HIPAA, the Health Insurance Portability and Accountability Act, was signed into law by President Bill Clinton in 1996. Initially, HIPAA was meant to reform the healthcare industry in two ways. One was to ensure that employees between jobs would still have healthcare coverage (the P, for portability). The second was to ensure the security and confidentiality of health information (the first A, for accountability). As with any policy, HIPAA has changed over the years and has added many new rules that healthcare organizations must follow to protect and inform patients.
Here are 11 of the most frequently asked questions regarding HIPAA security and compliance.
1. What does our organization need to do to become HIPAA compliant?
Although there is no concrete answer to this, our research indicates that the Office for Civil Rights will look favorably on organizations that make a “good faith” effort to do the following:
- Implement an active, ongoing risk management process
- Perform a recent security risk analysis
- Develop policies and procedures that define how patient information and data are secured
- Have signed business associate agreements in place
- Keep proof that employees are trained annually
- File HIPAA compliance program documentation as evidence of all of the above
It is important to note that according to the HIPAA Journal, “ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR).”
2. What Are Explicit HIPAA Requirements?
HIPAA calls these requirements “safeguards”. There are three safeguard categories: physical, technical, and administrative. Physical safeguards focus on physical access to information at any location, whether on site, in a remote data center, or in the cloud. Technical safeguards focus on the technology used to protect private information and provide access to the data. Administrative safeguards focus on the policies and procedures that tie the Privacy Rule and the Security Rule together. Risk Assessments are suggested so organizations can improve and align these safeguards.
3. Do We Need a Business Associate Agreement?
A Business Associate is a vendor that needs access to electronic protected health information (ePHI), such as technology providers, billing companies, etc. The Privacy Rule lists other activities and services that involve access to protected health information and for which an official agreement is required.
4. Is Annual Employee Training Required?
Training employees ensures that everyone on your team is up to date on HIPAA requirements. Training policies should be included and documented in your organization’s Risk Assessment and treated as an important, ongoing process. Remember, “ignorance of HIPAA regulations is not considered to be a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR).”
5. Can Our Organization Send Emails?
The majority of ePHI breaches result from unencrypted data and the transmission of unsecured ePHI over open networks. Communicating by email is acceptable only if the email is encrypted or the patient signs a release giving permission to be contacted by email. The best policy and practice is to communicate with a patient through encrypted email, which securely records the communication trail.
6. Should We Report Ransomware?
Ransomware is a form of malware used in cyber attacks in which the attacker locks your organization out of its own data and demands a ransom (money) to restore access. First and foremost, your organization should take all precautions so this doesn’t happen: make sure all systems are protected and train your employees to recognize phishing emails. But if a cyber attack does happen, it is possible that an investigation will be necessary.
7. What Is the Difference Between a Security Incident and a Security Breach?
Any time the security officer suspects that ePHI was disclosed to anyone who is not authorized to see the information, that is a security incident. A security incident must be investigated before it can be determined to be a security breach.
8. How Often Should We Perform Risk Assessments?
There is no “one size fits all” policy for performing HIPAA Risk Assessments. They should be done on a regular basis to ensure ongoing compliance. HIPAA regulations allow organizations to perform them as they feel necessary, but to meet HHS standards, all organizations should perform them annually.
9. Should We Perform Vulnerability Scans?
Absolutely. A vulnerability assessment or scan is an examination of an organization’s technology, equipment, and software to check for weaknesses that could be used by unauthorized people (hackers) to damage the network. Identifying vulnerabilities is a requirement of the HIPAA Security Rule, which states: “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.” The time frame is not specified, but it is a conversation to have and a policy to plan with your IT provider as part of your organization’s overall technology security.
10. Should We Encrypt Our Laptop Computers?
As mentioned above, encrypting emails and other private information offers protection from hackers, and it is recommended as a best practice for all organizations, not just HIPAA covered entities. If an encrypted laptop computer is lost or stolen and you have documentation stating that the information on it was encrypted, the loss is not considered a breach.
11. How Should We Train Our Team?
Training is an ongoing process to keep everyone in your organization informed and aware. Short, consistent pieces of training, which we refer to as micro trainings, are helpful. They are short informational videos covering relevant topics that can be incorporated into the regular workday, reinforcing the policy that everyone is responsible for safeguarding information. Micro trainings, combined with deliberately planned, randomly sent simulated phishing emails from the IT department, reinforce the importance of awareness and policy compliance. Ongoing training prepares everyone in the event of a data breach.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.