Most people with even a casual understanding of HIPAA realize there is a great deal of gray area involved in the implementation of the Rule. This is another way of saying lawmakers intended to provide the regulators with flexibility in HIPAA enforcement. After all, this is a Rule that applies to everything from single-doctor practices to multi-site hospital systems. It is this flexibility – specifically regarding the “addressable specifications” of the Security Rule – that makes HIPAA such an implementation nightmare. However, navigating the gray areas and determining what is “reasonable and appropriate” for your organization is not as challenging as it may seem.
First, you must establish what you need to analyze to determine whether a safeguard is “reasonable and appropriate.” HIPAA provides the factors as follows:
- The size, complexity and capabilities of the organization;
- The technical infrastructure, hardware, and software capabilities;
- The costs of the safeguards being considered; and
- The probability and criticality of potential risks to PHI.
Once the criteria are established, the method of analysis must be determined. The Rule provides the answer to that as well: a Security Risk Analysis. This is a systematic approach to identifying organizational risks and vulnerabilities and determining their likelihood. There are many risk analysis tools available on the market; HHS even provides one free of charge. The two most important things to consider when completing a risk analysis are 1) ensure it covers your entire organization, and 2) ensure it is well documented.
Once you are equipped with the information from the risk analysis, you will understand the scope of your risks.
Based on your organization’s size, complexity, technical capabilities, and associated costs, you will then be able to clearly determine what safeguards are required.
As we discussed in Part 1 of this blog, becoming secure and compliant doesn’t have to be overwhelming or cost-prohibitive. There are several software solutions to guide your project and allow you to focus on only what you really need to do. This can make being HIPAA compliant a cost-effective and potentially revenue-enhancing initiative. So what steps should you take right now?
At a minimum you should complete basic HIPAA HITECH security activities to minimize risks and be prepared to respond to business partner and new customer requests. This means completing at least the following:
- Risk Assessment to understand where PHI is stored and used, identify critical technology risks that must be controlled, and understand what mitigating actions need to be taken.
- Gap Analysis to prioritize remediation activities and develop a work plan to systematically close identified requirement gaps.
- Work Plan to have a plan and strategy so progress can be measured and tracked.
- Remediate Critical Risks and Implement Mitigating Controls to reduce risk and implement a secure and protected environment. Key activities include:
  - Develop and implement core security and privacy policies and procedures.
  - Implement ongoing monitoring tools to secure your technology, networks and physical environments.
  - Develop core risk management plans, including:
    - Incident Response
    - Contingency / Business Continuity
    - Physical Security
  - Conduct workforce training to ensure staff understand what security risks exist and what actions every staff member must take daily to maintain a secure environment.
The other key initiative to reduce risk is to ensure you have Business Associate Agreements (BAAs) in place with any organization you exchange PHI with. Here are some quick Business Associate Agreement best practices:
- Single Repository: Your organization should have one place where all executed Business Associate Agreements are stored. There should also be a master list of all organizations you receive, transfer and/or store PHI data with.
- Good Contracting Practices: If your organization receives a Business Associate Agreement for signing, ensure that it has been reviewed by your attorney beforehand. Small changes can have significant consequences in these agreements.
- Due Diligence: When entering into a new business associate or subcontractor relationship, ask two important questions about their HIPAA preparedness: Have they done a risk assessment in the last year, and who in the organization will be the Chief Compliance Officer? Remember, you have an obligation to end the transfer of PHI to any organization you have reason to believe is not able to safeguard the data.
- Audit: Review your Business Associate Agreements at least once a year. Also, look at all vendors you do not have Business Associate Agreements with and make sure you are not transferring PHI with these organizations.
In summary, the time for taking effective steps to secure protected health information is now. Debt buyers, medical billers and debt collectors are coming under the microscope of regulators and business partners and must be able to demonstrate their safeguard protocols. As businesses and consumers become ever more computer savvy and as large data breaches are announced frequently, they are already asking “is my Personal Healthcare Information data secure and do you follow good security and privacy practices?” As technology advances and interoperability becomes more prevalent, standards to do business in this environment will be increased.
