5 Security Awareness Tips for HIPAA Compliance
Introduction
The Healthcare field generates a lot of information that is very private. To address this issue, Congress passed what was originally known as the Kennedy-Kassebaum bill but was later changed to Health Insurance Portability and Accountability Act, or HIPAA. HIPAA was intended to help people carry their health insurance from one company to another, as well as to streamline the movement of medical records from one health care institution to another.
At the micro level, HIPAA covers "'individually identifiable health information' held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information". Protected health information, or PHI, and electronic PHI, or ePHI is the heart of what HIPAA is intended to protect. An example of PHI would be fax containing, and an example of ePHI would be an electronic record on a computer that contains PHI. It should be noted that with the prevalence of computers in the healthcare field, ePHI is the most common form.
Implementing HIPAA Controls
With this said, a covered entity or its business associate must protect against the misuse of both forms of PHI. This article details 5 security awareness tips that will help covered entities better protect PHI and maintain compliance with HIPAA.
What is a Covered Entity?
According to HIPAA, a "covered entity" is defined as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Basically, these transactions concern billing and payment for healthcare services or insurance coverage. These covered entities include hospitals, academic medical centers, physicians, and other healthcare providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. General examples of covered entities include institutions, organizations, or persons who work with PHI or ePHI.
Security Awareness Tips
-
Security Awareness and Training
Security Awareness and training is essential in maintaining HIPAA compliance. Security awareness and training is a required administrative safeguard that a covered entity must employ to meet HIPAA compliance. The subsection of the HIPAA law dealing with security awareness and training is §164.308(a)(5) and states that at a minimum, a covered entity must cover security reminders, malware protection, log-in monitoring, and password management. Security awareness and training should be conducted on a regular basis, annually or more frequently if possible.
Although HIPAA has stated a minimum regarding security awareness and training, it is just a minimum. Covered entities can beef up their security awareness and training by requiring employees to keep a record of possible security violations and how they handled them. The records should be discussed at their annual security awareness and training session.
-
Encryption
Encryption is standard in Information Security generally, and it would be smart for a covered entity to implement encryption in their environment. However, what does HIPAA say about encryption? While it is not explicitly mandatory for a covered entity to deploy encryption in their environment, what HIPAA does say is there are only two ways to safeguard against the misuse of PHI: Encrypt it or burn it. Since burning is not the most secure method of data management, to say the least, encryption is definitely the way to go for covered entities. This can be accomplished by encrypting all computers that handle ePHI which normally means all employee workstations and servers that store or process PHI.
-
Securing Copy/Fax Devices/Scanners with a PIN
Printers, fax devices, and scanners can provide an on-ramp/off-ramp between digital healthcare systems and physical documents. However, these devices produce documents that normally contain PHI and could open a floodgate of HIPAA violations for the covered entity if a third party were to view them. Covered entities can solve this problem by configuring their printers, fax devices, and scanners to require a PIN be entered by the employee who is using the device to retrieve their documents. This easy solution could prevent an unintended violation of HIPAA if a member of the nightly cleaning crew were to view a fax in the fax machine containing PHI.
-
Physical Safeguards
Physical safeguards are essential for a covered entity to meet HIPAA compliance. Some tips for physical safeguard would include:
- Ensure that covered entity employees lock their computers when they leave their desk, go to break/lunch, and go home. Covered entity employees often deal with a high volume of ePHI, and if a computer with ePHI is unattended and unlocked, anybody can see it whether intended or not.
- The covered entity should use door locks with either PIN codes or key cards. This will keep out individuals with no lawful right to view PHI/ePHI and will secure physical documents and computers.
-
Clean Desk Policy is a great method to enforce PHI/ePHI security. Often employees at a covered entity will have documents and notes on their desk containing PHI. By simply requiring that employees keep their desks cleaned and locked when they are not at their desk effectively solves this issue.
-
Keep a Tight Password Policy
Keeping a tight password policy will go a long way in helping to protect PHI/ePHI. Passwords are frequently used to perform most common tasks in a HIPAA regulated office, including logging into computers and accessing emails. By requiring passwords to be at least 8 characters (including capital and lowercase letters, numbers, and symbols) long, it will be nearly impossible for hackers and HIPAA violators to break in. These passwords should be changed at the most every 90 days. Covered entities should instruct their employees to not use their names, birthdays, or any other identifying information in their passwords.
References
https://www.recordnations.com/articles/history-hipaa/
https://healthitsecurity.com/news/maintaining-hipaa-compliance-across-digital-paper-records
https://www.sookasa.com/resources/HIPAA-encryption/
Implementing HIPAA Controls
https://privacyruleandresearch.nih.gov/pr_06.asp
Implementing Controls for HIPAA
Learn how to maintain the confidentiality, integrity and availability of PHI and ePHI. What you'll learn:- HIPAA models and protocols
- Best practices for controls
- Privacy rule standards
- HIPAA compliance plans
- And more
In this Series
- 5 Security Awareness Tips for HIPAA Compliance
- Genetic testing "hottest" new form of health insurance fraud, FBI warns
- Healthcare data security issues: Best security practices for virtual healthcare sessions
- Analysis of ransomware used in recent cyberattacks on health care institutions
- Top cyber security risks in healthcare [updated 2020]
- How to satisfy HIPAA awareness and training requirements
- What Is Protected Health Information (PHI)?
- The Most Vulnerable and Hackable Medical Devices
- How to Comply with HIPAA Regulations – 10 Steps
- How WannaCry Ransomware Crippled Healthcare
- Breach Notification Requirements for Healthcare Providers
- Top 10 Threats to Healthcare Security
- Top 10 Ways Your Healthcare Organization May be Violating HIPAA and Not Know It
- NDG Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit
- NDG Pt. 2: Government Views On Opting Out - Health Data and Security in The UK
- NDG Pt. 1: Data security standards and opt-out models in health and social care
- Patient Privacy in Healthcare: A Security Practitioner's Approach
- How Healthy is Security Across Healthcare?
- HIPAA Security Rule
- Regulatory Compliance for HIPAA Security Officers
- HIPAA and IT Security
- A Detailed Look Into the World of Clinical Decision Support Systems
- Top Clinical Application Systems
- Who is Hacking Healthcare?
- Types of hospital information systems
- HIS/HMIS
- The Healthcare IT Stack
- Medical Device Regulation
- Security Risk Assessment in Health Care
- Risk Management in Healthcare
- Security Technologies in Healthcare
- Medical Data Protection
- Healthcare Attack Statistics and Case Studies
- Security Leaders in Healthcare
- The Internet of Things in Healthcare
- Top 5 Emerging Security Technologies in Healthcare
- Emerging Technologies in Healthcare
- 10 Best Practices for Healthcare Security
- IS Best Practices for Healthcare
- Hospital Security
- Security Awareness for Healthcare Facilities
- Hospital security policies & procedures
- What Does Security Awareness Mean for Doctors, Nurses and Hospital Staff?
- Security Awareness for Healthcare Professionals
- Hackable Medical Devices
- Other Healthcare IT Regulations
- HITECH Act and IT Security
- HIPAA Security Checklist
- Healthcare HITECH Act
- HIPAA Overview and Resources
- Overview of Regulations and Compliance
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Healthcare information security
Genetic testing "hottest" new form of health insurance fraud, FBI warns
Healthcare information security
Healthcare data security issues: Best security practices for virtual healthcare sessions
Healthcare information security
Analysis of ransomware used in recent cyberattacks on health care institutions
Healthcare information security