The HIPAA outlines the standard security practices that organizations handling protected health information (PHI) need to adhere to. Whether your business is compliant with the HIPAA or not can have a huge impact on how you handle your business. If you are non-compliant, you risk being involved in data breaches, which results in a domino effect. A single breach can lead to the loss of valuable customer data, expensive lawsuits, PR nightmares, and even the loss of your business.
Even without a data breach affecting your business, you still need to be compliant to be competitive in the health industry. Security-conscious businesses in the industry will only agree to do business with you as long as you are compliant. Lastly, compliance will help you evade fines from regulatory bodies as well as appearing on the wall of shame, which is a site that lists health-related organizations that have undergone data breaches. Lucky for you, as long as you commit to understanding HIPAA compliance, it will typically be quite easy for you to know what to do.
Here are some insights on managing HIPAA compliance for your business:
What To Expect?
If you are supposed to be HIPAA compliant, you will either be a covered entity or business associate. Covered entities are organizations that have direct access to the customer and their PHI (doctors, insurance companies, and pharmacies). Business associates, on the other hand, work with the covered entities in a non-healthcare capacity, and they have access to PHI. These can be lawyers, IT personnel, accountants, and administrators. Regardless of where you fall, you need to adhere to four HIPAA rules:
1. The Privacy Rule
This rule looks to protect the privacy of PHI. It outlines how and when actors in the health industry can and cannot use health data. The data it protects includes past, present, and future health information of protected individuals, payment data, the details of the care any individual was provided with, contact information, identifying numbers (ID and social security numbers), and even fingerprints.
2. The Omnibus Rule
The Omnibus rule outlines how business associates should carry themselves out and how they interact with the covered entity. Recent updates to this rule expanded the omnibus rule to storage companies, sub-contractors, and even consultants. It prohibits actors from using PHI for the wrong reasons such as marketing or using genetic information to underwrite insurance policies.
3. The Security Rule
The security rule is meant to control how businesses handle electronic Protected Health Information (ePHI). It requires businesses to have the right safeguards for protecting the confidentiality security and integrity of ePHI. These safeguards are divided into three, including:
Any healthcare facility that wants to keep its customers happy must have patient portals. It is easy to create these portals, but keeping the data safe from hackers can be tough. In the US, at least half of the healthcare consumers are using patient portals. About 80 percent of these patients have expressed their satisfaction with the level of ownership they have with their health data and the convenience of its accessibility.
Because of the security issues involved, the Affordable Care Act and meaningful use regulations have worked towards incentivizing the healthcare industry to make health records digital and more accessible to the patients. The portal allows patients to manage their personal details including medication lists and lab test results as well as financial information. This is enough data to set a patient up to hackers. Because the use of patient portal will keep rising, the risk will only get bigger, which means a better approach towards protecting this information needs to be realized.
How to Stay Compliant
The 1996 Health Insurance Portability and Accountability Act (HIPAA) highlighted the protection of the rights of patients. It compels health providers to keep customer data confidential. HIPAA also introduces a measure of safety and imposes precise compliance standards. Breaches carry hefty penalties. Here are a few tactics to help you keep customer data safe:
1. Foster Security Mindset in Your Organization
Protected health information (PHI) according to HIPAA means more than just electronic records. Whether you are speaking on the phone or working on a physical file, the principles apply. Regulatory compliance in healthcare organizations means that every health facility must store customer data securely. The most ideal tool is remote access software. This software does not restrict a user to approved databases and desktop logins.
2. Focus on the People and Not Just the Data
EHRs- electronic health records can only be kept private when only the people permitted to see them are allowed to access. That means giving access to involved parties such as the lab, doctor, and the insurance provider. Breaches and lapses occur when too many people are involved. This is why categorizing them by persona is essential. If, for instance, the patient is at a critical condition, different labs may be involved. It is, therefore, crucial to customize the profile for each user.
3. Give Patients Full Access to Their Records
Patients want to be sure their personal data is stored safely and securely. This is why healthcare providers need to allow patients to view their medical records. Some patients download and send the details to a third party, which is inherently insecure. Instead of giving the data to patients in different copies, it is crucial that the EHR be stored in one database. Because the idea is to have the data accessed remotely, a single EHR version can be shared by different devices.
