Last month we talked about the background of the Health Insurance Portability and Accountability Act (HIPAA). If you’re in healthcare IT, then you’re well aware of HIPAA’s importance when it comes to protecting your electronic protected health information (ePHI) and staying compliant and secure. But you might not be entirely clear on how HIPAA compliance plays out in your organization in terms of specific practices, so I’d like to spend some more time talking about that today.
Remember, HIPAA impacts every aspect of your business. All stakeholders are involved, so you’ll need to look beyond just the IT team. And don’t forget that you should approach every compliance initiative from a security standpoint. HIPAA, in fact, embraces a risk-based approach to security, so let’s start by talking about risk assessments.
Risk Assessments and Security Programs
If you’re familiar with HIPAA’s Security Rule, then you know it requires organizations to periodically conduct a thorough risk analysis. In this case, “thorough” means not only evaluating your risks and vulnerabilities but also implementing adequate safeguards against those risks. It’s worth noting that when the Office for Civil Rights (OCR) conducted a series of audits in 2012, it found a pattern of inadequate assessments, or none at all.
Your first step is analyzing what kind of ePHI your organization is receiving, storing and transmitting: the sources and flows of the data. You also want to identify possible threats, be they natural threats, intentional human attacks or environmental threats, then check security policies and system vulnerabilities for flaws or incorrect configurations.
Next you’ll want to evaluate the likelihood of each threat exploiting a vulnerability and the impact it would have, then assess the effect of these occurrences on your cloud environment. After that, assign risk levels to them based on the likelihood and frequency of the potential occurrence and the severity of the impact. Finally, you should identify mitigation options and determine which ones to implement. Of course, remember to extend these corrective actions to any Business Associates.
So that’s your basic risk assessment, but you’re not done yet. Remember, compliance is just part of your larger security posture. After selecting controls that address the risks identified in your assessment, you’ll want to compare them to an industry-standard framework such as NIST or ISO. Do your controls address the key areas within those frameworks? Are you protecting your entire organization? While risk assessments are critical for HIPAA compliance, they can ultimately deliver a more secure and smarter cloud environment.
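To make the steps above concrete, here is a small risk register that follows them end to end: catalogue ePHI assets with their threats and vulnerabilities, score likelihood and impact, assign a risk level, pull out the corrective actions that must flow down to Business Associates, and then check the chosen controls against a framework’s key areas. This is an added example and not code from the original post; the 1–5 scoring scale, the level thresholds, the sample entries and the use of the five NIST CSF 1.1 functions as the “key areas” are all my assumptions, and the register contents are constructed for illustration.

```python
"""Minimal HIPAA-style risk register (added example; scale and thresholds are assumptions)."""
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scales for likelihood and impact; the post gives no scale.
SCALE = range(1, 6)


@dataclass
class Risk:
    asset: str                      # ePHI source, store or data flow
    threat: str                     # natural, human or environmental threat
    vulnerability: str              # flaw or misconfiguration the threat could exploit
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    ba_scope: bool = False          # True when a Business Associate handles this ePHI
    mitigations: list = field(default_factory=list)


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on the assumed 5x5 matrix; rejects out-of-range inputs."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a 1..25 score to a risk level (thresholds are an assumption)."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def prioritize(register: list) -> list:
    """Highest-scoring risks first; ties keep register order (sort is stable)."""
    return sorted(register, key=lambda r: risk_score(r.likelihood, r.impact), reverse=True)


def ba_actions(register: list) -> list:
    """Corrective actions that must be extended to Business Associates."""
    return [(r.asset, m) for r in register if r.ba_scope for m in r.mitigations]


# Assumed framework areas: the five NIST CSF 1.1 core functions.
NIST_CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


def coverage_gaps(control_map: dict, framework_areas=NIST_CSF_FUNCTIONS) -> list:
    """Framework areas that none of the selected controls maps to."""
    covered = set(control_map.values())
    return sorted(area for area in framework_areas if area not in covered)


# Constructed sample register: assets, threats and vulnerabilities are illustrative only.
SAMPLE_REGISTER = [
    Risk("Patient portal -> EHR API", "credential theft", "no MFA on admin accounts", 4, 5,
         mitigations=["Enforce MFA on all admin accounts"]),
    Risk("Billing export to clearinghouse", "interception in transit", "SFTP with password auth", 3, 4,
         ba_scope=True, mitigations=["Move clearinghouse transfer to key-based SFTP"]),
    Risk("Offsite backup media", "loss in transit", "unencrypted backup tapes", 2, 5,
         ba_scope=True, mitigations=["Encrypt backup media before handoff to courier"]),
    Risk("Server room", "flood", "ground floor, no water sensors", 1, 3,
         mitigations=["Install water sensors; plan relocation"]),
]

# Constructed sample control-to-area mapping for the coverage check.
SAMPLE_CONTROLS = {
    "MFA on admin accounts": "Protect",
    "SIEM alerting on EHR access": "Detect",
    "ePHI data-flow inventory": "Identify",
    "Encrypted backups": "Protect",
}

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        score = risk_score(r.likelihood, r.impact)
        print(f"{risk_level(score):8} {score:2}  {r.asset}  [{r.threat} / {r.vulnerability}]")
    print("Flow-down to BAs:", ba_actions(SAMPLE_REGISTER))
    print("Framework gaps:", coverage_gaps(SAMPLE_CONTROLS))
```

Running it lists the four constructed risks from Critical down to Low, shows the two corrective actions that have to be written into Business Associate agreements, and reports that the selected controls leave the Respond and Recover areas uncovered, which is exactly the kind of gap the framework comparison step is meant to surface.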
Business Associates and Covered Entities
Before we go, let’s take a minute to define Covered Entities and Business Associates. These terms are frequently referenced in HIPAA, and it’s important to understand what they mean.
A Covered Entity is the healthcare organization, such as a hospital, clinic or insurance carrier; the Business Associate, or BA, is the vendor or service provider. While BAs were once accountable only for the compliance terms dictated by their contracts, BAs and Covered Entities are now directly accountable to OCR. This means you should work with providers who can clearly articulate their security controls program and are transparent about the division of responsibilities.