There are several data security compliance standards that impact today’s organizations, but few of them have the public visibility of HIPAA. Unlike compliance regimes such as ISO/IEC 27001:2013 or PCI DSS 3.2, the average consumer has likely heard of HIPAA and might even know that it applies to health information. Part of this familiarity is due to their experience with the healthcare system, but high profile media reports of data breaches no doubt play a role as well. For any company that could potentially deal with health information, however, understanding the details of these regulations when developing IT compliance for HIPPA programs is critically important.
Passed by the US Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) established nationwide standards for the management and security of protected health information (PHI). Although the original purpose of the law was to cut down on healthcare fraud and abuse, it came to play a very important role in patient data security thanks to the rapid digitization of health records in the years following its passage. In order to comply with the law, organizations must put safeguards in place to ensure the confidentiality, integrity, and availability of health information. In 2009, HIPAA was further augmented by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), which promoted the expanded use of electronic health records (EHR) and expanded existing protections to cover the management of electronic protected health information (ePHI). New HIPAA regulations that strengthened non-compliance liabilities were put in place in 2013.
Although HIPAA is understandably associated with healthcare providers, the provisions of the law can apply to any organization that collects or manages data that falls under the definition of PHI. Generally, PHI is any health information involved in the provision of healthcare, payment for healthcare services, or use in healthcare operations. While it includes obvious information such as the results of a medical diagnosis, treatment information, lab test results, or prescriptions, it also applies to identifiable information such as names, Social Security numbers, biometric identifiers, or anything that could be used to connect existing patient data to a specific individual.
Even if an organization is not involved in collecting this data or delivering healthcare services, if they are a vendor or supplier for a company that does, they need to be in compliance with the law. As the recent data breach involving the billing agency AMCA has shown, it’s critically important for healthcare organizations to make sure their contractors have implemented best compliance and risk management practices.
When an organization makes a HIPAA compliance checklist, there are three broad areas they need to consider as they assess their risk management systems and controls to assure compliance with HIPAA standards.
Protecting medical records and PHI is the fundamental purpose of HIPAA. The concept is based upon a patient’s fundamental right to privacy. Under HIPAA law, no health information or records can be disclosed without the patient’s authorization. Patients also have the right to request a copy of their records at any time and make whatever corrections they deem necessary. Any system for managing health data must account for these privacy requirements.
In order to ensure privacy, organizations must put security systems in place to protect any health information they gather, use, or manage. These protections are referred to as safeguards under HIPAA and they take a number of forms within a broader information security program.
Although HIPAA focuses heavily on breach prevention, it also has very strict requirements companies must adhere to when a breach does occur. The first step is defining the scope of the breach, assessing the potential risk it poses to the people whose information was affected. It’s also possible for protected information to be inadvertently exposed without a direct breach, usually as a result of human or administrative error (although these exposures are usually limited in impact).
When a breach of any kind occurs, the organization must disclose the event to the people impacted. If a large number of people were affected, the media must be notified along with the Secretary of Health and Human Services.
When an organization sets out to meet HIPAA requirements, there are a few key steps it should follow as preliminary actions to prepare for an external HIPAA audit event. Once these steps are completed, an external accredited agency must evaluate the organization to assess its adherence to the standards. If the auditor is satisfied with the measures taken, an attestation report is issued.
Best completed by a third-party audit, a readiness assessment evaluates existing security programs to determine their level of readiness for full HIPAA compliance. This assessment should identify gaps and provide prioritized recommendations for risk remediation as well as a clear road map for how to achieve compliance.
After potential risks are identified, the organization should amend its information security program to address those areas. All deficiencies in privacy, security, and notification policies need to be brought into alignment with the compliance scope the organization needs to meet.
Risk management is a team effort for any organization, so it’s critical that all processes implemented to address compliance need to be distributed and made available to all employees. Documentation detailing HIPAA policies and procedures needs to be created and training programs put in place to ensure continued awareness of compliance requirements.
The best compliance protocols in the world won’t amount to much if an organization’s supplier or vendor doesn’t meet basic HIPAA requirements. A thorough audit needs to identify which business associates could potentially access or handle protected information. An independent audit may be necessary to accurately evaluate their compliance status.
As data breaches continue to make headlines, it’s more important than ever for organizations to have systems and procedures in place to keep health information secure. Apart from the unpleasant media scrutiny, a healthcare-related data breach can also lead to costly HIPAA fines and class action lawsuits organized by individuals whose privacy was violated. Even if an organization isn’t directly involved in the healthcare industry, it needs to take a close look at the patient data it manages and implement the necessary controls if any of it could fall under the scope of HIPAA compliance.