A Step-by-Step Guide to HIPAA Compliance


Although customer privacy and cybersecurity are critical regardless of industry, the healthcare industry remains the largest target of data theft. Health data, including patient medical records, is among the most valuable forms of data on the black market. The Health Insurance Portability and Accountability Act (HIPAA) was established to protect this confidential data.

Although it is certainly menacing, online piracy accounts for only a small portion of data theft. Unencrypted messaging, unmonitored access controls, inadequate employee training, and internal theft are far more often the cause of expensive violations. There is only one way to protect your bottom line: you must become HIPAA compliant.

What exactly is HIPAA compliance? Which businesses are required to be in compliance? And how do I go about building a robust HIPAA compliance program? These are all great questions; let’s examine them in detail.

Who Needs to Be HIPAA Compliant?

HIPAA requires compliance from all Covered Entities and Business Associates.

Covered entities (CEs) are organizations that electronically transmit protected health information (PHI). They include the following:

Healthcare Providers

Healthcare providers must ensure that they are in compliance with HIPAA regulations. All hospitals, doctor’s offices, telehealth services, and software platforms that provide patient care must meet HIPAA requirements at all times.

Health plans, insurers, and clearinghouses

Because health plans, insurers, and clearinghouses all manage PHI for a large number of patients, they are also considered CEs and must comply with HIPAA regulations at all times.

Business Associates are any entities (vendors, contractors, or hired subcontractors) that work on behalf of a covered entity to store or transmit PHI. In other words, if you’re a startup looking to develop a mobile app that records, stores, manages, or shares PHI for, with, or on behalf of CEs, then HIPAA applies to you. Business associate categories include:

  • Software vendors
  • Legal
  • Finance
  • Accounting
  • Actuarial
  • Data aggregation
  • Consulting
  • Accreditation
  • Management/administrative

Startups and software development companies

Any startups and software development companies that receive protected health information from covered entities, including health providers, hospitals, and insurance companies, are typically considered Business Associates (BAs) and must ensure that they are in compliance with HIPAA.

What Are The HIPAA Requirements and Rules?

In order to safeguard patient health data, the US Department of Health and Human Services (HHS) was directed under Title II of HIPAA to develop a series of guidelines and standards. In addition, HHS issued two rules to ensure these new guidelines and standards were clear and effective. Today, they are known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Security Rule

The HIPAA Security Rule was created to define the exact stipulations required to safeguard electronic Protected Health Information (ePHI). In other words, the Security Rule regulates how this information is stored, secured, and transmitted between electronic devices.

Under the HIPAA Security Rule, healthcare organizations must ensure that specific data security policies are in place, including administrative, physical, and technical safeguards.

The HIPAA Privacy Rule

The HIPAA Privacy Rule is responsible for ensuring the protection of individually identifiable health information. This includes private information relating to a patient’s mental and/or physical health, medical treatment, and payment history.

When information contains identifiers such as names, phone numbers, birth dates, Social Security Numbers, or any other personal identifiers, healthcare organizations and providers are responsible for protecting it in all forms and media, including electronic, paper, and oral. In short, any information containing PHI that can be traced to a specific patient is covered by the HIPAA Privacy Rule.

In addition, this rule dictates how healthcare providers may use patient data, including what can be disclosed without patient consent and to whom. The Privacy Rule also guarantees and protects a patient’s right to access the majority of their PHI and to obtain copies of their medical records. For this reason, healthcare providers are required to create and implement privacy policies for staff and patients and to ensure that both are well informed about these policies. Organizations must also provide staff with annual HIPAA training.

The Omnibus Rule

In 2013, the Omnibus Rule, which brought changes to the Privacy and Security Rules, was passed and significantly expanded potential liability for covered entities. This rule extended accountability to any businesses that work for, or on behalf of, CEs and as a result handle PHI; these businesses are referred to as Business Associates.

This rule also implemented a new set of provisions required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009. Thanks to the HITECH Act, Electronic Health Records (EHR) are much more common throughout the United States, HIPAA security and privacy protections were strengthened, and the legal and financial liability of non-compliant organizations was increased.

Breach Notification Rule

The Breach Notification Rule states that all CEs and BAs must notify the Office for Civil Rights (OCR) should any ePHI be breached. In addition, this rule details which types of breaches must be reported and how an organization should go about reporting a breach. A breach is defined by the OCR as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule is what empowers HHS to enforce the Privacy and Security Rules. This rule enables the OCR to investigate HIPAA complaints, conduct compliance reviews, perform education and outreach, and impose heavy fines of up to $1.5 million USD.

