The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. Unprotected health information can be a tempting target for hackers and other data thieves as illustrated by the recent data attacks on Anthem, one of the largest health insurers in the US.
In 2003, the U.S. Department of Health and Human Services (HHS) finalized its HIPAA security rule to provide organizations with “administrative, physical and technical guidelines” to safeguard protected health information (PHI). The Privacy Rule addresses the use and disclosure of individuals’ health information by organizations subject to the Rule, called “covered entities.” Within HHS, the Office for Civil Rights (OCR) has the responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties, ranging from $100 to as much as $1.5 million. The law also allows for criminal penalties of up to 10 years in prison for HIPAA privacy violations.
With so much at stake, many large medical and health enterprises, particularly those with their own IT departments have dedicated HIPAA specialists whose primary task is to guard against any kind of HIPAA non-compliance. Some smaller businesses, especially medical practices, without a resident IT HIPAA specialist are partnering with a trusted Managed Services Provider (MSP) to ensure HIPAA compliance. HIPAA compliance requires a concentrated team effort and attention to detail.
Here are five essential best practices for HIPAA compliance:
- Perform a Protected Health Information Inventory
- Evaluate Your Security Policies
- Conduct a Risk Analysis
- Plan for Contingencies
- Have an Incident Response Policy and a Disaster Recovery Plan
Read on to learn more about how you can implement each of these compliance best practices.
1. Perform a Protected Health Information Inventory
Do a discovery of every type of PHI that your enterprise possesses, both paper and digital. For each type of PHI, document its lifecycle through your organization, including the who/what/where/when/why/how details for the following lifecycle stages:
When you're creating your PHI inventory, take time to work through the entire lifecycle for each type of PHI and document all related aspects. Consider any existing systems that may be in place to collect, protect, store, and/or destroy PHI.
Conduct short interviews with all stakeholders within your business who have access to PHI. In their own words, have them to walk you through the PHI lifecycle, or the portion(s) of the lifecycle in which they participate. Find out how and where documents are stored: physically on-site, physically off-site, and/or electronically in one or more systems.
This will help identify any potential security risks where data leaks could occur. It may also help identify opportunities to create efficiencies and standardize the way different individuals and departments within your organization handle sensitive data.
2. Evaluate Your Security Policies
Begin with your organization’s overall data security policy. Clearly identify employees and classes of employees who will have access to PHI. Restrict PHI access to only those employees who need it to complete their job function. Designate a Privacy Officer with responsibility for developing and implementing HIPAA security policies, and document all security controls. In addition to access authorization, security procedures must be established for modification of PHI, as well as a termination procedure.
3. Conduct a Risk Analysis
Take a realistic, objective look at the potential costs and damages that could result from HIPAA noncompliance through a data breach. Here is where in-depth evaluation of PHI data assets identified during the inventory and security review take place. Physical safeguards need to be implemented that control access to and monitor all hardware and software containing PHI. If you already have remote monitoring systems in place from an MSP like Meridian, the monitoring component of this should already be covered.
Also establish a policy for the proper disposal of said equipment when it is retired. All the safeguards and monitoring in the world can't help you if hardware containing PHI ends up in the wrong hands due to improper procedures for sanitizing and disposing of hardware.
Have a policy establishing criteria for proper workstation use and location to shield monitors containing PHI from unauthorized viewing. For example, at Meridian, our HR department who handles employee PHI, uses many security protocols, including the following:
4. Plan for Contingencies
Knowing what assets you have to protect, establishing a security policy and doing risk analysis will hopefully prepare you for new situations as they arise. Emerging technologies such as texting and the use of social media in the workplace continue to present new challenges to HIPAA compliance.
Conduct regular internal audits to review operations with goal of identifying potential security violations. Carefully record and document these audits for any future OCR review.
5. Have an Incident Response Policy and a Disaster Recovery Plan
Keep a detailed log of any breaches. Have a designated incident response team, the roles they play and outline when and how to respond after a security incident.
Remember, covered entities who outsource some of their business processes to a third party must ensure that they also have a framework in place for HIPAA compliance.
Gone are the days when compliance with HIPAA regulations mainly concerned those in healthcare and medical fields. In today's interconnected world, it's essential that all business leaders be well-informed of regulatory requirements and compliance issues, and how they relate to their business. Your CIO or VCIO should build out and maintain a customized technology road map for your business, including any applicable considerations necessary to maintain compliance with regulatory requirements.