How to Comply with HIPAA Regulations – 10 Steps
There is a tremendous amount of data in the world of healthcare. That data includes personal healthcare information (PHI), which is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's initial purpose was to allow patients to carry health insurance from one employer to another; however, it soon morphed into a way to streamline and protect medical records.
HIPAA is meant to safeguard PHI as it relates to the privacy. This means any PHI that must be treated differently than other forms of data. Most PHI information is now digital, as more healthcare providers use electronic medical records (EMR), and how healthcare uses the data and how it's transferred are vital parts of HIPAA compliance. It also mandates that any breaches of such data be reported. HIPAA compliance of digital data means that anyone who touches the data must not expose it, and that it should have technical, physical and administrative safeguards.
Implementing HIPAA Controls
From secure messaging apps used by clinicians to the storage of EMR data, healthcare organizations have many platforms and channels through which PHI flows. Because of this flow, there are multiple steps required to meet compliance regulations. HIPAA isn't something that anyone can ignore, either, because findings of non-compliance often result in steep fines. Let's look at how you can comply with HIPAA in 10 steps.
10 Steps to HIPAA Compliance
Step One: Privacy Policy
Before jumping into the technical aspects of HIPAA compliance, an organization must have a privacy policy. This policy has to be established and implemented, and this implementation includes all privacy and security policies. Policies must also be documented and note what steps should be taken in the case of breach event.
Step Two: Privacy Officers
Someone must be accountable for the adoption of security policies. This may include a privacy and security officer, although it can be the same person. Having a responsible party in the HIPAA compliance is important for internal controls; whoever is in this role must have extensive knowledge of HIPAA.
Step Three: Risk Assessments
Many healthcare organizations don't understand their risks or degrees of exposure. That's why it's necessary to have regular risk assessments. This helps identify weaknesses before any would-be cybercriminal does. After assessments, the findings should be used to make adjustments in policy or practice to mitigate risk.
Step Four: Email and Smartphone Texting Policies
Healthcare communication, whether internal or to the patient, must be secure if PHI is included. HIPAA does not prohibit the use of email or texting; the platforms just have to be secure. For email, that means using a secure server with encryption. HIPAA doesn't mandate these security practices, but most in the healthcare community understand this can be a vulnerability.
For secure texting, this must be done on a specially-designed, HIPAA-compliant application. Standard SMS won't do. The secure texting app should include encryption and ensure that messages or imagery isn't stored on the clinician's personal device — all the information flows through the app.
Communication is key in healthcare. As communiques often contain PHI, any communication tool must meet HIPAA guidelines. These guidelines deal with how PHI is handled and shared. There are several possibilities for breaches in the use of email and secure texting, so each organization should refer to that robust plan should a breach occur. Healthcare organizations do not have to ban mobile devices while on the job. HIPAA compliance can work well with a Bring Your Own Device (BYOD) program as long as the apps or email systems have the necessary safeguards.
Step Five: Educate All Employees
HIPAA training for all those that touch PHI is necessary, as it proves that compliance with the regulations is in place and that all parties understand their obligations. HIPAA training should not be a one-and-done type of thing, because the regulations are still evolving in the world of mobile devices and social media.
Employees need to fully understand their responsibilities and the consequences of errors or breaches. Beyond the initial training, organizations should offer refresher classes, especially if the regulations have changed.
Step Six: Privacy Policy Notices
The Notice of Privacy Policies is an important document that must be provided to all patients. It should be provided in written form to patients but also be accessible online. Organizations must also obtain a signed notice from each patient.
The Privacy Policy form is how patients receive information on how their PHI may be used. They can also decide if any other person or entity should have access to this information. And if any changes occur to the Privacy Policy, this must be communicated to patients.
Step Seven: Agreements with Other Businesses
Each healthcare organization needs to have agreements with partners and vendors regarding PHI security and compliance with HIPAA. Anyone that might touch the PHI at a hospital or doctor's office must agree to abide by HIPAA regulations.
Step Eight: Breach Protocols in Place
This step is one that healthcare organizations hope that don't have to face. But it's more like when not if. In fact, in the first quarter of 2018, 1.12 million records have been exposed in 110 healthcare data breaches.