Healthcare providers are among the long list of service providers that have embraced the mobile technology revolution. Some healthcare providers are supplying mobile healthcare devices to their staff, and others have introduced the Bring Your Own Device (BYOD) program that allows their staff to bring their devices and use them at work. Whichever the case, mobile technology enables staff to work remotely, which presents several benefits to healthcare providers.
Risks Associated
with Use of Mobile Devices for PHI
While there’s no
denying that mobile technology has revolutionized how people work, healthcare
providers cannot turn a blind eye on the risks that come with the use of mobile
devices. Owing to their small size and portability, mobile devices are at a
greater risk of being stolen or lost compared to their immobile/fixed
counterparts.
In the unfortunate
event that a mobile device containing unsecured electronic protected health
information (ePHI) is lost or stolen, there’s an increased risk of a data
breach that can trigger HIPAA breach notification obligations for a
HIPPA-covered entity and/or their business associates.
HIPAA Standards for
Securing ePHI Data Secure on Mobile Devices
The HIPAA in 1996 mandated
the Secretary of the U.S. Department of Health and Human Services to come up
with regulations that would protect the security and privacy of certain health
information in the year 1996. In compliance with this requirement, HHS
published the HIPAA Security Rule and the HIPAA Privacy Rule.
The HIPAA Privacy
Rule establishes national standards for the protection of individually
identifiable health information that can be linked to a particular person. The
HIPAA Security Rule, on the other hand, establishes national standards for
protecting ePHI, particularly how it’s transmitted, maintained, or stored.
For your healthcare
facility to be HIPAA-compliant, you must fulfill specific requirements. For the most part, you must ensure that
physical, administration, and technical safeguards are put in place and adhered
to, as follows:
Technical
Safeguards
Require User Authentication
User authentication
is the process of verifying the identity of a user before accessing a mobile
device and the information stored in it. One of the ways to secure ePHI is to
ensure that mobile devices are configured to require user passwords, passcodes,
or personal identification number (PIN) to gain access. Doing so can help to
prevent unauthorized users from gaining access to devices, which can help to
restrict access to ePHI.
Enable Encryption
It’s vital that you
buy and install an encryption tool for mobile devices that are used to access
ePHI. In the event that any of the devices is stolen or lost, encryption makes
it impossible to read the information stored on the device. With some devices,
it is recommended to enable encryption on device backups as well.
Update Your Security
Software Regularly
Hackers usually
take advantage of vulnerabilities in common applications such as browsers and
operating systems. To keep your network safe, it’s vital that you keep your
security software and operating systems up to date. By doing so, you’ll also
prevent unauthorized access to ePHI on or through your mobile devices.
You must implement facility access controls to limit access to facilities where ePHI is stored.
You must implement policies that restrict the use of workstations.
You must implement policies and procedures o manage how ePHI is removed from mobile devices after a user leaves the organization.
You must maintain an inventory of all hardware before its relocated, and a retrievable precise copy of ePHI must be made before the move.
Administrative Safeguards
You must conduct risk assessments to establish ways in which breaches of ePHI can occur.
You must introduce a risk management policy to ensure employees comply with HIPAA regulations.
You must train employees to raise awareness of the policies and procedures governing ePHI.
You must develop a contingency plan that can be rolled out in case of an emergency.
You must restrict 3rd-party access to ePHI.
You must report any security incidents once they occur.
Besides adhering to
the above HIPAA requirements for compliance, there are various other best
practices for keeping ePHI data secure on mobile devices. They include:
Install and activate remote disabling and/or remote wiping to ensure that all ePHI is removed from the device in case it is stolen or lost.
Avoid using file-sharing applications and make use of MDM software that helps to containerize ePHI and prevents data copy.
Research mobile applications thoroughly before downloading.
Avoid using public Wi-Fi network when sending and receiving ePHI and only use a Virtual Private Network instead.
