HIPAA Compliant: What Does Being Compliant Mean To Your Business
The Health Insurance Portability and Accountability Act (HIPAA, for short) was signed into law on Aug. 21, 1996 by then-president Bill Clinton. If you were of working age, you might remember the news coverage of this law. Its portability provisions protect workers' health coverage when they change or lose jobs, for example by limiting pre-existing-condition exclusions under a new employer's plan; the cost of that coverage can still fall on the employee.
Besides portability, the law instituted protection requirements for patient privacy, usually discussed in terms of three overlapping definitions:
- Individually Identifiable Health Information (IIHI)
- Protected Health Information (PHI)
- Electronic Protected Health Information (ePHI)
IIHI is health information that identifies an individual, or could reasonably be used to. PHI is IIHI that a Covered Entity or Business Associate creates, receives, maintains or transmits in any form – electronic, paper or oral. ePHI is the subset of PHI that is stored or transmitted electronically. For ePHI to be protected effectively, IT professionals must understand HIPAA – what it is and who it affects.
Is Your Business Supposed To Be HIPAA Compliant?
HIPAA applies to two kinds of organizations:
- Covered Entities (health care providers, health plans and health care clearinghouses)
- Business Associates (organizations that handle PHI on a Covered Entity's behalf)
Any IT professional who creates, receives, maintains or transmits PHI or ePHI for a Covered Entity or Business Associate is a Business Associate and is legally bound by HIPAA. Since the Omnibus Rule of 2013, Business Associates and their subcontractors are directly liable under the Security Rule and face the same penalties as Covered Entities.
This is extremely important for every IT professional working with a Covered Entity or Business Associate.
Your Business Might Need To Become HIPAA Compliant
It’s important to understand that signing a Business Associate Agreement doesn’t automatically make you HIPAA compliant, even though the agreement is one of the compliance requirements. Likewise, using a product or service that is itself HIPAA compliant doesn’t transfer that compliance to you.
For your company to become HIPAA compliant, there are a few things that need to be done:
Step 1 – Security Risk Assessment
You need to do a Security Risk Assessment on the business – a must regardless of who you are. The key goal of the assessment is to find out how ePHI is created, received, maintained and transmitted in the business.
What if you think you don’t have access to the ePHI? If you’re an IT professional working on the business network, chances are you still have administrative access to the systems, even if only remotely. The law treats you as a Business Associate as long as you have access to ePHI, even if the data is encrypted and you never look at it.
What are some of the common ways in which you may touch the data without even realizing it?
- Onsite Support – Have you been given administrative rights to servers, workstations, etc.?
- Remote Support – Has the business given you permission to provide remote support, meaning you can access customer data and view it?
- Restore/Backup Services – Are you backing up the systems’ data, which includes the ePHI? IT professionals are often responsible for backing up data and later restoring it. Where will the backups be stored, and are they made in-house or by a third party?
In one of these ways, as an IT professional you are almost certainly touching ePHI or exposed to it.
Step 2 – Risk Management Plan
Once you’ve completed a security risk assessment, you need to use its findings to come up with a risk management plan. This is where you address the risks identified in the assessment.
HIPAA Protections For Your Business
Although HIPAA defines a baseline of privacy protection, it’s the policies and procedures you build on top of it that give the data you hold the protection required.
Once you’ve carried out the risk assessment and drawn up the risk management plan, your business must put in place HIPAA-related policies and procedures that satisfy the Security Rule. The Security Rule’s safeguards fall into three categories:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
What do the administrative safeguards entail?
- Security Management Process
  - Risk Analysis (Required)
  - Risk Management (Required)
  - Sanction Policy (Required)
  - Information System Activity Review (Required)
- Assigned Security Responsibility
- Workforce Security
  - Authorization and/or Supervision (Addressable)
  - Workforce Clearance Procedure (Addressable)
  - Termination Procedures (Addressable)
- Information Access Management
  - Isolating Health Care Clearinghouse Functions (Required)
  - Access Authorization (Addressable)
  - Access Establishment and Modification (Addressable)
- Security Awareness and Training
  - Security Reminders (Addressable)
  - Protection from Malicious Software (Addressable)
  - Log-in Monitoring (Addressable)
  - Password Management (Addressable)
- Security Incident Procedures
  - Response and Reporting (Required)
- Contingency Plan
  - Data Backup Plan (Required)
  - Disaster Recovery Plan (Required)
  - Emergency Mode Operation Plan (Required)
  - Testing and Revision Procedures (Addressable)
  - Applications and Data Criticality Analysis (Addressable)
- Evaluation
- Business Associate Contracts and Other Arrangements
  - Written Contract or Other Arrangement (Required)
What do the physical safeguards entail?
