Just as compliance does not equal security, the same can be said in reverse – security does not ensure compliance. In 1996, a lengthy piece of legislation known as the Health Insurance Portability and Accountability Act (HIPAA) was signed into law to improve the portability and accountability of health insurance coverage for employees moving between jobs. Since its implementation, healthcare organizations have been tasked with protecting the confidentiality, integrity and availability of protected health information (PHI) from all reasonably anticipated threats.
However, there’s more to HIPAA than simply implementing controls to ensure the security of PHI. Maintaining compliance is an ongoing commitment within an organization that must be upheld by a strong security mindset and program.
HIPAA protects the privacy and security of PHI with three main rules:
- Privacy rule: protects PHI in all capacities
- Security rule: covers electronic PHI (ePHI)
- Breach notification rule: requires that affected parties be notified following a breach of unsecured health information
The security rule alone outlines 18 different standards healthcare professionals are required to comply with, such as assigned security responsibility, information access management, security awareness training and security incident procedures. However, the most misunderstood standard, and the one most often cited for noncompliance, is likely the security management process standard. This standard includes risk analysis, risk management, the implementation of a sanctions policy and periodic information system activity reviews. The security management process, and specifically the risk analysis, sets the tone for the rest of an organization’s security posture. Misunderstanding the importance of a thorough risk assessment, or how to perform one, leads to a weak analysis, and a weak analysis can ultimately be more damaging than not doing one at all.
HIPAA’s compliance requirements are vaguely defined, demand little proactive work, and come with no government stamp of approval certifying that an organization is compliant. However, one of the great things about the way the HIPAA law is written is that it accounts for the various sizes and complexities of healthcare providers and allows each one to implement the program that is most appropriate for its own organization.
Unfortunately, most organizations take the check-box approach and completely miss the fundamental underpinning of the security rule. From training to reporting and everything in between, successfully maintaining HIPAA compliance starts with a cultural mindset of security within an organization. If the mindset of leadership and employees is to satisfy just the bare minimum to remain in good standing, you’re setting yourself up for failure.
Security and compliance are a continuous commitment. Company risk profiles are ever-changing, so the risk assessments, frameworks and protocols put in place to mitigate potential threats should follow suit. Often, we see organizations conducting HIPAA training with employees, but only covering what’s required by the regulations, as opposed to outlining company policies that align with HIPAA mandates.
Since its implementation in 1996, HIPAA has undergone several updates, including the addition of HITECH in 2009 and the introduction of the breach notification rule. These updates were a vast improvement and helped the law more accurately reflect today’s threat landscape. However, for a truly robust and state-of-the-art security program, organizations should continually evolve, understand the threats they are up against, and then amend their program to reflect these changes. By doing so, they’ll not only remain in compliance but begin to establish a security-first mindset.
One of the best ways to do this, and to maximize an organization’s chance of being HIPAA compliant, is to have an implementation framework in place – which is where HITRUST, NIST 800-53 and ISO 27001/2 come into play. These frameworks provide a seamless opportunity that all but guarantees you’ll pass an audit. Following one of them is significantly more effective for ensuring HIPAA compliance than simply knowing the basic ins and outs of the regulations.
Protecting patient data under HIPAA requires much more than checking boxes; it calls for a complete mindset overhaul of what it truly means to be secure.
Gerry Miller, Founder & Chief Technology Officer, Cloudticity
Sarah Badahman, CEO & Founder, HIPAAtrek