Seven Steps to Becoming HIPAA Compliant

1. Create Privacy and Security Policies

Simply following the HIPAA Privacy and Security Rules is not enough. Every organization, covered entities and business associates alike, must be able to prove that it is proactively taking measures to prevent violations, and this is achieved by developing robust privacy and security policies. In short, HIPAA policies function as a guide for handling sensitive patient data, emergencies, service outages, and staff access and training. Make sure your policies are well documented and communicated to all staff members.

2. Delegate a HIPAA Privacy and Security Officer

HIPAA states that every organization must appoint both a HIPAA security officer and a HIPAA privacy officer. Typically, the security officer is responsible for setting technical security standards and ensuring that all PHI remains securely protected in accordance with HIPAA requirements. The privacy officer, on the other hand, is responsible for managing HIPAA administrative standards throughout the organization, including conducting staff training and reviewing and maintaining policies. Within smaller organizations, one individual may hold both roles.

3. Implement Security Safeguards

There are three sets of safeguards that a team needs to consider when managing PHI or building healthcare applications and solutions that must meet HIPAA compliance standards. They are the following:

Physical safeguards refer to the physical controls that protect the devices and facilities that store ePHI. This includes securing physical servers and machines and restricting employee access to them.

Technical safeguards refer to the technical controls on any networked computers or devices that transmit information containing ePHI when communicating with each other, including enhanced network security, perimeter firewalls, access control, and authentication protocols.

Administrative safeguards cover how an enterprise creates and manages its employee policies and procedures, ensuring they comply with the Security Rule.

4. Conduct a Risk Assessment

All teams must perform a security risk assessment at least annually in order to be HIPAA compliant. Ideally, a team should develop a repeatable process for risk assessment and analysis. Risk assessments should be performed with the assistance of a third party in order to avoid a biased assessment of an organization’s HIPAA security controls. Upon completion, security staff should review the findings and remediate any potential compliance issues.

5. Sign a Business Associate Agreement (BAA)

All organizations that manage PHI must ensure that a business associate agreement (BAA) is in place with every vendor that will come into contact with PHI. For an organization to become HIPAA compliant, it must sign a BAA with all cloud service providers, vendors, and software solutions that store, process, and/or transfer PHI. A vendor should never store or process PHI without having entered into a BAA with the organization. All BAAs must be reviewed annually and updated to reflect any changes in the relationship.

6. Establish a Breach Notification Protocol

The Breach Notification Rule described earlier dictates that all CEs and BAs must report a breach to the OCR and promptly notify all patients whose data may have been compromised.

Should a breach occur, as long as you can prove that it was unintentional and that you did everything in your power to prevent it, you’ll have a good chance of avoiding potentially debilitating penalties. For this reason, HIPAA requires that all organizations have a well-documented breach protocol in place that outlines in detail how this rule will be followed and what steps will be taken should a breach occur.

7. Document Everything

If your team is audited by HHS/OCR, the OCR will want to review all evidence relating to your HIPAA compliance efforts, including privacy and security policies, risk assessments, remediation plans, and staff training records. Be sure to keep track of everything and have a copy ready to hand over.

Monitor and Maintain Compliance With Dash

Dash ComplyOps can help your team implement all necessary technical safeguards, including disaster recovery (DR), encryption, vulnerability scanning, and intrusion detection, which is everything needed to monitor compliance configuration in the cloud.

Additionally, Dash security policies and administrative safeguards are enforced through continuous compliance monitoring, giving teams the visibility to see when cloud resources conflict with security policies or fall out of compliance with HIPAA so they can act accordingly.

Typically, digital health companies are vetted by completing a vendor risk assessment before they can do business with hospitals and enterprise healthcare companies. That’s where Dash comes in: the company specializes in giving healthcare companies the foundation needed to build and validate their security posture and achieve HIPAA compliance. Consider working with Dash to create security policies, generate compliance reports, and share internal controls and security information with hospitals and enterprise partners.

Organizations that have worked closely with Dash have reported an increased understanding of their overall security program, allowing them to quickly complete security risk assessments and, in turn, get through the procurement process with hospitals and health systems much faster.

About Author

Founded in 1994 by the late Pamela Hulse Andrews, Cascade Business News (CBN) became Central Oregon’s premier business publication. CascadeBusNews.com • CBN@CascadeBusNews.com