For enterprises that handle consumer healthcare information, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become one of the most important regulations around data security. A lack of understanding of or commitment to HIPAA requirements has proven to be costly for a variety of organizations. For example, CardioNet, a provider of remote mobile care for patients at risk for cardiac arrhythmias, was recently ordered to pay $2.5 million in noncompliance fees for not fully implementing safeguards for electronic protected health information (ePHI).
CardioNet was reported to the government agency that handles HIPAA complaints after an employee laptop was stolen, endangering the personal health data of nearly 1,400 individuals. The $2.5 million penalty will no doubt be a blow to the organization; meanwhile, the damage to its reputation will likely be felt for years to come.
The CardioNet example illustrates how important it is that enterprises meet the strict—and, at times, complex—security and privacy standards set forth by HIPAA. But with so many other cybersecurity concerns to contend with, you may be wondering where to start. Here, we explain what your enterprise must do to ensure HIPAA IT compliance:
MEET BOTH SECURITY RULE AND PRIVACY RULE STANDARDS
The U.S. Health and Human Services (HHS) website explains that organizations must meet two key standards:
- The HIPAA Privacy Rule, which establishes national standards for the protection of certain health information
- The HIPAA Security Rule, which establishes a national set of standards to protect certain health information that is held or transferred in electronic form
The Privacy Rule applies to private health information in any form, while the Security Rule specifically covers ePHI. The latter was designed to protect people’s health information while providing a path forward for organizations looking to adopt newer technologies and techniques for handling such data, including electronic health records, digital pharmacy and laboratory systems, and computerized physician order entry (CPOE) systems.
To comply with both the Privacy and the Security Rules, you must meet a list of requirements, including:
- Ensure the confidentiality, integrity, and availability of all ePHI that your enterprise creates, receives, maintains, or transmits
- Identify and protect against potential threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by all employees
To effectively protect patient data, HHS expects organizations to conduct frequent risk analysis to identify potential threats and evaluate their likelihood and impact.
MEET ALL APPLICABLE SAFEGUARDS
The Security Rule is the key to ensuring enterprise-level HIPAA IT compliance. The rule is divided into three different safeguard categories: administrative safeguards, physical safeguards, and technical safeguards. In turn, each safeguard category is divided into standards that are meant to guide an organization toward compliance.
It’s important to note that some implementation standards are mandatory, while others are “addressable,” or recommended. Generally, it’s best to err on the side of caution, but your organization may decide against implementing certain “addressable” standards.
Here is a brief overview of each of the Security Rule safeguard categories:
- Administrative safeguards govern a company’s workforce and how it handles IT security. Standards cover the following areas:
- Security management process
- Security personnel
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency planning
- Business associate contracts and other arrangements
- Physical safeguards focus on physically protecting electronic systems and data from unauthorized access, environmental dangers, and other outside threats. Standards include:
- Facility access controls
- Workstation use and security
- Device and media controls
- Technical safeguards protect the data itself and limit access to it. Standards include:
- Access control
- Audit controls
- Person/entity authentication
- Transmission security
MEET RISK ANALYSIS REQUIREMENTS
The Office for Civil Rights (OCR) also requires organizations to conduct and document risk analyses to identify what steps they need to take to meet the HIPAA Security Rule and to ensure that all ePHI is being properly protected. The risk analysis can be a self-evaluation or can be done by a third-party consulting firm.
The OCR offers general guidelines on those elements of a risk analysis that must be evaluation and documented; however, a full risk assessment will be different for many organizations. It’s important for organizations to realize that risk analyses are in fact required, and documentation of your analysis would be one of the first items requested during a HIPAA audit.
CONDUCT REGULAR REVIEWS
Of course, HIPAA compliance isn’t a one-and-done task. It’s a process that requires regular audits and review, constant vigilance, and ongoing training of new and existing employees.
At an enterprise-level organization, achieving HIPAA IT compliance will require dedicated resources and complete buy-in from the top down. The good news is that thousands of organizations nationwide are successfully meeting HIPAA requirements and, in turn, helping to keep their IT data extremely secure. Working through the HIPAA safeguards and standards may help to heighten your level of IT security enterprise-wide—a goal that all companies could benefit from today.
To get started, you and your team can easily find helpful HIPAA checklists online. However, to ensure ongoing compliance and to meet the requirements for risk analysis, consider partnering with an IT consulting firm that can provide insight into your IT security position and what needs to be done to ensure all applicable HIPAA rules and standards are met.