- Facility Access Controls
  - Contingency Operations (Addressable)
  - Facility Security Plan (Addressable)
  - Access Control and Validation Procedures (Addressable)
  - Maintenance Records (Addressable)
- Workstation Use
- Workstation Security
- Device and Media Controls
  - Disposal (Required)
  - Media Re-Use (Required)
  - Accountability (Addressable)
  - Data Backup and Storage (Addressable)
What do the technical safeguards entail?
- Access Control
  - Unique User Identification (Required)
  - Emergency Access Procedure (Required)
  - Automatic Logoff (Addressable)
  - Encryption and Decryption (Addressable)
- Audit Controls
- Integrity
  - Mechanism to Authenticate ePHI (Addressable)
- Person or Entity Authentication
- Transmission Security
  - Integrity Controls (Addressable)
  - Encryption (Addressable)
Special Note: Keep in mind that the items above are the named standards and implementation specifications; each one still has to be implemented and documented in your environment.
As an IT professional, the technical safeguards are generally nothing you’ll have trouble with. After all, they are the established best practices for protecting systems and information: unique accounts, access control, audit logging, session timeouts and encryption. You should have technical safeguards like these in place for every client – not just the ones that must be HIPAA compliant.
Review the physical safeguards once again. You can easily recognize the physical measures that protect systems and their information.
It’s the administrative safeguards that may have you a bit perplexed, as they’re written to cover every type of HIPAA entity, and some sections won’t apply to you. What do “required” and “addressable” mean?
- Required – implementation specifications that must be implemented as written.
- Addressable – specifications you must assess. If they are reasonable and appropriate for your environment, implement them; if not, document why, and implement an equivalent alternative measure where appropriate.
For instance, if you’re a lone IT professional with no employees, termination procedures for your own workforce may not be reasonable as written. You don’t skip the element; you document in your policies and procedures how you handle it (for example, how a client’s access is revoked when an engagement ends).
Special Note – Bear in mind that there are many rules to HIPAA. The article is focused more on the Security Rule aspect of the law.
You Must Document Everything From Start To Finish
Compliance is all about documentation
When it comes to being HIPAA compliant, it’s all about documentation. In fact, one HIPAA compliance expert said there are three key actions behind HIPAA documentation:
- What you will do
- What you are currently doing
- What you have done
Think of it this way: if you don’t keep documentation about something, that something never took place.
Several entities have faced severe fines and penalties for not having or not following a policy. According to the figures this article relies on, 60% of breaches have occurred within the Business Associate category – IT professionals and MSPs. Thus, it appears that many of the breaches healthcare providers experience are the result of their Business Associates.
How IT Professionals Handle HIPAA Compliance
Besides the Security Rule, there are other rules you must remember as well – the Breach Notification Rule and the Privacy Rule. Do you feel overwhelmed by all this information? If so, know you are not alone. IT professionals have three paths to choose from:
- Ignoring HIPAA, claiming the rules don’t apply to them. This is a risk they take whenever they work with HIPAA Covered Entities and Business Associates.
- Realizing the scope of HIPAA and the penalties and liabilities associated with it, and refusing to work with any client that must be HIPAA compliant.
- Working with clients who must be HIPAA compliant, doing the compliance work themselves or hiring help.
If you need a little more help with HIPAA and its rules, HIPAAforMSPs.com was designed to address the problems that MSPs and IT professionals face. When it comes to HIPAA, there is no middle ground. You’re either all in or all out. One violation of the HIPAA rules and the penalties and fines are stiff. In fact, they’re so stringent that you could lose your business or, unfortunately, worse.
What IT Professionals Should Understand About HIPAA and Being Compliant
What does being HIPAA compliant mean for you the IT professional? In essence, you’ve done the following:
- Completed work that meets the Security Rule elements
- Addressed the elements in your own policies and procedures
- Understand HIPAA and what it means to your business
- Written and recorded everything
- Developed a constant training program
- Came up with a set of principles for the business to be compliant
When it comes to HIPAA, there’s no checklist you can go through and cross off “done” items. It’s a never-ending process that governs how you run your business with clients that must be HIPAA compliant.
The landscape of HIPAA compliance is always changing, and even though the law has been in effect for decades, the opportunities it creates for IT professionals are still new.
In the world of business, it’s all about differentiating yourself from others. If you decide to become HIPAA compliant, you’d be differentiating the business from companies that refuse to face the hard work and become compliant. That can lead to your success!