The implementation
of mobile devices will undoubtedly add a lot of value to your organization on
the condition that the proper balance between usability and security is
achieved. Taking the right measures to keep ePHI data secure shouldn’t be a
matter of meeting compliance only. It should also be a matter of safeguarding
the integrity of your patients and your organization at large.
For decades now, hackers have been cashing in on financial data. The routine has been constant. A hacker finds their way into a site, steals financial information belonging to the site’s visitors then uses their personal information to create fake credit cards. These are then used to steal money from unsuspecting individuals. However, this trend hit a snag once financial institutions found ways of stopping such activities. This was frustrating to these intruders considering that most times, their efforts were rendered futile after the cards they made are blocked.
These people then discovered a new cash cow that allows them to reap money from insurance companies. Typically, hackers get as little as $1 for one credit card, which is a meager payment for such a dangerous job. However, healthcare information pays well in that they create counterfeit health insurance cards, then make cash claims in fabricated hospitals. Considering that the demand for this data is high, healthcare data attacks have been on the rise, targeting several hospitals, and they have managed to affect over 11 million people.
How do you keep your data safe from these online breaches?
With such high stakes, each hospital needs to come up with security measures that ensure their data is always safe. Look at some of the possible ways you can secure your information.
Asses the risks
You cannot solve a problem if you are not aware that it even exists in the first place. Check for loopholes that leave your hospital vulnerable to these attacks. For instance, a hospital with few employees leaves specific sectors such as the IT section unmanned, which makes them susceptible to being attacked. You must approach this by looking at the most sensitive areas of a company and find out the consequences that you may face if your data is stolen.
Appraise all agreement with business partners, vendors and client every year
Know the type of information that the people and entities you interact with access. Learn what your contract entails and review the speculations regularly. Long before new laws were formed, third-party companies never had any agreements with any of their partners. Whenever they got a hold of information, it was up to them to know what they wanted to do with such intel. In this era, such loopholes can lead to massive scandals, which is why you need to evaluate every past action and put stringent measures to ensure anyone who encounters sensitive information knows the implications of going against the agreement. Do not give a lot of authority to vendors and ensure that they sign privacy policies that bar them from sharing or using private data.
If your organization handles protected health information (PHI) or electronic Protected Health Information (ePHI), you should be well aware of the Healthcare Insurance Portability and Accountability Act known commonly as HIPAA. The HIPAA compliance is regulated by the federal government and failure to comply with it can attract penalties. Additionally, non-compliance may have severe consequences!
What are the penalties for HIPAA non-compliance?
Congress enacted HIPAA in 1996 with the primary intention of safeguarding sensitive information as people switched jobs. Additionally, the United States’ Department of Health and Human Services (HSS) established HIPAA Privacy Rule in 2003.
The privacy rule defines PHI as any information handled by a covered entity that concerns the health, treatment, or payment information associated with an individual. As technology related crimes increased, HIPAA focused on ePHI where they created three safeguards in 2005. They include:
Administrative safeguards concentrate on all the policies and procedures that demonstrate protection of ePHI by a given entity
Physical safeguards which revolve around controls instituted to limit access to ePHI storage devices
Technical safeguards which focused on safeguarding all the communication channels used to transmit ePHI over open networks
Definition of covered entities and business associates
According to HIPAA, covered entities are all the bodies that are involved in the handling of a patient’s data. They include healthcare providers such as clinicians, doctors, nurses, pharmacists, dentists, and chiropractors as well as all healthcare plans providers such as the HMOs, health assurance entities, and government programs.
HIPAA also considers all healthcare clearinghouses as covered entities that should comply with its regulations. These bodies process nonstandard health-data that they obtain from the covered entities to transform it into standard data.
Business associates are all the institutions that can access the PHI or ePHI since they are contracted by the covered entities to execute specific activities on their behalf. HIPAA demands that your organization have a written contract that elaborates the responsibility of the business associates in upholding the integrity and confidentiality of the PHI that they handle.
Governing of HIPAA
The privacy and security regulations by HIPAA are enforced by the Office for Civil Rights (OCR) which serves under the Department of Health and Human Services (HSS). OCR provides a platform where you can air your complaints against covered entities as well as their business associates. If you feel that there is a data breach, you should visit the OCR website and submit your claims there for evaluation. Alternatively, you can use their portal, mail, fax, or email services.
