Whether you’re a healthcare provider or a third-party contractor storing protected health information (PHI), you likely wrestle with HIPAA compliance. HIPAA is one of the stricter compliance regulations, and it’s difficult to navigate with all of its exceptions and added obligations that depend on the nature of your business. Most businesses need a third-party consultant to help navigate HIPAA regulations, but we’ve created a checklist to help you get started. We’ve also broken down the “three rules of HIPAA,” which are general guidelines that give you direction on how to protect PHI and other critical data.
The Three Primary HIPAA Rules
Before we get into a checklist, let’s first cover the three primary HIPAA rules. These three rules give you an overview of how HIPAA works and help you understand compliance at every step. Remember that HIPAA mainly focuses on PHI to protect patients from losing data to a malicious third party and becoming victims of identity theft. Each rule focuses on safeguarding this data.
The Privacy Rule - Patient Data Must Stay Confidential
PHI includes 18 different identifiers.¹ Identifiers range from names to medical history and social security numbers. As an organization, you must aim to keep this data private and only allow the patient and authorized users to access it. HIPAA sets limitations on PHI usage, gives patients rights to access their health data, and requires organizations to implement the right security on PHI.
This rule also defines covered entities, which are the organizations responsible for HIPAA compliance.² The privacy rule also covers scenarios where an organization can share PHI. For example, data could be shared for specific legal purposes or for public health concerns.
The Security Rule - Safeguards for PHI
Virtual threats seek out electronic PHI and aim to steal it from your network. The HIPAA security rule oversees virtual safeguards protecting patient data. Any time patient data is retrieved, stored, or sent to an authorized recipient, the HIPAA security rule details methods to safeguard the data.
The right security rules aren’t always the most convenient for users, but they’re essential for data protection. For example, it’s easier to skip encryption of stored data, but encryption is what protects patient data should an employee’s laptop be stolen. HIPAA regulations require organizations to take “reasonable” steps to protect data, which gives them the ability to determine the right framework for security. But the choices you make to safeguard data must be made carefully to ensure that any cybersecurity infrastructure and data loss prevention controls are configured and implemented correctly.
In addition to adding layers of security on your network environment, any employee or contractor with access to ePHI must also be trained to recognize threats – particularly social engineering and phishing attacks. Security awareness training is essential for any organization to stay HIPAA compliant and reduces risk from these types of threats.
Safeguards are categorized as technical and physical. Administrative safeguards are also necessary; they cover employee compliance training and data-management training. Employees need training on handling sensitive information, and IT staff must deploy the right virtual and physical security to protect data.
Technical security includes:
- Access controls: Users should not have full permissions to all data. Instead, they should only have access to data they need to perform their job functions.
- Auditing: Every access request, successful or failed, should be logged, with an audit trail available for review. Any changes to data should also be documented.
- Encryption: Data at-rest and data in-transit should be encrypted.
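To show how the access-control and auditing safeguards above fit together in code, here is an added example (ours, not part of the original article): a small in-memory PHI store where each role may read only the fields its job needs, every request is logged whether it is granted or denied, and every change to a record is logged with the old and new values. The roles, field names, patient record and policy are constructed assumptions for illustration; a real deployment would back the audit log with append-only storage and encrypt the record store at rest.

```python
"""Minimum-necessary access control with an audit trail (added example)."""
import json
from datetime import datetime, timezone

# Hypothetical role-to-field policy: which PHI fields each role may touch.
# Anything not listed is denied (default deny). For simplicity this toy uses
# the same policy for reads and updates.
FIELD_POLICY = {
    "physician":  {"name", "dob", "diagnosis", "medications"},
    "billing":    {"name", "dob", "ssn", "insurance_id"},
    "front_desk": {"name", "dob"},
}

# Constructed sample record with fictitious data.
RECORDS = {
    "p-1001": {"name": "Pat Example", "dob": "1970-01-01", "ssn": "000-00-0000",
               "diagnosis": "hypertension", "medications": ["lisinopril"],
               "insurance_id": "INS-12345"},
}

AUDIT_LOG = []  # list of dicts; production systems use append-only storage


def _audit(event):
    """Append one audit record. Every code path logs, granted or denied."""
    event["ts"] = datetime.now(timezone.utc).isoformat()
    AUDIT_LOG.append(event)


def read_phi(user, role, patient_id, fields):
    """Return only the requested fields the role is allowed to see.

    If any requested field is outside the role's policy the whole request is
    denied (after logging), so a denied request never leaks partial data.
    """
    allowed = FIELD_POLICY.get(role, set())
    requested = set(fields)
    denied = requested - allowed
    if denied:
        _audit({"user": user, "role": role, "patient": patient_id,
                "action": "read", "fields": sorted(requested),
                "result": "denied", "reason": f"not permitted: {sorted(denied)}"})
        raise PermissionError(f"{role} may not read {sorted(denied)}")
    record = RECORDS[patient_id]
    _audit({"user": user, "role": role, "patient": patient_id,
            "action": "read", "fields": sorted(requested), "result": "granted"})
    return {f: record[f] for f in fields}


def update_phi(user, role, patient_id, field, new_value):
    """Change one field and log the before/after values for the audit trail."""
    if field not in FIELD_POLICY.get(role, set()):
        _audit({"user": user, "role": role, "patient": patient_id,
                "action": "update", "fields": [field], "result": "denied"})
        raise PermissionError(f"{role} may not update {field}")
    old = RECORDS[patient_id].get(field)
    RECORDS[patient_id][field] = new_value
    _audit({"user": user, "role": role, "patient": patient_id,
            "action": "update", "fields": [field], "result": "granted",
            "old": old, "new": new_value})
    return old


def audit_trail_json():
    """Export the audit log as JSON lines, the form a reviewer or SIEM ingests."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in AUDIT_LOG)


if __name__ == "__main__":
    print(read_phi("alice", "front_desk", "p-1001", ["name", "dob"]))
    try:
        read_phi("alice", "front_desk", "p-1001", ["ssn"])
    except PermissionError as exc:
        print("denied:", exc)
    update_phi("bob", "physician", "p-1001", "diagnosis", "controlled hypertension")
    print(audit_trail_json())
```

The point of the design is that the denial path and the success path both write to the same log before returning, so the audit trail reflects attempts rather than only outcomes, which is what you need later when determining who was affected by a breach.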
Physical security includes:
- Door security and access controls: Any office rooms containing infrastructure or workstations should be secured at the entranceway doors, likely with security access cards.
- Workstation security: Shoulder surfing is an issue with open screens on workstations around the office, so they must be locked when users walk away from their computer and hidden from visitor view.
- Disposal policies: Data stored on hardware must be destroyed before discarding the hardware.
Breach Notification Rule – Notifying Patients After a Breach
No safeguards are ever 100% risk-free. Whether it’s an employee improperly using patient data or cyber-criminals breaching the network environment, your organization must report the breach within 60 days. The following notifications are required:
- Individuals: Using your audit trail from the technical safeguards, you must determine all impacted individuals and notify them of the data breach. The notification must include information about the breach and the steps impacted individuals can take to protect themselves.
- Media: Write and publish a press release notifying the media about the breach if more than 500 individuals are impacted.
- Secretary of Health and Human Services: If fewer than 500 individuals are impacted, you must notify the Secretary within 60 days of the end of the calendar year. If it’s more than 500 individuals, notify the Secretary within 60 days of discovery.
A Few General Checklist Guidelines
The three primary HIPAA rules define general steps for data security, but HIPAA also offers a few guidelines to help you get started on ensuring that your business is compliant. Here are a few checklist items that help you review infrastructure, procedures, policies, employee training, and other aspects of your business that could leave it open to a data breach.
Audit Data to Find Sensitive Data
Some healthcare data requires additional access controls and added layers of security. For example, protecting a patient’s name and email address is important, but their social security number and health status are much more critical. You need added controls on this type of data, but first you need to audit your infrastructure and determine where it’s stored, retrieved, and collected. Don’t forget physical storage such as paper healthcare records and imaging. Hardcopy paperwork containing sensitive data should also be safeguarded.
Perform a Risk Assessment
You probably have specific access policies and rules in place, but they might not adhere to HIPAA requirements. Every procedure, both physical and virtual, that works with PHI should be reviewed and aligned with HIPAA regulations. For most organizations, a third-party consultant is necessary for this step. You need someone familiar with HIPAA regulations who also understands how to identify risks. Without the right consultant, you could have oversights or misunderstand potential risks.
Monitor Data Access Requests and Create Alerts
HIPAA requires constant monitoring and auditing of data. This means that specific tools must be in place that trigger alerts on any suspicious activity and access requests on sensitive data. One step in this process is determining the staff member responsible for receiving alerts. It could be more than one staff member, but anyone accountable for monitoring and alerts should understand potential threats and the next steps to contain and report them.
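As an added example of what “trigger alerts on suspicious activity” can look like in practice (our code, not the article’s or any vendor’s), the block below runs three detection rules over audit-log lines of the kind an access-control layer emits: repeated denials by one user, access to sensitive fields outside business hours, and one user reading an unusually large number of distinct patients. The log lines are constructed, and the thresholds, field names and business-hours window are assumptions chosen for illustration rather than values HIPAA prescribes.

```python
"""Alert rules over a PHI access audit trail (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sample audit log: one JSON object per line, fictitious users/patients.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:01Z", "user": "dana", "role": "front_desk", "patient": "p-1001", "action": "read", "fields": ["name"], "result": "granted"}
{"ts": "2024-03-01T08:00:05Z", "user": "dana", "role": "front_desk", "patient": "p-1002", "action": "read", "fields": ["ssn"], "result": "denied"}
{"ts": "2024-03-01T08:00:09Z", "user": "dana", "role": "front_desk", "patient": "p-1003", "action": "read", "fields": ["ssn"], "result": "denied"}
{"ts": "2024-03-01T08:00:12Z", "user": "dana", "role": "front_desk", "patient": "p-1004", "action": "read", "fields": ["ssn"], "result": "denied"}
{"ts": "2024-03-01T02:15:00Z", "user": "eve", "role": "billing", "patient": "p-2001", "action": "read", "fields": ["ssn"], "result": "granted"}
{"ts": "2024-03-01T09:00:00Z", "user": "lee", "role": "physician", "patient": "p-3001", "action": "read", "fields": ["diagnosis"], "result": "granted"}
{"ts": "2024-03-01T09:01:00Z", "user": "lee", "role": "physician", "patient": "p-3002", "action": "read", "fields": ["diagnosis"], "result": "granted"}
{"ts": "2024-03-01T09:02:00Z", "user": "lee", "role": "physician", "patient": "p-3003", "action": "read", "fields": ["diagnosis"], "result": "granted"}
{"ts": "2024-03-01T09:03:00Z", "user": "lee", "role": "physician", "patient": "p-3004", "action": "read", "fields": ["diagnosis"], "result": "granted"}
{"ts": "2024-03-01T09:04:00Z", "user": "lee", "role": "physician", "patient": "p-3005", "action": "read", "fields": ["diagnosis"], "result": "granted"}
"""

# Assumed tuning values; a real deployment baselines these per role and workload.
SENSITIVE_FIELDS = {"ssn", "diagnosis", "medications"}
DENIAL_THRESHOLD = 3            # 3+ denied requests by one user
BULK_THRESHOLD = 5              # 5+ distinct patients read by one user
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC counts as normal hours

# Hypothetical routing: which team owns each alert type (the "responsible
# staff member" the article calls for).
ALERT_OWNER = {
    "repeated_denials": "security-ops",
    "after_hours_sensitive_access": "privacy-officer",
    "bulk_record_access": "privacy-officer",
}


def parse_audit_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_alerts(events):
    """Return a list of (rule, user, owner, detail) tuples for the three rules."""
    alerts = []
    denials = Counter()
    patients_seen = defaultdict(set)
    for e in events:
        if e["result"] == "denied":
            denials[e["user"]] += 1
            continue
        patients_seen[e["user"]].add(e["patient"])
        hour = int(e["ts"][11:13])  # timestamps are ISO-8601 UTC
        if hour not in BUSINESS_HOURS and SENSITIVE_FIELDS & set(e["fields"]):
            rule = "after_hours_sensitive_access"
            alerts.append((rule, e["user"], ALERT_OWNER[rule],
                           f"{e['ts']} {e['patient']} {e['fields']}"))
    for user, n in denials.items():
        if n >= DENIAL_THRESHOLD:
            rule = "repeated_denials"
            alerts.append((rule, user, ALERT_OWNER[rule], f"{n} denied requests"))
    for user, pts in patients_seen.items():
        if len(pts) >= BULK_THRESHOLD:
            rule = "bulk_record_access"
            alerts.append((rule, user, ALERT_OWNER[rule],
                           f"{len(pts)} distinct patients"))
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(parse_audit_log(SAMPLE_LOG)):
        print(alert)
```

Each alert carries the owning team so that it can be routed rather than just logged; the rules themselves are deliberately simple so that the people receiving the alerts can explain why each one fired when they decide whether it needs containment and reporting.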
Revise Policies Out of Compliance
Any policies that aren’t HIPAA compliant must change, so be prepared to change procedures and employee workflows to align with regulatory standards. After a risk assessment and review of current data access policies, several departments might need to adapt to the way they work with PHI.
Document Policies and Procedures
Should you ever get audited, the auditor will review documentation of policies and procedures. Every security and privacy policy must be documented for compliance, but it also helps future staff members understand why your organization has set policies in place. Documented changes are also beneficial for onboarding new staff members and training.
How Access Point Can Help
Knowing the HIPAA rules well enough to assess your policies and audit your current security controls takes the work of an experienced professional. One misstep and you could be fined millions in penalties and destroy your brand reputation. Having the wrong framework implemented could also give you a false sense of security.
Access Point’s advisory services team is on hand to provide audit support. Meet with a subject matter expert today to see how Access Point can help you get started with HIPAA compliance.
Sources
¹ https://cphs.berkeley.edu/hipaa/hipaa18.html
² https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html#:~:text=Who%20Must%20Follow%20These%20Laws,such%20as%20Medicare%20and%20Medicaid