Our last post on HIPAA compliance — HIPAA Compliance Tips & Best Practices — Building Your Foundational Knowledge — provided expert insights that are designed to help healthcare providers and business associates develop their foundational knowledge of HIPAA regulations and requirements. Today’s post offers insights into how an organization can achieve effective governance by translating its understanding of HIPAA into effective operational policies and procedures.
If you use a cloud services provider such as Amazon Web Services (AWS), remember that no platform can ensure total compliance — ultimately, compliance is your responsibility.
AWS operates under a shared responsibility model, meaning that they are responsible for certain aspects of security and compliance, while the user is responsible for others. While AWS has several tools, features, and services that make it easier to be HIPAA compliant, you should always remember that using AWS alone is not proof of compliance. You’ll still need to make sure that you are following the standards. No software, platform, or healthcare technology can ensure total compliance. Only you can. Compliance is not a feature of AWS: It is the result of using it.
In light of this, all organizations need policies and procedures to provide strong and effective governance. The more closely your policies and procedures mesh compliance requirements with the specific nature of your organization and systems, the more effective they will be. Our goal in this blog post, therefore, is to bring you insights that will help you develop a well-thought-out set of policies and procedures that will, in turn, help you address your HIPAA compliance, security, and operational needs in a proactive, consistent, and structured manner.
1. Know the fundamentals of an effective HIPAA compliance program.
“The Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) released a compliance training guide and established ‘The Seven Fundamental Elements of an Effective Compliance Program.’ These are the seven guiding principles that you should use to drive your HIPAA compliance efforts, and an auditor uses these criteria during investigations:
- Implementing written policies, procedures, and standards of conduct
- Designating a compliance officer and compliance committee
- Conducting effective training and education
- Developing effective lines of communication
- Conducting internal monitoring and auditing
- Enforcing standards through well-publicized disciplinary guidelines
- Responding promptly to detected offenses and undertaking corrective action”
— Jeff Petters, What is HIPAA Compliance? Your 2019 Guide + Checklist, Varonis; Twitter: @varonis
2. Document all changes in policy, procedure, and training in order to comply with HIPAA.
“HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.”
3. Get outside help.
“Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.”
4. If you’re not sure where ePHI is located in your environment, assume that all systems contain ePHI that must be adequately protected.
“In many of its breach investigations, the OCR has found that the scope of systems covered in an organization’s risk analysis / risk management program failed to consider all places ePHI could be located in their environment. Knowing where ePHI can be located can be difficult, but it is a very important part of compliance, and it is surprising how often companies aren’t exactly sure where ePHI resides within their systems. In any case, it’s better to be safe than sorry — if an organization is handling ePHI as part of the services provided, and it is unknown which systems ePHI is restricted to, an organization should assume that all systems in the environment are in scope for HIPAA. For efficiency purposes, a good approach, when possible, is to segment out systems that could receive, transmit, or store ePHI. That can help limit the scope. But at the end of the day, it’s very difficult to implement an effective risk analysis / risk management program without knowing how ePHI flows through the environment or what systems are in scope for HIPAA. As such, identifying ePHI and the various environments that it touches within an organization is the necessary first step in developing a HIPAA-compliant risk analysis / risk management program.”
— Doug Kanney, HIPAA Risk Analysis and Risk Management Program Considerations, The Schellman Advantage Blog; Twitter: @schellmanco
5. Follow up your risk assessment with a comprehensive, effective risk-management strategy.
“All risks identified during the risk analysis must be subjected to a HIPAA-compliant risk management process and reduced to a reasonable and appropriate level. Risk management is critical to the security of ePHI, and PHI and is a fundamental requirement of the HIPAA Security Rule.”
— HIPAA for Dummies, HIPAA Guide
6. Create an airtight BYOD policy.
“When we think of a bring your own device (BYOD) policy, we might think of privately owned cell phones brought into a sensitive network, but there’s more to it than that. It includes the devices used at a company: work laptops and work phones — that go home and are connected to home networks or airport Wi-Fi — and then are brought back to your sensitive data environment. We see devices stolen which had no disk encryption. Remember: All of your PHI and ePHI needs to be properly encrypted.”