The Health Insurance Portability and Accountability Act (HIPAA) applies to all companies in the United States. Healthcare providers, covered entities and their business associates should understand HIPAA and take compliance steps to avoid monetary fines and even prison time. HIPAA violations in the workplace can occur in any organization but especially those that provide healthcare benefits to their employees or require health information to process disability benefits or workplace compensation.
Understanding HIPAA violations in the workplace
HIPAA was enacted in 1996 and aimed to protect the health information of individuals as they moved from one job to another. Since then, the Act has been refined to include more coverage and protections.
In 2003, the Privacy Rule, which defines Protected Health Information (PHI), was passed by the US Department of Health and Human Services. In 2005, HIPAA was updated with the Security Rule, which focuses on electronically stored PHI (ePHI). Today, employers must adhere to HIPAA and related regulations, including the Security Rule and the Privacy Rule, as required by industry regulators and the federal government.
What information qualifies as PHI or ePHI
The Privacy Rule defines PHI as any health information that concerns the payment of healthcare, provision of healthcare or health status of an individual, which is held by a covered entity.
In the workplace, any employee health plans or medical records that are collected by the employer for the purposes of administering healthcare plans are PHI or ePHI information. Health information that is gathered but not intended for use in administering healthcare plans is not considered PHI or ePHI.
When an employee provides health information to document workers’ compensation or sick leave, the information is not considered PHI or ePHI. On the other hand, if you contact an employee’s healthcare provider, the information that the provider will give you falls under the Privacy Rule. Employment records do not fall under PHI or ePHI even they may include health-related information.
What HR should know about HIPAA
If your organization offers employees a covered health plan, it’s critical to determine whether you need to be HIPAA compliant.
Agile companies do things faster and efficiently. In agile development, lean startup models apply agile methods to build high-quality systems that meet any industry, regulatory and other relevant standards such as HIPAA and remain “audit ready.”
Agile companies focus on quick wins, external focus, ruthless prioritization, and continuous development. Agile development relies heavily on constant testing to ensure improvement.
Agile compliance management
Lean development refers to a set of principles that are designed to eliminate waste, build-in quality, create knowledge, deliver fast results, defer commitment, respect people and optimize the whole process. At their core, both agile and lean development focus on efficiency, sustainability, speed, quality and communication.
Companies can deliver software faster when they eliminate inefficient processes. Agile development follows the following 12 principles:
Customer satisfaction
Harnessing change to gain competitive advantage
Delivering working software frequently
Bringing together business and development departments
Supporting talent
Conveying information efficiently
Measuring progress by working software
Promoting sustainable development
Focusing on technical excellence
Maximizing the amount of undone work
Using self-organizing teams to build the best designs, architectures, and requirements
Reflecting and adjusting
How Agile development applies to cybersecurity
Agile development methods align well to cybersecurity because they focus on harnessing change, readjustment and reflection. You see, malicious actors (think black hat hackers) have excelled in agile development. They continuously re-adjust their attacks to maintain superiority and remain one step ahead of defensive mechanisms employed by organizations by improving the quality of their software. To combat these threats, you need to come up with a similar agile security-first approach to protect your information and systems.
What is Agile compliance?
Agile compliance also focuses on the 12 principles of agile development; however, it focuses on threat mitigation and not product development. Furthermore, agile compliance prioritizes customer data security as well as stakeholder satisfaction as the primary product as opposed to customer satisfaction, which is the main focus of agile development.
When it comes to cybersecurity governance, risk and compliance (GRC), data integrity and availability leads to customer satisfaction and confidence. With compliance’s security-first approach, you create an iterative process that includes mitigation, monitoring, and review, which is aligned with your controls and protects your data.
In cybersecurity, an agile compliance program is a security-first strategy that is put in place to protect data. This strategy focuses on your data controls’ quality and ensures that even when industry regulations and standards lag behind threat vectors, your company maintains a secure data environment. Here are the 12 principles:
By Ken Lynch, founder, Reciprocity.