Spelling out HIPAA Compliance in the Realm of Information Security
Most people have heard of HIPAA (the Health Insurance Portability and Accountability Act) and tend to associate it with protected health information (PHI) in a hospital or doctor’s office. While protecting the confidentiality and integrity of patient data is critical in a clinical setting, HIPAA compliance encompasses a broad set of regulations that reach well beyond healthcare providers to organizations across many industries and verticals. Given the multiple facets of the regulations, many organizations handling sensitive healthcare data are left wondering how to become HIPAA compliant. For information security purposes, the mandates come down to two key rules: the Privacy Rule and the Security Rule.
Where information technology and security are concerned, HIPAA compliance is based on the Security Rule. As defined by the U.S. Department of Health & Human Services, “The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.”1
In essence, the Privacy Rule governs how a patient’s PHI may be used and disclosed, and the Security Rule requires administrative, physical and technical safeguards for PHI that is created, received, maintained or transmitted electronically (ePHI). Here is the catch: HIPAA, and specifically the Security Rule, applies not just to hospitals and doctor’s offices but to every covered entity (health plans, healthcare clearinghouses and providers that transmit health information electronically) and to every business associate that handles PHI on a covered entity’s behalf. If you store, transmit or process PHI for a covered entity, you are responsible for HIPAA compliance, period.2
If your organization commits a HIPAA violation, the consequences are serious, including sizable fines and loss of business. Further, while efforts made to ensure that your critical systems and data are HIPAA compliant are important for regulatory purposes, preventing a breach or misuse of data is critical to the well-being of your organization at large. Few businesses can afford the reputation damage a breach gone public can cause.
Steps to Realizing a HIPAA Compliant Future State
If your organization handles healthcare data and already runs IT systems in the cloud, or is planning a move to the cloud, knowing how to become HIPAA compliant is non-negotiable. A good place to start is an execution list for moving toward a HIPAA-compliant future state. A reputable cloud services provider (CSP) that can support HIPAA compliance will be a valuable ally.
A quick list worth considering:
- Assess where you are now.
Conduct a risk assessment; the Security Rule explicitly requires a formal risk analysis. Start by creating a data inventory: where PHI is created, received, stored and transmitted, on which systems, and who has access to it.
- Establish an incident response plan.
Develop a data breach response plan and have an incident response team ready to enact it.
- Know your compliance requirements.
A key component of your security plan should be HIPAA/HITECH compliance. Whether you are classified as a covered entity or as a business associate, are you in compliance with the requirements HIPAA stipulates for your role?
- Remember that CSPs are business associates too.
CSPs have generally been treated as business associates, and the HIPAA Omnibus Rule makes it explicit: they are business associates and are directly liable for complying with the HIPAA standards that apply to business associates. Make sure any CSP that will store, process or transmit your PHI signs a business associate agreement (BAA) before any PHI reaches its systems, and ask how the CSP handles data security and privacy. Note that a CSP storing only encrypted ePHI, even without the decryption key, is still a business associate and still needs a BAA.
- Put thought into your mobile device and BYOD policies.
Another key consideration for your security plan is your policy for mobile device usage and BYOD. PHI can travel on smartphones, laptops, tablets and other mobile devices used by healthcare employees, contractors, vendors and others, and those devices are subject to theft, loss and hacking. At a minimum, require device encryption, screen locks and the ability to remotely wipe a lost device; a lost device whose PHI is properly encrypted does not hold “unsecured” PHI under the breach notification rules.
- Invest in a cyber insurance policy.
Consider purchasing cyber insurance. Review the insurance plan carefully before purchasing. Policies can be either stand-alone or an addendum or endorsement to an existing policy.2
A further consideration is knowing where your organization’s responsibilities begin and end under HIPAA, which depends on whether you host your critical infrastructure internally or in the cloud. If you use a CSP, be sure you fully understand 1) what your organization must do to be HIPAA compliant and 2) which controls your team, rather than the CSP, is responsible for. Signing a BAA allocates responsibilities between you and the CSP; it does not transfer your own obligations as a covered entity or business associate. Not all CSPs offer the same thing when they advertise a HIPAA-compliant cloud, so compare what each one actually covers.
Given the rate at which technology changes, HIPAA compliance is an ongoing effort shared between your organization and your CSP, not a one-time project. A viable option for keeping all policies and procedures covered on an ongoing basis is working with a cloud provider that offers professional consulting services around the HIPAA mandates. A knowledgeable partner will be able to spell out to your IT team which controls you are responsible for and which it will take care of on your behalf.
Becoming and Remaining HIPAA Compliant
Whatever methodology you use to achieve HIPAA compliance, it must include a strategy for remaining in compliance so that you stay audit-ready.
In fact, the top two vital considerations for becoming and remaining HIPAA compliant are:
- Working with a trusted IT partner that has a proven, long track record of helping organizations achieve and maintain compliance.
- Finding a trusted auditor to engage with early and often.
Do not go down one path without the other.
Once you have solidified your HIPAA compliance strategy, particularly when working with a CSP, make sure your team keeps all involved parties informed and in communication, so that the solution you develop protects your organization today and in the future.