Many of our clients have been asking questions about the Health Insurance Portability and Accountability Act (HIPAA), and no wonder! Despite the fact that HIPAA was passed into legislation in 1996, advances in technology and cloud infrastructure have brought a new wave of questions surrounding electronic-protected health information (PHI) storage and access.

In this article, I aim to answer the following questions: Does your organization need to be compliant with the standards set forth in HIPAA, and if so, what are the next steps?

Does my organization need to be HIPAA compliant?

The first thing that you have to determine is whether your organization is a “Covered Entity”, meaning that the Health Insurance Portability and Accountability Act of 1996 (HIPAA for short) applies to you. Unfortunately, ignorance of your organization's responsibility to protect client health information will not protect you from a HIPAA violation and accompanying fine. Fortunately, the Center for Disease Control makes it very easy to determine whether you are a “Covered Entity” under HIPAA.

Your organization is considered a “Covered Entity” if it meets any of the following criteria set forth by the CDC:

• Healthcare Providers 

“Every healthcare provider, regardless of the size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.

• Health Plans 

“Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.

• “Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.”

• Healthcare Clearinghouses 

“Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.

• Business Associates

“A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.”

In other words, if your organization collects, uses, or discloses Protected Health Information (PHI), then you are considered a “Covered Entity”, and must meet or exceed the expectations set forth by HIPAA so that you are not found to be in violation of HIPAA.

You can learn more about HIPAA and other Public Health Laws at CDC.gov.

What is a HIPAA Violation?

A HIPAA violation is any time that your organization has failed to adequately protect the privacy, security, or availability of ePHI (electronic Protected Health Information). There are many ways an organization can fail to protect ePHI ranging from inappropriate employee access and snooping, to simply failing to have a sufficient risk management process in place. You can also violate HIPAA by failing to provide medical records to patients within 30 days, overcharging for records, or otherwise making it unnecessarily difficult for patients to see the medical information that you are storing.

What are the expectations set forth by HIPAA (the Health Insurance Portability Act of 1996)?

The HIPAA Security Rule, which is a rule within HIPAA that particularly focuses on ePHI, requires organizations to protect ePHI using reasonable administrative, physical, and technical controls. The security rule requires that all covered entities assess their security risks, recognize what risks exist to their organization and the integrity of their ePHI, and remediate to an acceptable level of risk. Let’s take a look at the three areas of controls in more detail.

What is an Administrative Control?

Administrative Controls refer to the training, policy, procedure, or other implementations aimed at informing and altering the behavior of people, rather than protecting the ePHI directly. Administrative controls play an important role in the security of your ePHI by helping to train and inform your employees about what is and is not permissible behavior.

An example of an Administrative control would be an IT Policy that states that “remote workers must use a virtual private network (VPN) while accessing ePHI”. In this example, the control isn’t the VPN, but rather the policy that says that employees must use a VPN. Policies must usually be signed by employees to verify that they have read and understood the requirements.

What is a Physical Control?

Physical controls refer to the implementation of physical barriers, systems, or other protections between an unauthorized individual and sensitive data. Physical controls include things such as security checkpoints or doors, security guards, and security camera systems. Physical controls could also include security measures such as photo IDs and biometric access to a facility. Generally speaking, if a control obstructs the ability of a perpetrator to access sensitive data or PHI in person, it is physical control.

As an example, say that you have a policy that states that “employees must use NFC (near field communication) photo-id cards in order to access the office”. In this example, the Policy itself is an administrative control, and the real NFC Photo ID cards are the physical control. This means that if the door was left open for anyone to walk through, this would be a breach of both the physical and administrative controls (a physical breach for anyone walking through the door, and a breach of the policy for the individual who left the door open knowing that they should not have (assuming that it has been outlined in the policy).

What is a Technical Control?

A technical control is a hardware or software solution that detects or prevents unauthorized digital or cyber access to data. Technical controls include controls such as a network firewall, an IDS (intrusion detection system) or IPS (intrusion prevention system), drive encryption, VPN, and user-based access controls. An easy example of a technical control would be the antivirus software that you have installed on your computer.

