HIPAA compliance deadlines come and go, but compliance is forever. Whether you've met all the deadlines or you've fallen severely behind, this HIPAA compliance manual will act as a compliance checklist,
What is HIPAA, and what information is protected by it?
HIPAA, short for the United States Health Insurance Portability and Accountability Act, is a set of standards introduced by Congress in 1996 that aim to protect the privacy of patient information in the healthcare industry by regulating how providers handle patient data while conducting business, as well as ensuring the continuity of individuals' healthcare coverage.
There are two sections to the standard: HIPAA Title I, which focuses on protecting citizens' healthcare coverage if they are fired or laid off, and HIPAA Title II, which is focused more on patients' rights and how to properly transmit, share and store their information.
HIPAA created a set of universal standards for exchanging and securing personal data via electronic data interchange (EDI), the goal being to protect all data that is personally identifiable to a specific person, regardless of whether it is communicated orally, electronically or in writing.
The HIPAA privacy rule requires that all health care providers, and any other organization that processes medical records, inform patients of their privacy rights, educate and train staff on how medical data should be properly handled, and implement and practice the required privacy and security policies in order to ensure that patients' electronic health information remains secure.
Breaking down HIPAA security rules and compliance guidelines
HIPAA's standards require that all health care organizations apply and enforce certain protections. The implementation process will differ for every organization depending on its size, budget, risks and infrastructure complexity. But regardless of each organization's different needs in terms of HIPAA implementation, the general HIPAA requirements stay the same.
- Organizations must have an administrative authority in charge of managing and enforcing HIPAA compliance rules, regulations and efforts. There should be a clear set of guidelines in place regulating who is and isn't permitted to access patient information. All access to sensitive data and systems should be monitored.
- Documentation should be provided to patients informing them of their rights.
- All corporate systems, machines and buildings must have physical and technical data and intrusion protection controls to prevent malicious hackers and unauthorized access.
- There must be a traffic-monitoring device, such as a firewall, in place to examine activity coming into and leaving the organization's network.
- Management should conduct risk assessments, enforce data handling policies, implement data loss prevention (DLP) and document all security policies and procedures.
How to achieve compliance with HIPAA
In the early years of HIPAA, fines and penalties for lack of compliance were seldom seen, causing many organizations to assume that HIPAA compliance was discretionary. But recently, several organizations have received more than a slap on the wrist in the form of hefty HIPAA-related fines for bad practices, causing many healthcare organizations to rethink their lagging efforts in implementing and enforcing HIPAA policies. This section of SearchSecurity.com's HIPAA compliance manual will discuss how to tackle the main components needed to achieve HIPAA compliance and offer insight into how to get prepared for an audit.
Appointing a HIPAA management consultant team
One of the first steps in becoming compliant with HIPAA is to delegate the responsibility of managing and enforcing compliance policies and procedures to a specific person or group of persons, depending on the size of the organization. The responsibility of educating staff, handling data, enforcing policies, answering questions and leading corporate efforts needs to be assigned to staff members to avoid confusion and keep things organized. It is important for all employees to be aware of what the HIPAA regulations and policies are, how and why the organization needs to become compliant and what the potential penalties and fines are for non-compliance.
This management person or persons will also act as a liaison among business and IT management, employees, HR and the legal department, getting all departments on the same page in terms of compliance and verifying that every department is doing its part to establish a HIPAA-friendly environment.
HIPAA employee awareness compliance training
All organizations affected by HIPAA should ask employees to undergo some form of HIPAA training to make sure the rules and regulations are clear and everyone is on the same page. The training sessions should clearly identify what constitutes sensitive patient information, how it should be protected and who is allowed to access that information. This will avoid an incident down the road in which an employee claims that he or she was unaware that, let's say, a patient's Social Security number or name is considered "sensitive" data.
Restricting and monitoring employee access
Administering access controls and data-handling policies are essential parts of any good compliance program. Access to sensitive materials should be restricted to only those who absolutely need it, and their access should be monitored frequently and updated as needed. If an employee is terminated or changes positions, update access controls accordingly to avoid giving the wrong people expansive privileges.
There are several identity and access management (IAM) tools available on the market with reporting and auditing capabilities that can assist with user provisioning and with managing and controlling who has access to what.
System monitoring is an important part of system and data access as well as a HIPAA requirement. Being diligent with monitoring efforts will ensure that only the right people are accessing information and that, if information is moved, it is moved to a secure location. System monitoring software should be implemented and the logged information should be examined on a regular basis to spot a potential problem and take the proper precautions before a breach occurs.
Encryption, data protection and data handling policies
Implementing a variety of data loss prevention (DLP) technologies and data handling policies is a good idea when trying to get compliant.
Organizations must also have some sort of data classification policy in place that will identify different types of data based on privacy and security demands. Information should be classified depending on its location, type, how sensitive it is to risk, and what storage, transmission or other security measures are currently in place to protect it.
Your data classification policy should determine what information needs advanced security measures, such as encryption or written permission for data sharing. If certain data is extremely sensitive, more advanced security measures should be taken to ensure its protection. For example, if patient data is compromised or lost, having implemented encryption would add another layer of security that the attacker would have to bypass to make use of the data. There should also be a data-sharing policy in place for especially sensitive data. If an employee wants or needs to share data with another party, written permission should be required, lessening the likelihood of unnecessary or malicious information sharing.
HIPAA audit checklist: How to get prepared for a HIPAA compliance audit
Now that it has been made abundantly clear that HIPAA compliance is mandatory and that organizations that fail to comply risk violations and fines, such as CVS Caremark Corp.'s recent $2.25 million HIPAA settlement, corporations should be more concentrated than ever before on satisfying auditors and learning how to properly prepare for a HIPAA compliance audit. In this section of SearchSecurity.com's HIPAA compliance manual, you will learn the proper precautions to take before an auditor knocks on your door.
- Planning for a HIPAA compliance audit: Keeping staff informed
It's important to let employees know that an auditor will be making a visit. Work with the staff to review security policies and business processes so that all are on the same page and prepared to answer questions. Review in advance what questions the auditor will ask and what documentation he or she will want to see. Some areas that should be discussed include data handling and data classification policies, implemented data loss prevention technologies, risk assessments and security awareness training. If there are any projects in the works, they should be discussed as well -- it should never seem like certain members of the organization are unaware of company policies or compliance projects.
- HIPAA policies, plans and procedures documentation
After preparing employees for the HIPAA compliance audit, the next step is having all that information ready and on hand. You should be able to present documentation on your corporation's current security policies, future security plans, risk assessments, data handling, disaster recovery and DLP technology.
Telling an auditor about your compliance efforts and showing an auditor your compliance efforts are two very different things; he/she most likely prefers the latter.
- HIPAA audit findings: Be cooperative and stay calm
It is best to try to be as cooperative as possible when dealing with a HIPAA compliance auditor. Provide as much material and information as you can, in addition to anything they inquire about. It is in your best interest to foster an open line of communication so the auditor can be as helpful as possible -- in short, working together, rather than against each other.
When the auditor finishes the review and returns with his or her conclusions, which will most likely be a mixed bag, try to stay calm. Examine the findings carefully and compare them with the organization's documentation to ensure there were no mistakes made; just because an auditor presents something doesn't mean the findings are correct, so be sure to check every detail.
If an auditor's conclusions are right and they do highlight a problem area, then you should examine your systems to see how the problem has been affecting security, discuss possible reasons for the misstep, and determine how to fix and prevent any issues as soon as possible in a professional, cooperative manner.
This was first published in April 2009