What are three major things addressed in the HIPAA law?
Within the HIPAA Security Rule guidelines, there are three major categories that address security measures for ePHI, and these tend to be very relevant for IT professionals. The following HIPAA compliance checklist goes through those three categories. MSPs should be sure to understand and address each of the standards within them:
1) Administrative
These are the policies and procedures that an organization should have in place to help protect against an ePHI breach. With the right administrative safeguards in place, the other requirements—physical and technical—can be implemented consistently and correctly. It’s crucial to have well-defined administrative actions to help manage, develop, implement, and maintain an overall security strategy. When it comes to administrative standards, there’s a long list that the organization should consider:
- Security Management Process: This standard is about risk management and analysis. Organizations should review their current procedures for preventing and correcting violations and have a plan in place that follows these basic policies and procedures.
- Assigned Security Responsibility: A security official should be designated to create and implement policies designed to protect ePHI.
- Workforce Security: This section is about how to help ensure employees have the right levels of access to ePHI in order to do their jobs. That includes determining appropriate employee authorizations, and deactivating access upon employee termination.
- Information Access Management: This standard emphasizes that access to ePHI should be restricted, to limit employees having unnecessary or inappropriate access to health information.
- Security Awareness and Training: These standards apply both to IT admins and other employees. There should be proper access controls in place, like effective password policies, and employees should be aware of common threats or mistakes around data security.
- Security Incident Procedures: Organizations should consider what kinds of security incidents might occur and have policies in place to clarify how such incidents should be handled and reported. Security incidents include attempted or successful unauthorized activities, like data access, modification, or other interference.
- Contingency Plan: In case of a catastrophic data loss, or a disaster like power outage, flood, or fire, the organization shouldn’t be caught short. There should already be a plan in place around backups and recovery, with clarity around acceptable RTO (recovery time objective) and RPO (recovery point objective).
- Evaluation: It’s not enough just to have these policies in place. Organizations must also ensure that they have ongoing monitoring around these policies so they can adjust to changes in operations or environment.
- Business Associate Contracts: This standard relates to organizations with agreements or contracts with vendors who create, maintain, or transmit ePHI on their behalf. Essentially, there must be a contract in place that meets HIPAA standards. Obviously, if an MSP is transferring ePHI, it should be aware of this requirement.
2) Technical
Technical safeguards are the policies and procedures that guide the use of technology, especially access controls, for ePHI. For organizations covered by HIPAA, it’s imperative that they use appropriate IT security measures designed to protect data, whether at rest, in transit, or in use. Those standards may well vary depending on the organization—smaller healthcare organizations might not need as many robust tools as a larger entity with more complicated operations. HHS requires entities to balance risks, costs, complexity, and general capabilities when choosing and implementing the most appropriate measures.
- Access Control: This standard requires that protections are in place to allow access to ePHI for authorized users or software. Users should be assigned unique identifiers, and control procedures should be implemented through appropriate hardware or software. IT should also monitor access for new or terminated accounts.
- Audit Controls: To help demonstrate compliance, IT should implement hardware, software, and relevant procedures that can record and examine activity around ePHI. The resulting audit data trail can help the organization prove they are generally compliant with HIPAA regulations.
- Integrity: To help prevent ePHI from being altered or destroyed improperly, MSPs should have a clear understanding of who is authorized to access the data, and in what ways unauthorized actors could modify the data. Essentially, that could call for threat protection, log management, and other appropriate measures.
- Person or Entity Authentication: This standard calls specifically for measures that help ensure the user seeking to access ePHI is in fact the correct user; following best practices for access-control measures is helpful to meet this requirement.
- Transmission Security: It’s also crucial to protect data as it’s being transmitted. MSPs will have to identify potential vulnerabilities based on how the data is typically used and determine sufficient safeguards designed to protect in-transit data. In many cases, some form of encryption is a feasible and smart choice.
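The Access Control and Audit Controls standards above (unique identifiers, deactivating terminated accounts, restricting access by role, and recording and examining activity around ePHI) are the kind of thing that can be checked mechanically once an audit trail exists. The following is an added example, not code from the original article or from any product: it reviews a small, constructed ePHI access log against a constructed account roster and role table, and reports accesses that an auditor would want explained. The log format, account names, roles and record types are all assumptions made for the example.

```python
"""Added example: review an ePHI access audit trail for the kinds of
problems the HIPAA Access Control and Audit Controls standards target.

Illustrative code only; the log format, roster and role table below are
constructed assumptions, not any real system's data or API.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster: user id -> (role, termination date or None).
# A termination date means the account should have been deactivated that day.
ACCOUNTS = {
    "jdoe":     ("clinician", None),
    "mlee":     ("billing",   None),
    "rsmith":   ("clinician", date(2024, 3, 15)),   # terminated employee
    "shared01": ("clinician", None),               # generic/shared login
}

# Constructed policy: which record types each role is authorized to access
# (Information Access Management / minimum necessary).
ROLE_PERMITS = {
    "clinician": {"chart", "lab"},
    "billing":   {"claim"},
}

# Identifier prefixes that indicate a login not attributable to one person.
SHARED_PREFIXES = ("shared", "generic")


@dataclass
class Finding:
    line_no: int
    user: str
    issue: str


def parse_line(line: str):
    """Parse a constructed 'timestamp,user,action,record_type,record_id' line."""
    ts, user, action, rtype, rid = [f.strip() for f in line.split(",")]
    return datetime.fromisoformat(ts), user, action, rtype, rid


def review_audit_trail(lines):
    """Return a list of Findings for log lines that need an auditor's attention."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ts, user, action, rtype, rid = parse_line(line)
        acct = ACCOUNTS.get(user)
        if acct is None:
            # Activity under an identifier the roster does not know about.
            findings.append(Finding(n, user, "unknown identifier"))
            continue
        role, term = acct
        if user.startswith(SHARED_PREFIXES):
            findings.append(Finding(n, user, "shared identifier: not attributable to one person"))
        if term is not None and ts.date() >= term:
            findings.append(Finding(n, user, f"access after termination on {term.isoformat()}"))
        if rtype not in ROLE_PERMITS.get(role, set()):
            findings.append(Finding(n, user, f"role '{role}' not authorized for '{rtype}' records"))
    return findings


# Constructed sample log: one clean day of activity plus four problem lines.
SAMPLE_LOG = """\
2024-03-14T09:02:11,jdoe,read,chart,P-1001
2024-03-14T09:05:40,mlee,read,claim,C-7781
2024-03-16T22:41:03,rsmith,read,chart,P-1002
2024-03-17T08:12:55,shared01,update,lab,L-5540
2024-03-17T10:30:00,mlee,read,chart,P-1003
2024-03-18T11:00:00,ghost,read,chart,P-1004
"""

if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.user}: {f.issue}")
```

Run as-is it reports four lines: a read by a terminated account, a shared login, a billing user reading a clinical chart, and an identifier that is not on the roster. In practice the roster and role table would come from the identity system and the log from whatever records ePHI access, but the checks are the same ones the Access Control and Audit Controls standards ask for, and keeping their output is exactly the kind of record that helps demonstrate compliance.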
3) Physical
Physical safeguards have less to do with hardware and software, and more to do with the environment around IT equipment. Since MSPs may be required to be compliant as well, they should be sure to understand their responsibilities, both for their own physical equipment and potentially for their customer’s equipment.
- Facility Access Controls: This standard calls for organizations to limit access to facilities in which ePHI is housed. This applies to data centers, equipment locations, IT offices, and the location of workstations—though of course, the specifics will look different for different entities, especially when partnered with an MSP. This could mean anything from locks on doors to security cameras and ID badges. And yes, covered entities are allowed to use cloud computing, as long as proper protections are in place.
- Workstation Use and Security: When it comes to HIPAA compliance, organizations are tasked with ensuring that workstations and devices, and their physical surroundings, are assessed for any risks. That may include assigning unique roles for certain workstations, depending on potential security violations. Workstations may need physical safeguards, like locked doors or guards, and employees may need to be trained on access procedures.
- Device and Media Controls: Devices have only become more mobile and widespread, making it crucial that organizations consider this standard carefully. This applies to hardware and electronic media containing ePHI, and its movement into, out of, and within a facility. That could relate to disposing of equipment, removing ePHI from devices, keeping track of all relevant devices, and ensuring appropriate data backups before physically moving storage files.
What does it mean to be in compliance with HIPAA?
Being HIPAA compliant ultimately requires protecting patient data. That requires balancing expense with risk, depending on the size and scope of the business. Remember that if a breach occurs and you are found to have overlooked or disregarded one of the above measures, especially if that disregard was willful, you could be subject to greater penalties. It’s to your advantage to make a good faith effort to comply with the regulation.
HIPAA compliance is also crucial when the worst happens. If a breach does occur, and you are processing ePHI, you will have to comply with the notice requirements, which may include notifying your client within 60 days of a data breach discovery.
Be aware that pleading ignorance of HIPAA regulations is not considered a justifiable defense. The Office for Civil Rights of the Department of Health and Human Services may still issue fines if they find you to be noncompliant, whether or not the violation was willful. In addition, you may be subject to criminal charges and a civil action lawsuit in the case of a breach.
In this context, it’s to your benefit to keep good records. Use monitoring and management software with robust event logs and reporting functions to help you recognize if data is at risk. In fact, choosing the right software can be a cost-effective way to address many of the security tasks around compliance, like access control, encryption, and threat detection. There are many HIPAA-covered businesses out there that need good MSPs, and you could add real value to your practice by learning more about HIPAA compliance requirements.
Learn about other compliance considerations from our blog and help ensure your business is following industry standards.