March 2, 2016
7 Critical Points about HIPAA Security
The process to comply with HIPAA might seem overwhelming. Keep in mind that most organizations do not become compliant overnight; it is a process that takes time and effort, and each safeguard you implement brings you one step closer. Here are 7 crucial points on HIPAA security:

1. HIPAA is not optional - Many organizations feel they are exempt from the HIPAA regulations. This may stem from the fact that small health plans were granted a one-year extension to comply with the HIPAA Security Rule (the compliance date was April 20, 2005 for most covered entities and April 20, 2006 for small health plans). If you are a covered entity (a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically), the HIPAA regulations apply to your practice or organization and MUST be implemented. Until recently, a contractor or business associate of a covered entity was only indirectly bound by the Security Rule: covered entities had to sign business associate agreements that contractually required the associate to protect patient information. That changed with the HIPAA Omnibus Final Rule, released in January 2013, which makes business associates, and their subcontractors, directly liable for compliance with the HIPAA Security Rule.

2. Iterative HIPAA risk management process - At the core of HIPAA security is a process called risk management. It sounds more confusing than it actually is. What is risk management?
Step A – Identify how you are currently protecting patient information and where that protection is weak.
Step B – Implement additional security safeguards to better protect patient information.
Step C – Go back to Step A.
This is an oversimplified definition of risk management, but it illustrates the key point: the process never finishes. Repeat it on a regular schedule, and again whenever your environment changes (new systems, new vendors, new ways of storing or transmitting ePHI).

3. You must perform a risk assessment - The HIPAA Security Rule (which calls it a "risk analysis", 45 CFR 164.308(a)(1)(ii)(A)) and the HIPAA Omnibus Final Rule mandate that all covered entities and business associates perform a risk assessment. The assessment determines how electronic protected health information (ePHI) is currently protected and recommends additional safeguards. A risk assessment is the foundation of the HIPAA Security Rule. By performing one, an organization is forced to analyze where ePHI is created, received, stored and transmitted and how it is currently protected. The output provides valuable insight into the threats and vulnerabilities to ePHI and how it can be better protected. If an organization is audited by the Department of Health and Human Services (HHS), one of the first questions will likely be: "Where is a copy of your latest risk assessment?" You do not want to respond "we don't have one" or produce something outdated or incomplete.

4. Encryption is your friend - Encryption is one of those technical terms that people have trouble understanding. While the mechanics are very technical, you do not need to master them to make good decisions. Think of encryption as a lock whose key is the encryption key or password: encrypted information cannot be read by anyone who does not hold the key. It is not "unbreakable" in an absolute sense; it is exactly as strong as your control over that key. Encryption is an addressable (not required) implementation specification under the HIPAA Security Rule, but it provides a "safe harbor" in the event of a security incident. If a device (laptop, desktop, USB drive, DVD, smartphone, etc.) containing ePHI is lost or stolen, the ePHI on it is encrypted in a manner consistent with HHS guidance (which points to the NIST standards for data at rest and data in transit), and the key was not compromised along with it, the ePHI is considered "secured" and the loss is not a reportable breach. Encryption dramatically reduces the liability of storing ePHI on desktops, laptops and portable devices. Two caveats matter in practice. First, keep the key or password separate from the device: a password on a sticky note on the laptop, or a recovery key kept on the same USB drive, means the key is lost with the device and the safe harbor no longer applies. Second, full-disk encryption protects data at rest; a laptop stolen while powered on and unlocked is not protected by it. Verify that encryption is actually enabled on every device that holds ePHI, and keep records of it, because you will need to prove it after a loss.

5. You must train your employees on HIPAA security - The HIPAA Security Rule and HIPAA Omnibus Final Rule also mandate that covered entities and business associates set up a security awareness and training program and that all workforce members (employees, contractors, volunteers, etc.) go through it. Training is not optional. The only way employees will understand how to protect ePHI is through training. In addition, the Security Rule calls for ongoing security reminders (an addressable implementation specification of the training standard). All workforce members must receive training, and after training they need periodic reminders so they remain aware of how to effectively protect ePHI. Keep records of who was trained and when; training you cannot document is training you cannot demonstrate to an auditor.

6. You must have written policies and procedures - The HIPAA Security Rule requires written policies and procedures describing how ePHI is to be protected. They matter because every employee needs to know what they must do to protect patient information, and your HIPAA training should reinforce them. A few things to take into consideration: the policies and procedures must actually be written down. It is not good enough to have practices that are generally followed but undocumented. They must also be distributed and enforced by your organization. A binder of written policies and procedures that sits unread on a practice administrator's or head of operations' bookshelf will not satisfy the HIPAA requirement. Finally, the Rule requires you to review and update the documentation in response to environmental or operational changes, and to retain it for six years from the date of its creation or the date it was last in effect, whichever is later.

7. You must have an incident response plan - To be compliant with the HIPAA Security Rule and HIPAA Omnibus Final Rule, you must have a security incident response plan (SIRP). The Security Rule requires procedures to identify and respond to suspected or known security incidents, to mitigate their harmful effects to the extent practicable, and to document the incidents and their outcomes. A SIRP is a predefined plan that guides an organization through the steps that must be taken in the event of a security incident or breach. Here's an example of the high-level steps in a security incident response plan:
- Define the incident – What happened? When did it happen? Who was involved? When was it discovered? The discovery date matters: the breach notification clocks run from the day the breach was discovered, or should reasonably have been discovered, not from the day it occurred.
- Stop (contain) the incident – If a smartphone or laptop is lost, remotely wipe it and revoke its access (accounts, email, VPN); if an intrusion is found, take the steps needed to prevent further access, such as isolating the affected system and resetting compromised credentials, while preserving logs and other evidence for the investigation.
- Document the incident – Fill in all the details of what occurred from step 1 (define the incident) and step 2 (steps taken to stop the incident), with times and the people involved. Clearly document all aspects of the incident; the Security Rule requires incidents and their outcomes to be documented.
- Determine who has been affected by the incident – Which patient records were involved, how many individuals, and which data elements (names, Social Security numbers, diagnoses, etc.)? The count and the content drive the notification decisions.
- Perform a breach risk assessment – Under the Omnibus Final Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the organization can demonstrate a low probability that the PHI has been compromised, based on at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The outcome of this assessment determines the next steps, including any required notifications. Keep the written assessment: the burden of proving that notification was not required is on you.
- Notification – Notify the appropriate individuals and agencies. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS within that same window, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity, which carries out the notifications.
- Provide guidance to prevent the incident from occurring again – An important aspect of a security incident response plan is to ensure that the same incident does not happen in the future. Feed the findings back into the risk management loop (point 2) and update your safeguards, policies and training accordingly; recommendations to increase security and reduce the risk of a repeat incident are essential.