7. Carry out your post-audit remediation plan.
“Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.”
8. Have an incident response plan.
“Even if you haven’t been breached yet, it’s likely you will at some point: whether it’s a small incidental breach or a major event where the contents of your database have been exfiltrated outside of your network. The size and severity will vary depending on the amount of time and resources you’ve put into your security. But, regardless of the size of the breach, if you haven’t prepared for the aftermath, it’s going to be significantly more painful and expensive. First, you need to document your incident response plan, (and do so before a breach, rather than after). Second, you need to use the incident response plan to minimize potential impact. This will help you to reduce fines and any negative effects on your business and customers. Make sure you’re identifying all the potential risk and vulnerabilities. This can be done through a risk analysis.”
9. Anticipate breaches.
“Take note of the breaches inside and outside of healthcare. Look for common patterns and themes. Crawl your own IT environment and see if similar conditions are ripe for exploit. Being smart is learning from your mistakes, but being wise comes when we also incorporate learning from others’ shortfalls.”
— Josh Mayfield, 3 Lessons Learned from Healthcare Security Breaches, Absolute Blog; Twitter: @absolutecorp
10. Prepare and implement a layered security strategy.
“The best breach prevention is a comprehensive layered defense strategy that spans endpoints and networks; if one of the layers fails, there are other layers in place to ensure you remain protected.”
— Data Breach Prevention for Healthcare: A Best Practices Guide, Absolute Blog; Twitter: @absolutecorp
11. Have a Notice of Privacy Practices.
“Having a Notice of Privacy Practices is a mandatory standard of the HIPAA Privacy Rule. Covered entities must allow patients to review and agree to their organizational Notice of Privacy Practices before beginning treatment. HIPAA regulation mandates that covered entities must have their Notice of Privacy Practices posted in plain sight for patients to review, in addition to paper copies. Common HIPAA violations can result from a covered entity’s failure to properly disclose their Privacy Practices, or a breach thereof. Under the HIPAA Privacy Rule, patients have certain rights to the access, privacy, and integrity of their health care data and PHI.”
12. Know the difference between “required” and “addressable” security measures.
“Practically every safeguard of HIPAA is ‘required’ unless there is a justifiable rationale not to implement the safeguard, or an appropriate alternative to the safeguard is put in place that achieves the same objective and provides an equivalent level of protection.”
— HIPAA for Dummies, HIPAA Guide
13. Implement continuous monitoring, user access controls, audit logs, and file integrity monitoring.
“While a large number of healthcare breaches make the headlines (Anthem, Premera Blue Cross, and Community Health Systems — among too many others), many more do not. Ponemon reported that nine in 10 healthcare organizations have experienced a data breach in the past two years, and 45 percent of them had more than five breaches in that time period.
“While compliance doesn’t always equal security, it becomes pretty clear what HIPAA is trying to achieve in terms of protecting healthcare data. And in talking with many of our own customers, we’ve found that companies are preemptively putting in place practices like continuous monitoring of their systems and networks, user access controls, audit logs, and file integrity monitoring.
“Then, when it comes to meeting HIPAA requirements, these companies find they’re already well on their way, making HIPAA not as painful as it could be if they were starting from scratch. We also hear from customers that by having Threat Stack in place, they are able to meet a broad range of these requirements without additional work. This is a big deal when it comes to streamlining tools and processes.
“While HIPAA compliance won’t guarantee security or prevent every single breach, it’s a very big step in the right direction.”
Stay Tuned for More . . .
Your organization needs to take responsibility for effective governance, and an effective way to do this is to use well-crafted, repeatable, and improvable policies and procedures. This will help you to optimize operations and achieve continuous compliance. Hopefully, the issues raised in this post will help you identify and analyze the areas in your organization that need to be governed by well-designed policies and procedures that address HIPAA requirements.
In the next post in this series, we’ll cover Employee Training Tips for HIPAA Compliance as a way to shed light on ways of preparing your team for HIPAA implementation, operations, and continuous improvement. In the meantime, if you would like to learn more about how Threat Stack can help you with your organization’s compliance and cloud security requirements, be sure to sign up for a demo of the Threat Stack Cloud Security Platform®. Our experts would be pleased to speak with you.