How the Three Types of Controls Work Together to Protect Your Data

Let’s assume that there is a laptop containing ePHI or other sensitive data. Firstly, administrative controls would protect this device through a policy called a “Clean Desk Policy” which would state that the laptop is not to be left out on your desk, and must be placed into locked storage when not in use. Let’s say that there is a breach in this particular control, and the laptop is left on an employee’s desk. The laptop is still being protected by physical controls, given that it is safely inside the building. A perpetrator would have to get past the locked doors, security guards, photo ID cards, and security cameras in the building to successfully steal the laptop undetected.

But for the sake of the example, let’s say that the perpetrator does indeed bypass all physical security controls. Even then, the data on the laptop is still protected by technical controls, in particular, drive encryption, which means that the thief cannot simply remove the hard drive from the laptop to read the data, as it is encrypted, and could only be read as random characters. The use of encryption on the device would successfully stop data exfiltration from taking place. You can see from this example how the three areas of security controls work together to create a safe environment for your ePHI and other sensitive data.

We meet the CDC’s criteria for “Covered Entity”, what are the next steps?

1. Find a tool that can help reduce the time, money, and energy you spend on compliance.

If you have determined that you are a “Covered Entity” under HIPAA, you must make sure that you are complying with the guidelines for protecting ePHI. Our recommendation is to use a tool like Vanta to kickstart your compliance process. Vanta is helpful because it can recommend advisors and auditors that will help you through the process of becoming HIPAA compliant. Vanta is our recommended vendor because they have been our biggest cost saver when it comes to our internal SOC2 compliance, and we are confident and comfortable with recommending them for HIPAA compliance as well.

Vanta actually provides a wonderful Compliance Checklist that can help to guide you.

2. Perform Your First HIPAA Risk Assessment

If you peeked at the Vanta Compliance Checklist linked earlier in this article, you’ll notice that the next step is to complete a “Readiness” or “Risk Assessment” in order to determine what risks threaten your organization's ePHI. I’ll begin by saying that we have an in-depth guide dedicated to walking you through your first risk assessment, which is one of the many free resources you can access on our website. For the sake of this article, however, it is enough to say that your risk assessment should help to identify threats to your ePHI so that you can unify your team around a remediation plan. Risk assessments are vital to the HIPAA provisions and must be performed even if you are confident in your security posture. 

At Jones IT, we recommend conducting risk assessments on at least an annual basis so that you are always aware of the threats that your organization (and your ePHI) face. When it comes to security, preparation and planning go a long way towards both preventing disasters and minimizing any damage that might result from a breach.

3. Remediation

Once you have identified the risks to your organization, the last step is to remediate those risks. An example of remediation might include a technical control such as the implementation of Multi-Factor Authentication on your accounts in order to protect your users and ePHI from phishing attacks. You might also implement administrative controls, such as IT Policy documents that help define and govern your business practices in accordance with your security goals. These policies might cover areas such as Asset Management, Bring Your Own Device (or BYOD), and Acceptable Use of company resources. Implementing all three areas of Security Controls (Administrative, Physical, and Technical) is vital to protecting your ePHI, and to meeting or exceeding the expectations set forth by HIPAA. 

Where does Jones IT come in?

At Jones IT, we work with our clients as if we were their very own in-house IT Department, meaning that we want to partner with you to help navigate the entire HIPAA lifecycle. In addition to implementing and configuring any compliance tools that you may have, our primary job as your internal IT department is to remediate any issues that arise as part of the risk assessment process. That means helping you in assessing your systems, implementing administrative, physical, and technical security controls, and monitoring your systems on an ongoing basis to ensure that your security posture meets the latest standards for ePHI security so that you can rest easy.

If you need IT support and consulting to help manage your HIPAA lifecycle, you can reach out to us by clicking the button below.

If you liked the blog, please share it with your friends