HIPAA Compliance Tips & Best Practices — Building Your Foundational Knowledge

Threat Stack SOC Report – Q3 2019

Read the report for full details, including an update on Shellbot.

Download Now

The last few years have seen a number of failures in the field of HIPAA compliance, and fines that would put many smaller-scale practices out of business. While the increase in the use and sharing of electronic patient data accounts for many HIPAA compliance issues, the bottom line is that too many organizations are leaving themselves open to breaches that are fundamentally avoidable.

Leveraging the right technology can aid in compliance, but keep in mind that ultimately, responsibility falls squarely on the shoulders of the covered entity or business associate. A growing number of cloud providers, Amazon Web Services among them, offer services that can be used for PHI under a Business Associate Agreement (BAA). AWS operates on a Shared Responsibility Model: AWS is responsible for the security of the underlying infrastructure, while the customer remains responsible for how workloads are configured on top of it, including identity and access management, encryption of data at rest and in transit, logging and monitoring, network configuration, and patching. Built-in security mechanisms certainly help, but signing a BAA with a cloud platform does not make your company compliant with HIPAA or any other regulation; that depends on how you use the platform. Adding other tools can take compliance a step further. Threat Stack’s Cloud Security Platform®, for instance, gives healthcare companies and business associates capabilities that map to a broad range of HIPAA compliance requirements.

But even with the right tools at their disposal, healthcare providers and business associates need to understand HIPAA and take an active role in ensuring ongoing compliance. To help your organization build the knowledge it needs to become HIPAA compliant, protect patient data, and avoid potentially devastating fines, we’ve compiled a list of HIPAA compliance tips and quotes from experts in the field. Our intent is to help you build your foundational knowledge of HIPAA issues so your organization can then go on to create HIPAA-specific policies & procedures and training materials (topics that we’ll cover in future blog posts).

Disclaimer: The views and opinions expressed in this post are those of the respective authors and do not necessarily reflect the policies or positions of Threat Stack, Inc. The contents of this post are not ranked in terms of perceived value or quality of content. Our intent is simply to provide information that could help you add to your knowledge of HIPAA standards and best practices.

1. Know the consequences of failures in HIPAA compliance. 

“The need for HIPAA compliance in many offices is a serious one. A failure to stay compliant could cost your company a fortune in fees and fines, and that’s if there are no lawsuits.” 

Is Your Multifunction Printer HIPAA Compliant?, Electronic Business Products, Twitter: @EBP_Inc

2. And just how costly those consequences could be.

“Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out. Once the level of negligence has been determined, appropriate fines can be issued. For example, if it is determined that the violation was due to ignorance, a fine of up to $50,000 can be levied against the negligent party per violation with an annual maximum of $25,000 for violations of an identical provision. If the violation resulted from willful neglect and was not rectified within 30 days, a fine of $50,000 per offence is possible up to an annual maximum of $1,500,000 for violations of an identical provision.” 

HIPAA for Dummies, HIPAA Guide 

3. Understand why HIPAA matters. 

“Many may see the law as burdensome, complex, annoying, hard to understand, or even maddening, but it comes down to one thing that everyone can agree is important: protecting patients.” 

HIPAA Compliance: 3 Quick Tips To Keep Your Practice Compliant, Audigy; Twitter: @AudigyGroup

4. Know the parameters of HIPAA compliance. 

“According to HIPAA, if you belong to the category of ‘covered entities’ or ‘business associates,’ and you handle ‘protected health information (PHI),’ you and your business are required to be HIPAA-compliant. ‘Covered entities’ describes U.S. health plans, health care clearinghouses, and health care providers.” 

— Newtek, Does Your Business Need To Be HIPAA-Compliant?, Forbes; Twitter: @Forbes

5. Know your obligations.

“The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans, while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their data to healthcare organizations, and it is the duty of these organizations to take care of their protected health information.” 

— Juliana De Groot, Data Protection 101: 2019 HIPAA Requirements, Digital Guardian; Twitter: @DigitalGuardian

6. Understand the implications of the HIPAA Omnibus Rule. 

“The HIPAA Omnibus Rule is the most significant change to the HIPAA regulations and clarifies and updates several of the previous definitions. It broadens the definition of Business Associates to include subcontractors, consultants, and storage companies, which effectively expands HIPAA to cover many more organizations and individuals. The changes to the regulation increased and tiered the civil penalties for HIPAA violations, updated the breach notification rules, and prohibited the use of genetic information for purposes of underwriting insurance policies. Lastly, companies can’t use PHI for marketing purposes.” 

— Jeff Petters, What is HIPAA Compliance? Your 2019 Guide + Checklist, Varonis; Twitter: @varonis

7. Be aware of what falls under the term ‘Protected Health Information (PHI).’ 

“With such a wide range of entities and business associates covered by HIPAA, it’s therefore critically important to know exactly what PHI entails. Any information included in a medical record that can identify an individual and was created and used while providing health care (such as diagnosis or treatment) falls under the category of protected health information. PHI also includes:

  • Any conversations a patient has with a physician or nurse about his or her treatment
  • A patient’s billing information
  • Medical information in the patient’s health insurance company’s database.” 

— Newtek, Does Your Business Need To Be HIPAA-Compliant?, Forbes; Twitter: @Forbes

8. Have a contingency plan for when things go wrong. 

“This is the ‘what happens next’ standard. Create and follow a data backup plan, disaster recovery plan, and have an emergency mode operation plan in place, just in case things go sideways and you get breached. There’s also guidance in this standard for testing and revising these plans, as well as managing critical applications that store, maintain, or transmit ePHI.” 

— Jeff Petters, What is HIPAA Compliance? Your 2019 Guide + Checklist, Varonis; Twitter: @varonis

9. Passwords alone won’t do. Instead, layer your authentication processes. 

“Make sure you use multi-factor authentication. The long-trusted combination of username and password (and too often passwords are weak, e.g., 123456) will no longer suffice to protect all of your data. You need to make sure that you have a strong and unique username and password combined with other accepted and secure factors. An example of this would be if your privileged access login requested two or more factors (e.g., it asked for username and password/PIN, and then prompted you to enter a security token, One Time Password token, or some other accepted factor). Failure to properly secure all of your remote access is one of the main reasons for breaches today.”

— Brand Barney, 5 Tips to Improve HIPAA Compliance, Security Metrics; Twitter: @SecurityMetrics

10. Use the right software. 

“Use HIPAA-compliant software to make managing protected health information easy and secure. Your electronic record keeping should include data storage solutions and forms that comply with HIPAA requirements.” 

What is HIPAA Compliance and How to Get Started?, JotForm; Twitter: @JotForm

11. Make sure your cloud storage and apps are compliant. 

“The Health Information Technology for Economic and Clinical Health Act (HITECH) clarified how healthcare providers need to secure electronic protected health information (PHI). This law also ensures that regulations stay current with quickly advancing technologies like cloud storage. 

“HITECH states that healthcare providers aren’t the only ones who need to stay compliant. In fact, any storage services and apps you use have to meet HIPAA security guidelines as well. According to the law, your cloud storage service has to provide you with a business associate agreement (BAA) stating that they’re HIPAA compliant.” 

— George Davidson, The five best HIPAA-compliant cloud storage solutions for your practice, JotForm; Twitter: @JotForm

12. Understand that HIPAA is designed to benefit providers as well as patients.

“Though initially aimed to ease the portability of health insurance for individuals changing jobs and to strengthen protections against fraud and abuse, HIPAA evolved into legislation that also encompasses: 

  • Greater administrative efficiency
  • Reduced paperwork
  • Confidentiality and privacy of electronic information” 

HIPAA Compliance: 3 Quick Tips To Keep Your Practice Compliant, Audigy; Twitter: @AudigyGroup

13. Be aware of third-party obligations. 

“Some of you reading this are likely a third-party. Maybe you’re a business associate performing a duty like development, platform as a service, infrastructure as a service, billing, or something like that. We see a lot of vulnerabilities coming through third parties. As a third-party, you need to make sure security and compliance is a top priority as it will directly affect the growth of your business. Doing business with a business associate is often necessary to provide proper care to patients, but it is not without risks. I work with many vendors who diligently take care to ensure all patient data they access or are provided is secure, and that they are compliant. However, this is not the case for all business associates in the industry. It’s important to remember that you should engage business associates with proper due diligence. Make sure that all BAAs (Business Associate Agreements) are in place and obtain assurances that your data and systems will be secure and compliant when shared or accessed by any third party.” 

— Brand Barney, 5 Tips to Improve HIPAA Compliance, Security Metrics; Twitter: @SecurityMetrics

14. Keep a close eye on configurations. 

“We can see how an AWS Secure Storage Service (S3) can be calibrated to the exact specification to allow attackers in the door. We also know that such services come equipped with all the controls necessary to stave off the tragedy. So what’s going wrong? Not only are newer technologies more complex than ever, but with the rise of DevOps and continuous iterations, the services and resources we use are in constant flux. Keeping tabs on the right configurations for the current build and maintaining your own security intent have never been more complicated…having an unobstructed view of the attack surface will help to identify where configurations are risky and what steps you can take to restore order.” 

— Josh Mayfield, 3 Lessons Learned from Healthcare Security Breaches, Absolute Blog; Twitter: @absolutecorp
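The S3 misconfiguration Mayfield describes (S3 is Amazon’s Simple Storage Service) is usually a bucket policy that grants access to Principal "*" combined with Block Public Access left off. The following added example, not code from Absolute or from this article, audits the two documents that `aws s3api get-bucket-policy` and `aws s3api get-public-access-block` return, offline, against a constructed policy. Bucket name, account ID, role and VPC endpoint ID are placeholders, and the weak and corrected Block Public Access settings sit side by side.

```python
import json

# Constructed sample of what `aws s3api get-bucket-policy` / `get-public-access-block`
# return for a hypothetical bucket. Account, role and VPC endpoint IDs are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppReads", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ehr-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"},
    {"Sid": "LeftOverFromTesting", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-phi-bucket", "arn:aws:s3:::example-phi-bucket/*"]},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-phi-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

# The weak setting: two of the four Block Public Access switches are off.
SAMPLE_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
}
# The corrected setting: all four on, which is what a PHI bucket should look like.
HARDENED_PUBLIC_ACCESS_BLOCK = {k: True for k in SAMPLE_PUBLIC_ACCESS_BLOCK}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Condition keys that tie an otherwise-anonymous principal to a known source.
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_scoping_condition(statement) -> bool:
    for operator, keys in statement.get("Condition", {}).items():
        if "not" in operator.lower():  # StringNotEquals / ArnNotLike exclude a source; they do not pin one
            continue
        if any(k.lower() in SCOPING_KEYS for k in keys):
            return True
    return False


def find_public_statements(policy: dict) -> list:
    """Sids of Allow statements usable by an anonymous principal with no scoping condition."""
    return [
        st.get("Sid", "<no Sid>")
        for st in _as_list(policy.get("Statement", []))
        if st.get("Effect") == "Allow"
        and _is_anonymous(st.get("Principal"))
        and not _has_scoping_condition(st)
    ]


def public_access_block_gaps(pab: dict) -> list:
    """Names of the Block Public Access settings that are off."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def audit_bucket(policy: dict, pab: dict) -> dict:
    """Combine both views: a public statement is reachable anonymously only while
    RestrictPublicBuckets is off (when on, a public policy is limited to the bucket
    owner's account and AWS service principals)."""
    public = find_public_statements(policy)
    return {
        "public_statements": public,
        "public_access_block_gaps": public_access_block_gaps(pab),
        "effective_public": bool(public) and not pab.get("RestrictPublicBuckets", False),
    }
```

To run it against a real bucket, replace the two constants with the parsed CLI output (note that `get-bucket-policy` returns the document as a string under the `Policy` key, which has to be parsed a second time). A statement pinned to a VPC endpoint is not treated as public, but the check is deliberately conservative: anything with an anonymous principal and no source-pinning condition is flagged, and the fix is to delete the statement and turn all four Block Public Access switches on.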

15. Partner with the right people. 

“Under revised HIPAA rules, HIPAA business associates are held to the same standards as HIPAA-covered entities when it comes to protecting patient data and being fined for failing to do so. Update your business associate agreements to reflect this — and do so regularly. Force business associates to create processes for discovering and reporting data breaches to you. Work with them to explicitly state who’s responsible for what in the event of a data breach, and remember that state breach notification laws may differ from HIPAA. Make your BAs responsible for their subcontractors’ actions, since a healthcare data breach caused by a subcontractor will eventually get back to you.” 

— Brian Eastwood, 12 Tips to Prevent a Healthcare Data Breach, Computerworld; Twitter: @Computerworld

16. Know the basics of HIPAA non-compliance and common violations. 

“The main takeaway for HIPAA compliance is that any company or individual that comes into contact with PHI must enact and enforce appropriate policies, procedures, and safeguards to protect data. HIPAA violations occur when there has been a failure to enact and enforce appropriate policies, procedures, and safeguards, even when PHI has not been disclosed to or accessed by an unauthorized individual. Violations of HIPAA often result from the following:

  • Lack of adequate risk analyses
  • Lack of comprehensive employee training
  • Inadequate Business Associate Agreements
  • Inappropriate disclosures of PHI
  • Ignorance of the minimum necessary rule
  • Failure to report breaches within the prescribed timeframe” 

HIPAA for Dummies, HIPAA Guide 

17. It’s up to companies to develop their own security measures to ensure PHI integrity, availability, and confidentiality. 

“The HIPAA Security Rule specifies safeguards that covered entities and their business associates must implement to protect ePHI confidentiality, integrity, and availability. Covered entities and business associates must develop and implement reasonable and appropriate security measures through policies and procedures to protect the security of ePHI they create, receive, maintain, or transmit. Each entity must analyze the risks to ePHI in its environment and create solutions appropriate for its own situation. What is reasonable and appropriate depends on the nature of the entity’s business as well as its size, complexity, and resources.” 

HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules, MLN Fact Sheet, CMS.gov; Twitter: @CMSGov

18. Use caution when sending PHI through email or other messaging services. 

“Although the text portion of the message may be encrypted, subject lines are not. Protected health information (PHI) can also be unknowingly revealed if you include sensitive information in the titles of email attachments.” 

— Bethany Nock, 4 Helpful Tips for Ensuring HIPAA Compliance, Gebauer Company; Twitter: @GebauerCompany
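Nock’s point is easy to demonstrate: the Subject header and attachment filenames travel outside whatever encrypts the body. The added example below (not code from Gebauer or from the original post) builds two constructed messages with Python’s standard email library, shows that the first leaks a patient identifier in its raw bytes, and runs a simple pre-send check over those cleartext fields. The addresses, patient details, and the MRN and clinical-term patterns are all made up for illustration.

```python
import re
from email.message import EmailMessage

# Constructed starter patterns: identifiers and clinical terms that should never appear in a
# cleartext field. A production DLP check would be broader and tuned to local conventions.
_NW = r"[A-Za-z0-9]"
PHI_PATTERNS = {
    "mrn": re.compile(rf"(?<!{_NW})MRN[-_ ]?\d{{5,}}(?!\d)", re.I),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "dob": re.compile(rf"(?<!{_NW})(?:DOB|date of birth)\W{{0,4}}\d{{1,2}}[/-]\d{{1,2}}[/-]\d{{2,4}}", re.I),
    "clinical_term": re.compile(
        r"(?<![A-Za-z])(?:biopsy|diagnosis|pathology|oncology|psychiatric|HIV|lab results)(?![A-Za-z])", re.I),
}


def cleartext_fields(msg: EmailMessage):
    """Fields that stay readable even when the body is encrypted: the Subject header
    and every attachment's filename (carried in Content-Disposition)."""
    yield "Subject", msg.get("Subject", "") or ""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield f"attachment filename ({part.get_content_type()})", name


def header_phi_findings(msg: EmailMessage) -> list:
    """(location, pattern name, matched text) for every PHI-looking token in a cleartext field."""
    findings = []
    for location, text in cleartext_fields(msg):
        for label, rx in PHI_PATTERNS.items():
            findings.extend((location, label, m.group(0)) for m in rx.finditer(text))
    return findings


def ok_to_send(msg: EmailMessage) -> bool:
    """Gate for an outbound mail hook: refuse delivery while any cleartext field trips a pattern."""
    return not header_phi_findings(msg)


def build_message(subject: str, body: str, attachment_name: str) -> EmailMessage:
    """Constructed outbound message; the PDF bytes are a placeholder, not a real document."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = "specialist@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename=attachment_name)
    return msg


# Stand-in for an encrypted body: the content is protected, the headers around it are not.
ENCRYPTED_BODY = ("-----BEGIN PGP MESSAGE-----\n"
                  "(constructed placeholder for ciphertext)\n"
                  "-----END PGP MESSAGE-----\n")

# Before: the subject line and the attachment name reveal who the patient is and why.
UNSAFE = build_message("Re: John Doe biopsy results, MRN 123456", ENCRYPTED_BODY,
                       "Doe_John_MRN123456_pathology.pdf")
# After: opaque subject and filename; the descriptive name travels inside the ciphertext.
SAFE = build_message("Secure message from Example Clinic", ENCRYPTED_BODY,
                     "secure-attachment-7f3a9c.pdf.pgp")
```

Hook `ok_to_send` into the outbound path (a milter, a transport rule, or the send function of a secure-messaging application). PGP/MIME and S/MIME encrypt the inner MIME structure, so attachment names can be protected that way, but the Subject header normally stays outside the encrypted envelope in both; the safe answer is a generic subject and an opaque filename, with the descriptive name kept inside the ciphertext.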

19. “Addressable” specifications in the HIPAA Security Rule are not optional: implement them unless you can document why an alternative safeguard is reasonable and appropriate for your organization. 

“The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI). 

“The Security Rule is made up of 3 parts:

  • Technical Safeguards 
  • Physical Safeguards 
  • Administrative Safeguards 

“All 3 parts include implementation specifications. Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented. (See the HHS answer.) 

“It is important to remember that an addressable implementation specification is not optional. When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.” 

— Jason Wang, How do I become HIPAA compliant? (a checklist), TrueVault; Twitter: @TrueVault

20. If you decide that an addressable specification isn’t reasonable and appropriate for your company, you must document the basis for this decision and implement an alternative mechanism to meet the relevant standard. 

“In an effort to make the Security Rule more flexible and applicable to covered entities of all sizes, some implementation specifications are required, while others are only addressable. Required implementation specifications must be implemented by all covered entities. Addressable implementation specifications require a covered entity to assess whether the specification is a reasonable and appropriate safeguard in the entity’s environment. 

“If the specification is reasonable and appropriate, the covered entity must implement the specification. If a covered entity determines that an addressable implementation specification is not reasonable and appropriate, it must document its assessment and basis for its decision, and implement an alternative mechanism to meet the standard addressed by the implementation specification.” 

HIPAA security rule & risk analysis, American Medical Association; Twitter: @AmerMedicalAssn

21. Implement all technical safeguards required under the HIPAA Security Rule. 

“The technical safeguards included in the HIPAA Security Rule break down into four categories. 

  1. Access control. These controls are designed to limit access to ePHI. Only authorized persons may access confidential information. 
  2. Audit control. Covered entities must use hardware, software, and procedures to record ePHI. Audit controls also ensure that they are monitoring access and activity in all systems that use ePHI. 
  3. Integrity controls. Entities must have procedures in place to make sure that ePHI is not destroyed or altered improperly. These must include electronic measures to confirm compliance. 
  4. Transmission security. Covered entities must protect ePHI whenever they transmit or receive it over an electronic network. 

“The technical safeguards require HIPAA-compliant entities to put policies and procedures in place to make sure that ePHI is secure. They apply whether the ePHI is being stored, used, or transmitted.” 

— Bojana Dobran, HIPAA Compliance Checklist: How Do I Become Compliant?, PhoenixNAP; Twitter: @phoenixnap

22. Make risk analysis an ongoing process. 

“The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all the safeguards contained in the Security Rule. 

“A risk analysis process includes, but is not limited to, the following activities: 

  • Evaluate the likelihood and impact of potential risks to e-PHI; 
  • Implement appropriate security measures to address the risks identified in the risk analysis; 
  • Document the chosen security measures and, where required, the rationale for adopting those measures; and 
  • Maintain continuous, reasonable, and appropriate security protections. 

“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” 

Summary of the HIPAA Security Rule, HHS.gov; Twitter: @HHSOCR
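Audit controls (item 21) are only useful if someone, or something, reads what they record, which is the ongoing review item 22 calls for. The added example below, not from HHS, PhoenixNAP or the original post, runs three review rules over a constructed EHR audit log: a non-clinical role touching patient records, one user opening an unusual number of distinct charts in a short window, and a burst of failed logins followed by a success. Field names, roles and thresholds are assumptions to adapt to your own logging schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an EHR application audit log in JSON-lines form. The field names
# (ts, user, role, event, patient, src) are assumptions; map your own system's schema onto them.
SAMPLE_LOG = """
{"ts":"2019-10-03T02:14:00Z","user":"it.admin","role":"sysadmin","event":"record.export","patient":"P1001","src":"10.0.1.2"}
{"ts":"2019-10-03T09:00:05Z","user":"dr.smith","role":"physician","event":"record.view","patient":"P1001","src":"10.0.4.21"}
{"ts":"2019-10-03T09:01:10Z","user":"dr.smith","role":"physician","event":"record.view","patient":"P1002","src":"10.0.4.21"}
{"ts":"2019-10-03T09:02:00Z","user":"nurse.jones","role":"nurse","event":"record.view","patient":"P2001","src":"10.0.7.8"}
{"ts":"2019-10-03T09:02:20Z","user":"nurse.jones","role":"nurse","event":"record.view","patient":"P2002","src":"10.0.7.8"}
{"ts":"2019-10-03T09:02:41Z","user":"nurse.jones","role":"nurse","event":"record.view","patient":"P2003","src":"10.0.7.8"}
{"ts":"2019-10-03T09:03:05Z","user":"nurse.jones","role":"nurse","event":"record.view","patient":"P2004","src":"10.0.7.8"}
{"ts":"2019-10-03T09:03:30Z","user":"nurse.jones","role":"nurse","event":"record.view","patient":"P2005","src":"10.0.7.8"}
{"ts":"2019-10-03T09:03:52Z","user":"nurse.jones","role":"nurse","event":"record.view","patient":"P2006","src":"10.0.7.8"}
{"ts":"2019-10-03T09:10:00Z","user":"billing.kim","role":"billing","event":"login.failure","src":"203.0.113.9"}
{"ts":"2019-10-03T09:10:07Z","user":"billing.kim","role":"billing","event":"login.failure","src":"203.0.113.9"}
{"ts":"2019-10-03T09:10:15Z","user":"billing.kim","role":"billing","event":"login.failure","src":"203.0.113.9"}
{"ts":"2019-10-03T09:10:22Z","user":"billing.kim","role":"billing","event":"login.failure","src":"203.0.113.9"}
{"ts":"2019-10-03T09:10:30Z","user":"billing.kim","role":"billing","event":"login.failure","src":"203.0.113.9"}
{"ts":"2019-10-03T09:10:38Z","user":"billing.kim","role":"billing","event":"login.success","src":"203.0.113.9"}
"""

# Roles expected to open patient records as part of care; anything else touching ePHI is reviewed.
CLINICAL_ROLES = {"physician", "nurse", "pharmacist"}


def parse_log(text: str) -> list:
    """Parse JSON lines, convert timestamps, and sort so the sliding windows see events in order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: list, bulk_threshold: int = 5, bulk_window: timedelta = timedelta(minutes=10),
           fail_threshold: int = 5, fail_window: timedelta = timedelta(minutes=5)) -> list:
    """Review rules over ePHI access and authentication events (thresholds are assumptions):
    - non_clinical_phi_access: a non-clinical role opened or exported a patient record
    - bulk_record_access: one user touched >= bulk_threshold distinct patients within bulk_window
    - credential_guessing: >= fail_threshold failures from one user+source within fail_window
    - login_after_failure_burst: a success from that same user+source after such a burst"""
    alerts = []
    views = defaultdict(deque)      # user -> (ts, patient) pairs inside bulk_window
    failures = defaultdict(deque)   # (user, src) -> failure timestamps inside fail_window
    bulk_alerted, burst_alerted = set(), set()

    def alert(rule, e, detail):
        alerts.append({"rule": rule, "user": e["user"], "ts": e["ts"].isoformat(), "detail": detail})

    for e in events:
        if e["event"].startswith("record."):
            if e["role"] not in CLINICAL_ROLES:
                alert("non_clinical_phi_access", e, f'{e["role"]} did {e["event"]} on {e["patient"]}')
            q = views[e["user"]]
            q.append((e["ts"], e["patient"]))
            while e["ts"] - q[0][0] > bulk_window:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= bulk_threshold and e["user"] not in bulk_alerted:
                bulk_alerted.add(e["user"])
                alert("bulk_record_access", e, f"{len(distinct)} distinct patients within {bulk_window}")
        elif e["event"] == "login.failure":
            key = (e["user"], e["src"])
            q = failures[key]
            q.append(e["ts"])
            while e["ts"] - q[0] > fail_window:
                q.popleft()
            if len(q) >= fail_threshold and key not in burst_alerted:
                burst_alerted.add(key)
                alert("credential_guessing", e, f"{len(q)} failures from {e['src']} within {fail_window}")
        elif e["event"] == "login.success":
            if (e["user"], e["src"]) in burst_alerted:
                alert("login_after_failure_burst", e, f"success from {e['src']} after a failure burst")
    return alerts
```

Run it against a daily export and route the alerts into whatever ticketing or SIEM workflow your incident response process already uses. The value is less in these particular rules than in having each one written down as an explicit, testable statement of what appropriate access to ePHI means in your environment, which is exactly the evidence a risk analysis and an OCR investigation both ask for.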

23. Encryption is paramount for HIPAA compliance. 

“The vast majority of ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unsecured ePHI across open networks. 

“Breaches of this nature are easily avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every circumstance, it is a security measure which should be thoroughly evaluated and addressed. Suitable alternatives should be used if data encryption is not implemented. Data encryption renders stored and transmitted data unreadable and unusable in the event of theft. 

“Data is first converted to an unreadable format — termed ciphertext — which cannot be unlocked without a security key that converts the encrypted data back to its original format. If an encrypted device is lost or stolen, it will not result in a HIPAA breach for the exposure of patient data. Data encryption is also important on computer networks to prevent hackers from gaining unlawful access.” 

HIPAA Compliance Checklist, HIPAA Journal; Twitter: @HIPAAJournal

24. Know the record retention requirements of your state. 

“There are no HIPAA record retention requirements as far as medical records are concerned, but medical record retention requirements are covered by state laws. Data retention policies must therefore be developed accordingly.” 

HIPAA for Dummies, HIPAA Guide

Stay Tuned for More . . .

Stay tuned for future blog posts where we provide tips for creating HIPAA Compliance Policies & Procedures and Employee Training Tips for HIPAA Compliance. In the meantime, if you would like to learn more about how Threat Stack can help you with your organization’s specific compliance and cloud security requirements, be sure to sign up for a demo of the Threat Stack Cloud Security Platform. Our experts would be pleased to speak with you.
