HIPAA Compliance Checklist
12 Feb, 2020 15:06
Author: TIM KEARY
Regulatory compliance is a phrase that sends a shiver down the spine of even the most experienced network administrator. Ever since the Health Insurance Portability and Accountability Act or HIPAA was introduced in 1996, enterprises holding protected health information (PHI) or electronically protected health information (ePHI) have been under pressure to keep it safe.
Organizations that fail to keep this data safe face severe financial consequences. Potentially a fine can cost up to $50,000 per day for poor practices with an annual cap of $1.5 million. Unfortunately, complying with the regulations isn’t a matter of filling out a few forms. The use of cloud computing has opened up a range of vulnerabilities that need to be proactively managed.
In this article, we’re going to examine the HIPAA regulations and provide you with a HIPAA compliance checklist to help you stay on the right side of the regulations and protect patient data.
What is HIPAA?
HIPAA was put in place to regulate the handling of medical data. The act created industry-wide standards for data handling, cybersecurity, and electronic billing. One of the most important regulations to emerge from the rules was that medical data must remain confidential.
In other words, any records that you hold on patients must be kept protected from unauthorized individuals. The idea behind this rule is that patient data should be protected from fraudsters and other malicious entities. In the age of cloud computing, the range of entry points makes protecting this data a complex issue.
All of your physical and virtual resources need to be secured against cyber attackers to protect patient data. Being HIPAA compliant is not just a question of implementing certain practices but actively constructing a water-tight network infrastructure as well.
The HIPAA Privacy Rule
The HIPAA Privacy Rule dictates how ePHI can be accessed and handled. The rule states that all healthcare organizations, health plan providers, and Business Associates of covered entities must have procedures in place to protect the privacy of patient data. In other words, every entity from the original provider to the data centers that hold the data and the cloud service providers that process it must protect the data.
Beyond the basic requirement to protect patient data, enterprises also have to support the rights that patients have over that data. HIPAA outlines three rights that every patient has, namely the right to:
- authorize disclosure of their ePHI
- request access to a copy of their health records at any time
- request corrections to their records
To break it down further, the HIPAA Privacy Rule states that consent is required from the patient in order to disclose ePHI data. In the event that a patient requests access to their data, organizations have 30 days to respond. Failing to respond on time can leave an enterprise open to legal liabilities and potential fines. The communication method you choose to reach out to the patient also has to be HIPAA compliant; with this in mind, most practices opt for email.
The HIPAA Security Rule
The HIPAA Security Rule is part of the HIPAA Privacy Rule that outlines how ePHI should be managed. The rule stipulates that enterprises should “implement the necessary safeguards” to protect patient data. The ambiguous nature of what constitutes “necessary safeguards” makes this rule one of the most complex areas to manage.
To help simplify the requirements, HIPAA breaks down the safeguards into three main sections:
- Administrative safeguards
- Technical safeguards
- Physical safeguards
The HIPAA Security Rule defines administrative safeguards as “administrative actions, and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information.” It also states that managing the conduct of the workforce comes as part of that responsibility.
Administrative safeguards mean that enterprises must implement administrative processes that control access to patient data and provide additional training to enable employees to interact with information securely. To manage workforce conduct, an employee should be appointed to manage HIPAA policies and procedures.
The physical safeguards requirement is about securing the facilities where patient data is located and the resources used to access the data. Controlling access to these areas is one of the major take-away messages of this section.
You need to have measures in place to control access to where patient data is processed, protect devices against unauthorized access (using methods such as two-factor authentication), and control/record the movements of devices in or out of the facility.
‘Technical safeguards’ is a term used to refer to the technical policies and procedures that protect patient data. Authentication, audit controls, audit reports, record keeping, access controls, and automatic logoffs are all measures that enterprises can implement to fulfill these criteria. There must also be measures in place to make sure that data is safe, whether it’s being stored in a device or being moved between locations.
You should also complete a risk assessment to identify risk factors and threats to the security of ePHI data. You must then take measures to address these specific threats. The technical safeguards requirement is one of those areas where hiring a qualified HIPAA consultant will pay dividends as they will make sure there aren’t any gaps.
The Breach Notification Rule
The Breach Notification Rule specifies how enterprises should respond to data breaches. The rule states that organizations must notify individuals, the media or the HHS Secretary in the event of a data breach. A breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information”.
After a breach, you have up to 60 days to notify the necessary parties. When writing up the notification you will need to state: what personal identifiers were exposed, the individual who used the ePHI, whether the ePHI was acquired or viewed, and whether the risk of damage has been mitigated.