This means you absolutely must have a breach protocol ready. This protocol may include:
- When to report
- Investigation of breach and findings
- Who needs to know
- Finding the root cause and mitigating it
Step Nine: Privacy Policy Implementation
Privacy policies not only have to be documented and shared, they also need to be implemented. This means that all parties need to be on the same page. It's also about consequences: if someone violates these, then they should be sanctioned.
Step 10: Technical Safeguards for Implementation
These safeguards must be in place to protect PHI while also granting access to the data. Per NIST standards, records must be encrypted once they travel outside of the organization's firewall servers. With this in place, a breach of PHI causes the data to be unreadable, indecipherable and unusable. The following are other implementation actions:
- Access Control: Assign each individual their own username and password. Establish procedures to dictate the disclosure of PHI
- Authenticate PHI: This action determines if PHI data has been altered or destroyed, or if unauthorized use has occurred
- Encryption and Decryption Tools: Any authorized users, when sending PHI information outside the firewall, must have it encrypted
- Audit Controls: This measures any attempted access to PHI and what actions were taken on the records.
- Auto Log-Off Devices: This would log off any authorized user's device should it be stolen or lost.
Conclusion
Now that you know the framework of HIPAA compliance relating to technical requirements, your organization should be better-prepared for handling PHI. And, of course, prepared for the worst: in the case of a breach, there are notifications that have to take place. Find out what to do if this happens
here.
Sources
1.13M Records Exposed by 110 Healthcare Data Breaches in Q1 2018, HealthITSecurity
Implementing HIPAA Controls
Standards and Guidelines Tested Under the CAVP, NIST
Implementing Controls for HIPAA
Learn how to maintain the confidentiality, integrity and availability of PHI and ePHI. What you'll learn:- HIPAA models and protocols
- Best practices for controls
- Privacy rule standards
- HIPAA compliance plans
- And more
In this Series
- How to Comply with HIPAA Regulations – 10 Steps
- Genetic testing "hottest" new form of health insurance fraud, FBI warns
- Healthcare data security issues: Best security practices for virtual healthcare sessions
- Analysis of ransomware used in recent cyberattacks on health care institutions
- Top cyber security risks in healthcare [updated 2020]
- How to satisfy HIPAA awareness and training requirements
- What Is Protected Health Information (PHI)?
- The Most Vulnerable and Hackable Medical Devices
- 5 Security Awareness Tips for HIPAA Compliance
- How WannaCry Ransomware Crippled Healthcare
- Breach Notification Requirements for Healthcare Providers
- Top 10 Threats to Healthcare Security
- Top 10 Ways Your Healthcare Organization May be Violating HIPAA and Not Know It
- NDG Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit
- NDG Pt. 2: Government Views On Opting Out - Health Data and Security in The UK
- NDG Pt. 1: Data security standards and opt-out models in health and social care
- Patient Privacy in Healthcare: A Security Practitioner's Approach
- How Healthy is Security Across Healthcare?
- HIPAA Security Rule
- Regulatory Compliance for HIPAA Security Officers
- HIPAA and IT Security
- A Detailed Look Into the World of Clinical Decision Support Systems
- Top Clinical Application Systems
- Who is Hacking Healthcare?
- Types of hospital information systems
- HIS/HMIS
- The Healthcare IT Stack
- Medical Device Regulation
- Security Risk Assessment in Health Care
- Risk Management in Healthcare
- Security Technologies in Healthcare
- Medical Data Protection
- Healthcare Attack Statistics and Case Studies
- Security Leaders in Healthcare
- The Internet of Things in Healthcare
- Top 5 Emerging Security Technologies in Healthcare
- Emerging Technologies in Healthcare
- 10 Best Practices for Healthcare Security
- IS Best Practices for Healthcare
- Hospital Security
- Security Awareness for Healthcare Facilities
- Hospital security policies & procedures
- What Does Security Awareness Mean for Doctors, Nurses and Hospital Staff?
- Security Awareness for Healthcare Professionals
- Hackable Medical Devices
- Other Healthcare IT Regulations
- HITECH Act and IT Security
- HIPAA Security Checklist
- Healthcare HITECH Act
- HIPAA Overview and Resources
- Overview of Regulations and Compliance
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Healthcare information security
Genetic testing "hottest" new form of health insurance fraud, FBI warns
Healthcare information security
Healthcare data security issues: Best security practices for virtual healthcare sessions
Healthcare information security
Analysis of ransomware used in recent cyberattacks on health care institutions
Healthcare information security