If you work in healthcare IT and you’re doing research on HIPAA compliance, no one could blame you for getting confused. HIPAA can be vague, serving more as a manifesto than a set of prescriptive directions – and it doesn’t help that plenty of providers make bold promises and unrealistic guarantees to deliver a quick compliance fix.
Take it from me, there’s no such thing. Anyone who promises you a miracle product or silver bullet is trivializing the entire compliance process. You may want a quick and convenient solution (who wouldn’t?) but ultimately HIPAA compliance is achieved in just one way: getting secure. You must create a security program that addresses all the ways your organization handles sensitive medical data and PHI – and that means addressing the relevant risks with the right strategies and controls.
This may not sound all that fun. I’ll be honest with you: getting HIPAA compliant can be tough. But there’s good news and that’s the serious long-term benefits that come with building the right security program. You’ll discover a wealth of opportunities for improvement and find yourself with a stronger, higher-performing environment.
The most direct road to security starts with performing a thorough risk assessment. HIPAA’s Security Rule requires organizations to periodically conduct a thorough risk analysis, yet a 2012 series of Office of Civil Rights (OCR) audits found a widespread lack of or poorly conducted risk assessments. Why? My guess is many organizations just aren’t sure of how to perform one – and they may not realize how much a good risk assessment can strengthen their business.
If that sounds familiar, I’d recommend using a good risk assessment framework like NIST 800-30, FAIR or OCTAVE. But you’ll still need to understand the basic steps for an effective risk analysis, so let’s go over those now.
Your first step is conducting a broad overview of your organization. Consider your processes for creating, accessing and storing PHI, and document all of them, including their purposes, diagrams of the data flows and the roles people play in handling the data. Not only is this a vital element in compliance, you’ll find new ways to improve your systems.
After that, you want to look at all possible threats, including natural threats such as floods or earthquakes, intentional human attacks, and environmental threats such as power outages or leakages. Assess the likelihood of any of these occurring and the severity of the impact if they did; make sure you factor in the number of people impacted, the financial cost of the impact, any impact on patient care, and the impact to your brand reputation. After that, prioritize the risks based on the combination of impact and likelihood and then identify and document your mitigation options. Come up with corrective actions to mitigate each risk and be sure to cover everything – from protecting paper medical records from fire to encrypting data access, storage and backup to adopting safe personnel screening processes, you need to address all data-related risks. You also need to understand and add the cost of each mitigation option so that you can determine how to approach mitigation of your risks.
In terms of approaching your risk, remember that you have three options: to treat it, accept it as part of the cost of doing business or transfer it. You can transfer risk through taking our cyber risk insurance or engaging a provider to assist you. The latter will go far in reducing your responsibility and scope, which is why it’s such a popular option. But be careful when choosing your provider and be sure they demonstrate not only their compliance with HIPAA requirements but how what they do actually help you achieve your compliance goals.
Hopefully this was a good start to dispelling confusion on what’s involved in HIPAA compliance.