Technology is rapidly changing, and as healthcare providers and vendors to the medical profession, we must all recognize our roles in the safekeeping of our patients’ health information in a world of ever-increasing threats to the security of that data. Business associates like billing and collection companies, application developers and data analytics companies must be compliant with the HIPAA HITECH regulations. We must ensure the security and privacy of protected health information (PHI) and fully comply with the HIPAA HITECH requirements.
If you handle PHI, you are a business associate and must comply with all the HIPAA HITECH requirements, including critical items like performing periodic risk assessments, documenting and implementing security and privacy policies and procedures, conducting HIPAA awareness training, and regularly testing disaster recovery and business continuity plans. But you may ask: “Should I worry if I’m not compliant? Could my business operations be disrupted by a data breach? Am I prepared if my customers and partners require me to be HIPAA compliant?” The answer to all of these should be an unqualified Yes.
The risks are real and they need to be managed. Here are just a few:
- There have been years of underinvestment in technology (especially security) in both the healthcare and medical billing/collections industries.
- Healthcare records contain large amounts of personal information.
- Mass digitization of patient data has greatly increased attack opportunities.
- The value to thieves of a healthcare data record is 50 times that of a credit card record.
- Mobile devices have become the primary computing vehicle, increasing the potential for loss and theft.
A KPMG study reported that 81% of healthcare organizations have been hit with a breach in the last two years. Some speculate that number could be even higher given that there could be some data breaches that remain undetected or go unreported. Furthermore, over 50% of respondents believe healthcare related organizations will remain the industry most at risk in 2017. What do you think is the largest privacy and security threat in your organization?
Most business associates have similar gaps. Do any of these describe your organization?
- Incomplete or out-of-date risk assessment;
- Missing security and privacy policies and procedures;
- Limited or no HIPAA awareness training;
- Untested disaster recovery plans;
- Ad hoc data breach incident response;
- Limited or no encryption of PHI; and
- Unmonitored access controls.
Being HIPAA HITECH compliant can pay dividends to your organization. It can help you generate more revenue and increase new potential business opportunities. If you haven’t already noticed, more and more business partners are asking, “Are you HIPAA compliant?” Many will not work with you if you can’t answer affirmatively to that simple question. Being HIPAA compliant can also be a business development differentiator; reduce the impact of a costly lawsuit over PHI mishandling or access; prevent reputational damage and consumer mistrust; and minimize potential fines from breaches and audits.
While not easy by any standard, becoming secure and compliant doesn’t have to be overwhelming or cost-prohibitive. This investment will pay for itself many times over. Part 2 of this blog will show you what you need to do. So get ahead of the curve. Bottom line: it pays to be HIPAA compliant!
When Can You Accurately Say You Are HIPAA Compliant?
There’s an age-old adage: The chicken or the egg? Which one came first? In a lot of ways, when it comes to a time-tested cybersecurity program, the same goes for security or compliance. And, are they different?
Many people ask the seemingly simple question “what do I need to do to be compliant?”
Unfortunately, that question doesn’t always have a simple answer, and the answer varies by organization. Another common question is “what do I need to do to be secure?” That, too, requires a complicated and organization-specific answer.
However, many organizations treat security and compliance as the same thing, when in fact they are quite different.
Cybersecurity protects the protected health information (PHI) your organization has access to from threats by controlling how it is used, consumed, and provided. Compliance, in particular HIPAA compliance, is a demonstration of those safeguards.
However, being compliant with specific safeguards does not ensure that information will be secure and private, because the requirements prescribed in regulations are either minimum baselines or are open to interpretation and not prescriptive. Merely striving for compliance is essentially aiming only to meet the minimum requirements.
A good security program is constantly evolving and improving. While regulations attempt to push for this result, it is nearly impossible to define and enforce through regulation.
It is immaterial whether compliance or security comes first. If compliance is first, it is a solid foundation on which to build a security program. If security is the initial objective, compliance will be a natural byproduct. In the end, preventing impermissible access to and disclosure of PHI must be the goal, and the best way to achieve this is through an ever-improving and evolving cybersecurity program.