Most people with even a casual understanding of HIPAA realize there is a great deal of gray area involved in the implementation of the Rule. This is another way of saying lawmakers intended to provide the regulators with flexibility in HIPAA enforcement. After all, this is a Rule that applies to everything from single doctor practices to multiple-site hospital systems. It is this flexibility – specifically regarding “addressable specifications” of the Security Rule – that makes HIPAA such an implementation nightmare. However, navigating the gray areas, and determining what is “reasonable and appropriate” for your organization is not as challenging as it may seem.
First, you must establish what you need to analyze to determine whether a safeguard is “reasonable and appropriate.” HIPAA provides the factors as follows:
The size, complexity and capabilities of the organization;
The technical infrastructure, hardware, and software capabilities;
The costs of the safeguards being considered; and
The probability and criticality of potential risks to PHI.
Once the criteria are established, the method of analysis must be determined. The Rule provides the answer to that as well: a Security Risk Analysis. This is a systematic approach to identifying organizational risks and vulnerabilities and determining their likelihood. There are many risk analysis tools available on the market; HHS even provides one free of charge. The two most important things to consider when completing a risk analysis are 1) ensure it covers your entire organization, and 2) ensure it is well documented.
Once you are equipped with the information from the risk analysis, you will understand the scope of your risks.
Based on your organization’s size, complexity, technical capabilities, and associated costs, you will then be able to clearly determine what safeguards are required.
If you have been paying attention to the healthcare industry, you have probably noticed the phrase “HIPAA Compliant” being tossed about with increasing frequency. In some instances it is used by healthcare practices in an effort to reassure their existing patients or potential new patients that their data is safe. Other times, “HIPAA Compliant” has been used by vendors as a descriptor of a service or technology. These claims beg the questions: “When were you compliant?” and “Who decided you were compliant?”
Determining HIPAA compliance is a constantly moving target. If you are determined compliant today but fail to train a new hire tomorrow, you are no longer compliant. A business or technology that wants to say it is compliant must do more than have technology in place that meets HIPAA’s required security safeguards. Instead, it must be able to demonstrate it has implemented appropriate safeguards over a significant period of time (three to six months). Additionally, the organization must demonstrate these protections are in place to an unbiased third party that will validate the implementation and utilization of these safeguards. This requires producing not only all the policies and procedures that verify safeguards are in place, but also the logs and records that validate they are utilized in practice.
Unfortunately, our industry does not have a group in a position to offer this type of validation for the vast majority of the market. Therefore, we must proceed with caution when vetting new partners or technologies.
Spend some time looking under the hood and kicking the tires before deciding to share PHI with a new partner. Unfortunately, you cannot take all claims of HIPAA compliance at face value.
It Pays to Be HIPAA Compliant!
The end of the year is almost here, and that means now is the time to begin completing those HIPAA security and privacy items you need to get done before December 31.
HERE ARE THE TOP 3 THINGS YOU SHOULD COMPLETE BEFORE 2017:
1. Test Your Backup
If you have not done it this year, we strongly encourage you to test your backup before the end of the year. Having a backup that you can easily transition to is the best way to guard against the most devastating cyber attacks (such as ransomware). While simply having a backup is a positive step, if that backup has never been tested, how confident are you that it can be relied on during a crisis? It is better to test it now and be confident it is reliable if needed.
2. Conduct a Security Risk Assessment
All organizations, both covered entities and business associates, must conduct an annual security risk assessment – have you done one this year? Or at least started? Your risk assessment should include an inventory of all assets that create, maintain, receive, or transmit PHI. It should also include an assessment of risks, threats, and vulnerabilities, and should cover the entire organization. If you have not done so yet, begin planning now to at least start one before the year’s end.
3. Inventory Business Associates and Business Associate Agreements
Before the end of the year you should ensure you have a thorough inventory of your business associates and all business associate agreements. You may have business associate agreements that will expire at the end of the year, or need renegotiation for other reasons. Make sure to plan, as you will need ample time to have those negotiated and executed before they expire.
HIPAA compliance is a continuous endeavor that requires planning and diligence. The start of the fourth quarter of the year is a logical time to determine what still needs to be completed before the end of the year, and if you’re just now starting these processes, there are organizations that can help you get this work done quickly.