business associates include people and companies that provide services like email, computer support, accounting, billing, and network or data security services. Any third party that has access to patient health information is a business associate. They must maintain HIPAA compliance, as well.
Business Associate Agreement (BAA): Business associates must also sign a Business Associate Agreement that outlines their access and responsibilities.
All covered entities and business associates with access to PHI must meet the technical, administrative, and physical requirements set by HIPAA to maintain the privacy of patients. Access is a broad term used to describe anyone who can read, change, create, or transmit PHI.
This section covers three key areas: administrative, technical, and physical safeguards. These areas all tie together ultimately, but looking at them individually will give you a better understanding which, in turn, will enable you to use your resources and teams more effectively.
Oftentimes, the importance of this area is downplayed, perhaps because it seems less tangible or is deemed to have less impact than technical and physical safeguards. Nothing could be farther from the truth, however; the policies, practices, and procedures defined here help you establish an effective governance and operational framework within your organization.
To oversee this aspect of compliance, assign security and privacy officers. Their jobs include tasks like governing employee conduct where it pertains to PHI and conducting regular Security Risk Assessments (SRA). OCR will look at your SRAs to make sure you conduct them regularly and to identify possible compliance issues.
- Conduct Risk Assessments: Your security officer must conduct regular security assessments that identify and assess any places where PHI might be at risk.
- Create a Risk Management Policy: This defines how often you perform a risk assessment along with the steps you use to reduce risks to PHI. It should include a section that outlines penalties for employees who break the rules to reinforce the fact that your organization takes HIPAA compliance seriously and keeps its employees up to date on expected roles and behaviors.
- Prepare a Contingency Plan: This is your backup plan and policies for managing incidents. It outlines how you will continue to operate and protect PHI during an incident. It also defines your plan for backing up and restoring data that may get lost in a natural disaster along with plans for any conceivable emergency.
- Test Your Contingency Plan: Test your contingency plan to make sure it works and to keep it updated. This plan should always be evolving. By testing it frequently, any technical or procedural changes that may have occurred over time in the Contingency Plan itself will be taken into account, and the more you’ve tested your plan, the more efficiently you’ll be able to carry it out.
- Restrict Third-Party Access: This governs who has access to PHI in addition to your employees. It keeps unauthorized contractors and vendors from gaining access to PHI indirectly and helps ensure that you have BAAs with anyone who gets access to PHI.
- Train Employees: This outlines training programs you put in place to make sure your employees follow the rules and understand them. As a best practice, it should include training on how to identify phishing attempts, avoid malicious software, and browse the web safely, along with training on each policy that affects an employee. Training must be well documented. A good training program is conducted at least once a year to ensure that all affected employees are up to date, and it will address any changes in your security or compliance programs.
- Report Security Incidents: This rule is different from the Breach Notification Rule. Incidents are not breaches since an incident is defined as a security flaw or severe risk that was found and fixed before a breach occurred or data was misused. You still require a policy on recording and reporting them.
This area governs the technology used to store, transmit, or otherwise use PHI and ePHI. HIPAA doesn’t supply a list of accepted software or frameworks; you can use any technology you choose provided it works. However, any PHI that is transmitted beyond your network must be encrypted using NIST protocols.
- Control Access: Develop policies and procedures that define who has access to PHI. Every user needs a unique identifier, and credentials cannot be shared. You need to know who accessed any part of your network or systems. This policy should also include information on how access is granted or maintained during an emergency. Remember that a good access policy is based on the concept of least privilege, and only grant access to PHI to those who need it.
- Maintain Access Logs: Technically, this is an audit control meant to help you see who tried to or gained access to PHI. It can also be an early warning sign that some nefarious person is attempting to gain access to PHI. Logs, especially logs that contain incidents, need to be saved in an organized manner. Also, if you centralize the logs, it will allow you to easily see who has accessed PHI by using a single tool and can allow you to put monitoring in place to scan the logs for any unusual access that might need investigation.
- Authenticate ePHI: You need some method to check the integrity of PHI to make sure it hasn’t been altered or gone missing. Data can be leaked as a result of disasters, mistakes, or malicious activity, and therefore, you need a detection and monitoring mechanism to ensure that there is no unauthorized leakage of PHI.
- Encrypt Data: Data at rest and in transit (that is, data coming into and going out of your network) must be encrypted. In addition, you must be able to show how data is encrypted, what software and methods are used, and how the data is decrypted. If you outsource encryption to a third party, they must have a BAA.
- Use Automatic Logoffs: Any computer that an authorized individual uses to access PHI must use a predefined logoff timer to ensure that the computer is locked if an authorized user walks away and forgets to logout. You should train employees to stay logged out of a machine unless they are using it and to lock it immediately or to logout when they walk away. Typically, an employee is completely responsible for any activity that happens on their computer, whether it was done by them or by someone pranking or intending harm. But mistakes happen, and this is one way to prevent an incident.
Whether you store ePHI onsite, in the cloud, or on servers in a third-party data center, you must make sure that the data is protected. This may come down to using a BAA where the vendor agrees to maintain the locks and alarms you use onsite to protect the data. No matter where the data is stored, it’s in a physical location on physical devices that must meet specific standards.
- Workstation Policies: The policies and procedures defined by this rule govern how you place physical devices like computer monitors. They must be positioned in a way that prevents unauthorized users from seeing ePHI that may be on the screen while an authorized user is working.
- Mobile Devices: If users can access or work with ePHI on mobile devices, you must have a policy that outlines the security measures you use to protect the data and how the data is cleaned off the mobile device. Avoid using personal mobile devices, but if you do allow them, you must have a plan for cleaning ePHI off the equipment if the employee is fired or quits.
- Facility Access: This policy defines who has access to physical locations from janitorial staff to third-party IT contractors. Define who has keys, keycards, PINs, and what the plan is for emergencies if no one is available to unlock the facility. If you use electronic access controls, make sure they log users and monitor doors to make sure they close within an appropriately short time after they’re opened.
- Inventory: You must keep an updated inventory of every device and piece of hardware used to access ePHI on your network. The log should record the movements of the hardware along with who is responsible for it. Data on a device must be verified before it leaves your facility and when it returns in order to guarantee the integrity of the ePHI on the hardware.
Each section and policy outlined above must be in place and updated to ensure the security of data and to provide a record if you get audited or suffer a breach. Strong administrative safeguards provide a framework for governance and a context for technical and physical safeguards. In addition to strong administrative safeguards, a fundamental way to reduce risk and avoid penalties is to build compliance into your technology stack. To this end, leveraging a tool such as Threat Stack’s Cloud Security Platform® can help healthcare companies and business associates address a broad range of security needs and HIPAA compliance requirements. And finally, don’t forget that employee training is critical in the overall plan because policies don’t work if no one knows about them or understands how they work.
If you follow this HIPAA Checklist, your security stance will be significantly strengthened, and you shouldn’t have any issues passing an audit.
If you’re interested in learning more about how Threat Stack can help you with your security and compliance needs, contact us today to set up a demo.