Regulatory compliance is a phrase that sends a shiver down the spine of even the most experienced network administrator. Ever since the Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996, covered entities holding protected health information (PHI) or electronic protected health information (ePHI) have been under pressure to keep it safe.
Organizations that fail to keep this data safe face severe financial consequences, depending on their level of awareness. Annual HIPAA fines can cost up to $25,000 for non-compliant organizations that had no knowledge of wrongdoing, $100,000 for those with reasonable cause, $250,000 for wilful neglect that was corrected, and $1.5 million for wilful neglect that was not corrected (figures are adjusted for inflation).
Unfortunately, complying with the regulations isn’t a matter of filling out a few forms. The growth of cloud computing and the healthcare industry’s struggle to prevent disclosure of patient data call for a hands-on approach to network security and internal access controls.
In this article, we’re going to examine the HIPAA regulations and provide you with a HIPAA compliance checklist to help you stay on the right side of the regulations and protect patients’ protected health information.
What is HIPAA?
HIPAA was put in place to regulate the handling of protected health information. The act created industry-wide standards for data handling, cybersecurity, insider access, and electronic billing. One of the most important regulations to emerge from the rules was that medical data must remain confidential.
The regulations apply to covered entities, insurance providers, and clearinghouses (which process transactions between covered entities and insurance providers). If a care provider doesn’t submit electronic transactions for insurance payment for the treatment it provides to patients, then HIPAA doesn’t apply to it.
It is also worth noting the role of business associates. Business associates are companies that provide services that require persistent access to protected health information and are subject to the regulations.
The idea behind HIPAA is that patient data should be protected from fraudsters and other malicious entities. In the age of cloud computing, the range of entry points makes protecting this data a complex issue. All of your physical and virtual resources need to be secured against cyber attackers to protect patient data.
However, becoming HIPAA compliant is not just a question of network security, but of internal access as well. You must have plans in place to control internal access to patient data and ensure staff adheres to minimum use and disclosure requirements.
These restrictions were put in place to enable the healthcare industry to reduce the improper disclosure of patient information. All staff and business associates must work alongside your network security processes, and not rely on those processes alone to protect patient data.
The HIPAA Privacy Rule
The HIPAA Privacy Rule dictates how PHI can be accessed and handled. The rule only applies to covered entities and states that there must be procedures in place to protect the privacy of patient data. However, privacy rule requirements can also be incorporated into business associate agreements.
Beyond the basic requirement to protect patient data, enterprises also have to support the rights that patients have over that data. HIPAA outlines three rights that all patients have; they can:
- authorize disclosure of their PHI
- request access to a copy of their health records at any time
- request corrections to their records
To break it down further, the HIPAA Privacy Rule states that consent is required from the patient in order to disclose PHI data. In the event that a patient requests access to their data, organizations have 30 days to respond. Failing to respond on time can leave an enterprise open to legal liabilities and potential fines.
The HIPAA Security Rule
The HIPAA Security Rule outlines how ePHI should be managed. The rule stipulates that enterprises should “implement the necessary safeguards” to protect patient data. The HIPAA Security Rule and the HIPAA Privacy Rule are closely related but separate, as they were implemented three years apart.
While the safeguards themselves are not ambiguous, how an entity determines the level of “necessary safeguards” and addresses those in a reasonable and appropriate manner is more complex. To help simplify the requirements, HIPAA breaks down the safeguards into three main sections:
- Administrative safeguards
- Technical safeguards
- Physical safeguards
The HIPAA Security Rule defines administrative safeguards as “administrative actions, and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information.” It also states that managing the conduct of the workforce comes as part of that responsibility.
The administrative safeguards require enterprises to implement administrative processes that control access to patient data and to provide additional training that enables employees to interact with information securely. To manage workforce conduct, an employee should be appointed to oversee HIPAA policies and procedures.
The physical safeguards requirement is about securing the facilities where patient data is located and the resources used to access the data. Controlling access to these areas is one of the major take-away messages of this section.
You need to have measures in place to control access to the places where patient data is processed, to protect devices against unauthorized access (using methods such as two-factor authentication), and to control and record the movement of devices into or out of the facility.
‘Technical safeguards’ is the term used for the technical policies and procedures that protect patient data. Authentication, audit controls, audit reports, record keeping, access controls, and automatic logoffs are all measures that enterprises can implement to fulfill these criteria. There must also be measures in place to make sure that data is safe, whether it is being stored on a device or being moved between locations.
You should also complete a risk assessment to identify risk factors and threats to the security of ePHI data, and then take measures to address those specific threats. The technical safeguards requirement is one of the areas where hiring a qualified HIPAA consultant will pay dividends, as they will make sure there aren’t any gaps.
The Breach Notification Rule
The Breach Notification Rule specifies how enterprises should respond to data breaches. The rule states that organizations must notify affected individuals, the media, or the HHS Secretary in the event of a data breach. A breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information”.
