14 years later, public and private sector organizations are still constantly found out of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Security management processes are among the softest links in compliance. In this article, we’ll review some of the basics that covered entities and their business partners need to follow to ensure that they are not hit with fines.
For the unfamiliar, HIPAA regulates the use and disclosure of certain information held by health plans, health insurers, and medical service providers that complete many types of transactions.
Policing of the HIPAA Privacy and Security Rules falls to the Department of Health and Human Services’ Office for Civil Rights (OCR). Enforcement of compliance began in 2005, with OCR becoming responsible for Security Rule enforcement in 2009. Since April 2003, over 150,000 HIPAA Privacy Rule complaints have been reviewed by OCR. 98% (or 147,826) of the complaints have been settled.
OCR enforces the HIPAA Rules by applying “corrective measures,” including either a settlement or a civil money penalty.
Only 47 cases have led to a settlement, although the total monetary penalty is still a massive $67,210,982.00. Most compliance issues, OCR reports, stem from improper use or disclosure of electronic protected health information (ePHI); poor health information security measures; inadequate patient access to their ePHI; and the absence of administrative safeguards for such data.
In other words, there is a systemic failure in developing and maintaining appropriate security management procedures. This is ironic, because one of the very first stipulations in HIPAA § 164.308(a)(1) calls for organizations to implement policies and procedures to prevent, detect, contain, and correct security breaches.
There are several required implementation specifications for putting these security management measures in place. These include the following:
Risk analysis – An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity (or its business associate/s).
Risk management – Security measures to limit risks and vulnerabilities to a “reasonable and appropriate level.”
Sanction policy – Staff who do not comply with the security policies and procedures must be sanctioned according to a standard policy applied to breaches.
Information system activity review – Processes to monitor records of information system activity, including audit logs, access reports, and security incident tracking reports.
Prior to any of that, however, groups must use best practices to get their arms around the protected information under their management, and to apply some common sense thinking to managing access to that information.
Let’s review some of these best practices.
List relevant information systems – It seems obvious, but here’s where many groups fall down. You have to be able to list all information systems that house ePHI. Moreover, you have to be able to analyze business functions and verify the ownership and management of those information systems.
Ask yourself the following:
- Do the hardware and software in your information systems incorporate removable media and remote access devices?
- Have you identified the range of information you manage?
- Have you listed and evaluated the sensitivity of each type of information?
Complete a risk assessment – You have to have an accurate and thorough assessment of the possible dangers and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
To ensure accuracy and thoroughness, ask yourself the following:
- Is the facility in an area prone to any natural disasters?
- Have you delegated responsibility to review all hardware?
- Have you analyzed existing safeguards and identifiable risks?
- Have you reviewed all processes involving ePHI — including creating, receiving, maintaining, and transmitting protected data?
Purchase IT systems and services – After identifying your systems and their exposure to danger, you may find that you need additional hardware, software, or services to adequately secure that information, such as:
- Multi-Factor Authentication
- Data-at-Rest Encryption
- Data-in-Transit Encryption
- Cryptographic Key Management
When reviewing options for new systems or services, ask yourself the following:
- Will new security controls work with the current IT architecture?
- Have you completed a cost-benefit analysis to make sure the investment is reasonable when measured against possible security risks?
Establish and deploy policies and procedures – This is a challenge for any working set of management processes. You have to have policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or centers. Does your formal system security plan and contingency plan stand up to that standard?
In both the public and private sectors, hospitals, clinics, and other health care suppliers that manage private health information today must adhere to stringent policies for ensuring that data is safe at all times. The best practices shown here can help ensure that data isn’t stolen or impacted, and that your group doesn’t face steep fines for being out of compliance.