Understanding your DNA enables you to take proactive measures in defense of your health and well-being. Similarly, an organization must carefully examine its enterprise to ensure that it is protected from the multitude of threats posed by cyber criminals, employee/staff incompetence and/or malicious intent. In this article, we focus on two key challenges for organizations. First, what does HIPAA compliance mean? What must it address? And second, how can an entity address HIPAA compliance and the risk associated with cyber-attacks on a continual basis? We identify options for security frameworks to address this second question.
HIPAA violations and fines are mounting like never before, as evidenced by the following examples:
A $2.75 million settlement with a covered entity (Covered Entities defined under HIPAA are providers of healthcare services to patients, as well as health plans or clearinghouses) was the result of a breach affecting about 10,000 individuals that led to a HIPAA investigation by Office for Civil Rights (OCR). Another $2.7 million settlement with a covered entity was also the result of a multiple reported breaches. The breaches related to EPHI of over 3,000 individuals on a cloud-based server with no Business Associate Agreement (BAA).
Further, a recent $650,000 fine on a business associate (business associate defined under HIPAA as a company that provides services to healthcare organizations and who may come into contact with confidential patient information), was the result of a theft of an unencrypted smartphone that exposed information on 412 patients. This was the first such fine assessed to a business associate. A two-year corrective action plan, or CAP, included with the resolution agreement requires the organization to conduct a comprehensive risk analysis and establish a credible risk management program. To lower the risk to business, organizations impacted by the HIPAA regulation, including both covered entities and business associates, must ensure that compliance is baked into the enterprise DNA.
HIPAA compliance requires a systematic and disciplined approach that starts with an in-depth understanding of the mandates. It requires a life cycle approach that results in the HIPAA gene that is actively managed within the enterprise DNA. The key words here are life cycle approach and active management – these are essential to establish a credible HIPAA compliance program.
HIPAA compliance is not a one-time security risk assessment exercise, nor an occasional review of the organization’s policies; neither is it assigning the role of the Security Officer to an IT or MIS Director who has no time to devote to this responsibility.
What does it mean to comply with HIPAA? HIPAA compliance at a minimum requires addressing the following regulatory mandates:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HITECH Breach Notification Rule
For many covered entities, HIPAA compliance also requires meeting the requirements for HITECH’s Meaningful Use of an Electronic Health Record.
Let us next focus on the risk from cyber attacks. HIPAA compliance is a sub-set of, not a super-set of, your enterprise cyber security program. Subsequently one must determine which security framework an organization should adopt to help establish a credible and vibrant cybersecurity and HIPAA compliance program.
The security framework upon which you base your HIPAA compliance program will have a direct impact on factors such as lowering risk, increasing efficiency, and ensuring continual compliance. The security framework an organization adopts should be scalable and comprehensive to enable addressing multiple federal, state and other mandates.
Options for such frameworks include the ISO 27001 standard (a global standard for information security), the NIST security control framework (NIST has developed standards and guidance documents that are used by federal government agencies and others) and the HITRUST CSF.
Healthcare organizations will find the HITRUST CSF as a credible option for the following reasons:
- Tailored for the healthcare environment
- Based (founded) on ISO 27001
- Comprehensive – addresses several additional mandates which organizations may also need to comply with (perform once, address several mandates)
- Referenced as a resource by OCR for conducting a HIPAA risk analysis
Finally, organizations should implement their selected framework with HIPAA compliance in mind. In other words, the organization’s information protection program should always be “audit-ready”. What this means is ensuring that your organization has:
- Developed and updated policies and procedures
- Conducted a comprehensive risk analysis exercise that is inclusive of a technical vulnerability assessment
- Appropriately manage your business associates and their agreement
- Deploy and actively monitor security controls
- Delivering security training to members of your workforce that reinforces enterprise security priorities regularly
- Establish a foundation for a risk management program (risk management is a required HIPAA Security implementation specification)
- Evaluate the selection of a security framework that addresses HIPAA mandates, as well as additional compliance requirements with which your organization must comply
The implementation of an appropriate information protection program as described here will help you establish the foundation for a mature HIPAA compliance program that truly is an integral part of your organization’s DNA.