Following a breach, you should notify the necessary parties as soon as possible, and no later than 60 days after the event. When writing up the notification you will need to state: which personal identifiers were exposed, the individual who used the ePHI, whether the ePHI was actually acquired or viewed, and whether the risk of damage has been mitigated.
Reporting is another integral component of the Breach Notification Rule. Smaller breaches affecting fewer than 500 individuals need to be reported through the HHS website annually (if more than 500 individuals are affected, you need to notify the media as well). Monitoring breaches closely on a case-by-case basis to assess the damage and respond accordingly is the key to success.
To help you stay compliant with HIPAA, we’ve compiled a brief list of steps you can take below. Please note that we recommend you enlist the assistance of an experienced HIPAA consultant to keep your data protected. Your consultant will be able to perform a full evaluation of your current security practices and identify areas to improve.
Complete a Risk Assessment
The first thing you need to do when preparing for HIPAA compliance is to assess the overall readiness of your enterprise. What you need to do to comply with the regulations depends on your current cybersecurity processes. A risk assessment that examines how PHI and ePHI data is being managed will show you the gaps in your cybersecurity policy.
For the best results, work with a HIPAA compliance consultant. The consultant will assess your current practices against the requirements of the OCR Audit Protocol, and provide you with a list of recommendations to help achieve compliance. They will also tell you when you’re ready to start the certification process.
Working with an expert is beneficial because you will be able to rely on their experience to find vulnerabilities you may have overlooked. An experienced consultant will have a comprehensive grasp of HIPAA requirements and give you the best chance of achieving your certification.
Remediate Compliance Risks and Refine Processes
When the results of the initial assessment show that you have risk factors to address, it is time to change your processes. If you work with advisors to help you with the assessment, then they can provide you with specific guidance on the policies and procedures you need to implement.
To start with, you will want to address smaller compliance issues before following through on larger targets. Implementing basic measures, such as training employees on cybersecurity practices, minimum use guidelines, disclosure guidelines, and how to use two-factor authentication on devices, helps you start off on the right foot.
From there you can set more complex remediation targets that will tell you which processes you need to prioritize. While network security is very important, it is essential that employees are aware of the importance of internal access controls and avoid disclosing patient information wherever possible.
Manage Risks Long Term (With Network Monitoring Tools)
Achieving HIPAA compliance isn’t a one-time effort but an ongoing challenge. Your long-term strategy will revolve around continually managing risks to make sure that patient data is kept safe.
A network monitoring tool won’t get you compliant on its own, but it can help you to manage some of your risks (provided your internal access controls are adhered to by employees).
In particular, you want to use a tool that:
- uses vulnerability scans
- detects network events
- analyzes audit logs
- visualizes HIPAA components with a topology map
- monitors logons
- automates event analysis
- automates compliance reporting
While you can attempt to monitor HIPAA risks with multiple software products, it is much easier to use a unified platform so you can manage everything in one place. Keep in mind that it only takes one vulnerability for an attacker to gain access to confidential data.
Conditions of compliance
Problems arise when businesses outsource part of their data processing or data storage to external companies. Under these circumstances, the company is dependent on those managed service providers (MSPs) also being HIPAA compliant. Compliance, therefore, needs to be a condition of any contract signed for outsourced IT services.
The requirement of a chain of trust between a company under HIPAA obligations and the companies that serve it puts a great responsibility on MSPs. Without the ability to demonstrate HIPAA compliance, MSPs will not be able to bid for work from companies in the health sector. This creates an imperative for MSPs to become HIPAA compliant.
As discussed above, the easiest way to comply with HIPAA regulations is to buy in a platform of software products that already conform to HIPAA specifications.
MSPs need remote access utilities and system administration tools. They also require Help Desk platforms for both user access and technician support. The technician utilities in an MSP platform are collectively called a remote monitoring and management (RMM) system. The RMM tools have access to the entire client system and are responsible for backing up and archiving data, so they must be designed with HIPAA standards in mind.
The tools an MSP needs to run its business include team management, client management, and contract management. This category of utilities also requires a password vault to hold the access account details for each client and keep them separate and secure. The MSP business management tools are known as “professional services automation” (PSA). As the PSA system includes access rights and sensitive information about client companies, it also needs to comply with HIPAA requirements.
Atera is an example of a fully HIPAA compliant MSP support platform that includes both RMM and PSA systems. The service has been certified as HIPAA compliant since December 1, 2016. The company can also supply a signed business associate agreement (BAA) to its subscribers, which HIPAA requires.
Consult an Experienced HIPAA Consultant
The challenges that come with complying with HIPAA are steep. A small oversight can result in the disclosure of private patient information. Reading up on the rules of the regulations and enlisting the help of an experienced HIPAA consultant will help you to implement the best protection for your enterprise and your patients.
Working with a consultant reduces the chance of compliance gaps that could compromise PHI. While going it alone is possible, there is a higher chance of misinterpreting the level of safeguards you need to protect patient data. An experienced consultant can make the process easier and close the door on financial liabilities.