Frequently Asked HIPAA Compliance Questions

HIPAA compliance shouldn’t be a mystery. Learn about the intricacies of this standard with our Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance in the cloud frequently asked questions (FAQ).

Passed by Congress and signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act (HIPAA) requires organizations handling protected health information (PHI) to develop internal policies and procedures to safeguard the confidentiality and security of that patient data.

All organizations that transfer, store, receive or in any way handle PHI – whether orally, in writing or electronically – are required by law to comply with HIPAA regulations.

Most organizations today handle PHI in a cloud environment. The road to compliance in the cloud is unique to every organization – not only because every business is different, but because HIPAA rules are more guidelines than a set of prescriptive steps or tactics.

Therefore, an organization is never formally certified as HIPAA compliant; rather, it must comply with the following HIPAA rules:

  • The HIPAA Privacy Rule: As the name indicates, the purpose of this rule is to protect the privacy of patients by limiting the disclosure of patient information without patient permission. That includes all identifiable information like name, address and social security number, as well as health specific information like diagnosis and treatments. In addition, the Privacy Rule allows patients access to their own medical records.
  • The HIPAA Security Rule: Under this rule, entities are required to develop and maintain appropriate administrative, technical and physical measures to mitigate the risks associated with how the entity handles PHI and to ensure the confidentiality, integrity and security of electronic PHI (ePHI).
  • The HIPAA Breach Notification Rule: Entities are required to notify patients and the U.S. Department of Health & Human Services (HHS) within 60 days if PHI is breached.

Entities are required to appoint both a privacy officer and a security officer. These can be the same person and they can handle compliance responsibilities themselves or manage those who ensure compliance. Most organizations with cloud-based ePHI assign this responsibility to a high-ranking IT staffer like the director of IT.

Whoever is assigned should have the following qualities:

  • A thorough understanding of HIPAA requirements.
  • Experience with risk assessment and understanding of cyber security and the organization’s electronic record handling.
  • The empowerment to implement policies and ability to enforce them among employees.

Since there is no specific standard or independent audit framework, HIPAA compliance is a self-certification that your organization believes it has met the relevant requirements. The best way to achieve this is by instituting a data security strategy that strives for security of your overall system, rather than focusing on HIPAA regulations alone, which dictate security for just PHI.

To address both security and compliance, a solution should include the following:

A Comprehensive Risk Management Program: Risk assessment and management are at the heart of the HIPAA Security Rule and an annual requirement. Without properly identifying the risks associated with how your organization handles PHI, you will not be able to justify the security controls program you implement to protect it. Having a documented risk assessment and using that to develop your security controls program is the fundamental building block of a HIPAA compliance program.

Security Policy: First and foremost, your organization should have a clear policy that is documented and distributed to staff to detail what is and is not acceptable, what is required and who is responsible for what.

Access Control: Who should have access to what information and in which situations? Your first line of security is at the access point. Make sure your policy dictates which employees can access certain types of information and that you appropriately establish access privileges.

Comprehensive Security Controls: In addition to access controls, your solution must include additional data protection which may include, but shouldn’t be limited to, encryption of data, the authentication of data received and the constant monitoring of your system for vulnerabilities and breaches.

Breach Response Plan: Despite all best intentions and planning, breaches do happen. When they do, it’s essential that your organization can do the following:

  • Rapidly detect the breach
  • Quickly stop threat actors
  • Patch vulnerabilities
  • Restore lost data
  • Notify appropriate parties in a timely manner

There are no consequences for not being compliant unless your organization suffers a breach and loses PHI records. The consequences of breaches can be severe. Organizations face steep fines from the Department of Health and Human Services’ Office for Civil Rights. 2016 alone saw HIPAA settlements reach more than $23 million. Specific fines are based on the number of patient records involved in the violation and how severe the neglect is found to be. For example, if you’re in violation of a rule but didn’t realize it, your fine may be lower than if it’s found that you knew you were in violation of a rule and didn’t do anything about it.

Of course, the impact of non-compliance goes beyond financial measures. The loss of patient trust can have devastating effects on an organization’s future. If violations can be linked to specific employees, jail time might even be involved.

It’s no secret that managing PHI electronically is far more efficient than maintaining paper-only records. However, digitizing data and implementing secure electronic solutions can be complex and expensive. That’s why, in 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created. President Obama signed HITECH into law as part of the American Recovery and Reinvestment Act (ARRA).

HITECH was meant to encourage those in the healthcare industry to adopt electronic health records (EHR) to reduce spending on health services by increasing efficiency. Initially, HITECH offered financial incentives for those organizations that were early adopters. In addition, HITECH requires that those in the healthcare industry adopt certain levels of EHR usage.

Because of the complexity involved in HIPAA compliance, a group of industry leaders came together to develop the Health Information Trust Alliance (HITRUST). In 2009, the HITRUST alliance released a Common Security Framework (CSF) as a framework specifically for the protection of ePHI. The framework is based on the HIPAA Security Rule for compliance but is also easily scalable to accommodate the needs of organizations of varying sizes with solutions of any degree of complexity.

In order to be compliant in the cloud, you must build a security program that does the following:

  • Ensures the confidentiality, integrity and availability of all ePHI created, received, stored or shared.
  • Identifies and protects against threats to the security of ePHI.
  • Protects against impermissible uses or disclosures of ePHI.
  • Enforces compliance by everyone who handles the ePHI.

There’s no doubt that compliance is important, but it’s only one outcome of cloud security and shouldn’t be the driver.

It’s possible to be compliant without being secure. The threat landscape is ever changing, and HIPAA requires that you keep up with new threats and evolve your security program to defend against them. Compliance standards are static and don’t evolve as rapidly as the threats, often making compliance the lowest common denominator of security requirements. If you’re finding it challenging to dedicate the time and resources just to be compliant, you’re probably leaving your data vulnerable to sophisticated threats.

The act of being secure isn’t about checking compliance boxes; it’s the process of applying a multilayered web of protection to all infrastructure, applications and processes that touch your data.

Protecting critical data in the cloud requires a different or additional set of tools than protecting the information stored in your legacy, on-premises resources.

  • If you have your own data center, you’re responsible for establishing physical access controls, including a log of who enters that data center and when.
  • As technology advances, hardware must be updated more frequently, which means you need to update the physical hardware of your data center.
  • If your legacy systems are running on outdated or unsupported hardware, they might not be able to be updated to keep pace with modern threats.

And while being able to see and touch your data center may give you a feeling of control, you also have to consider the cost, scalability and accessibility of the information stored there.

Simplified cloud compliance is a key benefit of entrusting your cloud data workloads and applications with Armor. Our solutions are purpose-built to meet the specific needs of organizations subject to HIPAA compliance.

Need proof?

  • Healthcare organizations of all kinds trust our security talent to protect their customers’ health-related data at all costs.
  • Our blend of intelligence, defense and control ensures HIPAA compliance, reduces threat actor dwell time to near zero and protects ePHI data, applications and intellectual property.
  • Armor is certified against the Health Information Trust Alliance (HITRUST) CSF. This framework was developed by a trusted group of industry leaders formed to help create standards in the complex HIPAA environment.