Reporting is another integral component of the Breach Notification Rule. Smaller breaches affecting fewer than 500 individuals need to be reported through the HHS website annually (if more than 500 individuals are affected, you need to contact the media as well). Monitoring breaches closely on a case-by-case basis to assess the damage and respond accordingly is the key to success.
To help you stay compliant with HIPAA, we’ve compiled a brief list of steps you can take below. Please note that we recommend you enlist the assistance of an experienced HIPAA consultant to keep your data protected. Your consultant will be able to perform a full evaluation of your current security practices and identify areas to improve.
- Complete a Risk Assessment
The first thing you need to do when preparing for HIPAA compliance is to assess the overall readiness of your enterprise. What you need to do to comply with the regulations depends on your current cybersecurity processes. Conducting a risk assessment that assesses how PHI and ePHI data is being managed will show you the gaps in your cybersecurity policy.
For the best results, work with a HIPAA compliance consultant. The consultant will assess your current practices against the requirements of the OCR Audit Protocol, and provide you with a list of recommendations to help achieve compliance. They will also tell you when you’re ready to start the certification process.
Working with an expert is beneficial because you will be able to rely on their experience to find vulnerabilities you may have overlooked. An experienced consultant will have a comprehensive grasp of HIPAA requirements and give you the best chance of achieving your certification.
- Remediate Compliance Risks and Refine Processes
When the results of the initial assessment show that you have risk factors to address, it is time to change your processes. If you work with advisors to help you with the assessment, then they can provide you with specific guidance on the policies and procedures you need to implement.
To start with you will want to address smaller compliance issues before trying to follow through on larger targets. Implementing basic measures like training employees on cybersecurity practices and how to use two-factor authentication on devices can help to start off on the right foot.
From there on you can start to set more complex remediation targets that will tell you which processes you need to prioritize. For example, if you don’t have compliance reporting then you will want to purchase a tool that offers automated compliance reporting. Once again a HIPAA consultant will be able to provide you with other recommendations on what changes you need to implement to comply with the regulations.
- Manage Risks Long Term (With Network Monitoring Tools)
Achieving HIPAA compliance isn’t a one-time effort but a continuing challenge. Your long-term strategy will revolve around continually managing risks to make sure that patient data is kept safe. To manage these risks effectively you will need to deploy a network monitoring tool.
In particular, you want to use a tool that uses vulnerability scans, detects network events, analyzes audit logs, visualizes HIPAA components with a topology map, monitors logons, automates event analysis, and automates compliance reporting.
While you can attempt to monitor HIPAA risks with multiple software products it is much easier to use a unified platform so you can manage everything in one place. Keep in mind that it only takes one vulnerability for an attacker to gain access to confidential data.
Conditions of compliance
Problems arise when businesses outsource part of their data processing or data storage to external companies. Under these circumstances, the company is dependent on those managed service providers (MSPs) also being HIPAA compliant. Compliance, therefore, needs to be a condition in any contract signed for outsourced IT services.
The requirement of a chain of trust between a company under HIPAA obligations and the companies that serve it puts a great responsibility on MSPs. Without the ability to demonstrate HIPAA compliance, MSPs will not be able to bid for work from companies in the health sector. This creates an imperative for MSPs to become HIPAA compliant.
As discussed above, the easiest way to comply with HIPAA regulations is to buy in a platform of software products that already conform to HIPAA specifications.
MSPs need remote access utilities and system administration tools. They also require Help Desk platforms for both user access and technician support. The technician utilities in an MSP platform are collectively called a remote monitoring and management (RMM) system. The RMM tools have access to the entire client system and are responsible for backing up and archiving data and so they must be designed with HIPAA standards in mind.
The tools needed by the MSP to run its business include team management, client management, and contract management. This category of utilities also requires a password vault to keep the access account details for each client, and to keep them separate and secure. The MSP business management tools are known as “professional services automation” (PSA). As the PSA system includes access rights and sensitive information about client companies, this also needs to be compliant with HIPAA requirements.
Atera is an example of a fully HIPAA compliant MSP support platform that includes both RMM and PSA systems. The service has been certified as HIPAA compliant since December 1st 2016. The company can even supply a signed business associate agreement (BAA) to its subscribers, which is a requirement of HIPAA.
Consult an Experienced HIPAA Consultant
The challenges that come with complying with HIPAA are steep. A small oversight can potentially result in thousands of dollars in fines. Reading up on the rules of the regulations and consulting the help of an experienced HIPAA consultant will help you to implement the best protection for your enterprise and your patients.
Remember that some HIPAA requirements are relatively ambiguous, so if you choose to go it alone you run the risk of misinterpreting what protections you need in place to safeguard patient data. It is worth investing in a HIPAA consultant if that closes the door to financial liabilities.