The year 2020 saw significant data breach incidents and cyber attacks, especially against healthcare systems. Healthcare organizations are one of the main targets for many cyber-criminals as it is the most sensitive sector exposed to privacy risk.
A prominent example includes the Blackbaud Ransomware attack case, where over 10 million patients had their data leaked. Cybercriminals can encrypt or corrupt electronic health records and demand a ransom in return for the encryption key.
The United States Federal government enacted the Health Insurance Portability and Accountability Act,1996 (HIPAA), aiming to increase efficiency and effectiveness of the national health care delivery system by standardizing the exchange of electronic, administrative, and financial data. It also protects the security and privacy of protected health information (PHI).
As the times changed, HIPAA broadened its focus area to cover matters related to privacy and security.
How does HIPAA Relate to Cybersecurity and Data Protection?
To strengthen the HIPAA and make it more secure, the US Congress also incorporated privacy protection provisions into HIPAA that mandated the adoption of Federal privacy protections for individually identifiable health information.
HIPAA restricts uses and disclosures to health care operations, the provision of treatment, or payment for healthcare unless the patient agreed to provide information to a third party, and HIPAA gave authorization.
Hence, HIPAA compliance is an essential step for healthcare organizations to protect themselves from cyberattacks.
Steps to Meet HIPAA Requirements
The Health and Human Services (HHS) department included a series of HIPAA rules to protect patient privacy and data. To be HIPAA compliant, a covered entity must follow the rules stated above. A summary of the compliance requirements is as follows:
1. Security rules (Technical Safeguards)
- Access control – to ensure unique user identification, encryption and decryption, etc.
- Audit controls – to examine hardware, software, and procedural mechanisms for recording and examining activities.
- Integrity controls – to provide mechanisms designed to authenticate electronic personal health information.
- Transmission security – to regulate integrity controls and safeguards against unauthorized access of health records during transmission.
2. Security rules (Administrative safeguards)
- Security management process.
- Workforce security – authorization and/or supervision, workforce clearance procedures, and termination procedures.
- Information access management.
- Security awareness and training – security reminders, protection from malicious software, login monitoring, and password management.
- Contingency plans – data backup, disaster recovery, and emergency mode operation plans.
3. Security rules (Physical Safeguards)
- Facility access controls
- Workstation use and security
- Device and media controls
4. Privacy rules
A covered entity must provide training to employees to ensure they are aware of the information sharing protocol. They must ensure appropriate steps are taken to maintain the integrity of patient information and the individual personal identifiers of patients.They must ensure that a written permission is obtained from patients before their health information is used for purposes such as marketing, fundraising, or research.
5. Breach Notification Rules
A covered entity must know the breach notification process given in HIPAA and must make sure that breach notiﬁcation message contains the following elements: A description of the patient records and personal identiﬁers involved in the breach; Who gained unauthorized access to patient records or related information; Whether details were simply seen or taken; The degree to which risk mitigation has succeeded.
6. Omnibus rules
A covered entity must amend Business Associate Agreements and privacy policies. They must ensure that the staff is aware of all Omnibus Rule adjustments by conducting thorough training. Notice on Privacy Practice must be updated to cover the types of information that require an authorization, the right to opt-out of correspondence for fundraising purposes and must factor in the new breach notiﬁcation requirements.
Who in my Company is Responsible for Ensuring HIPAA Compliance?
HIPAA makes it mandatory for a covered entity to appoint an employee as HIPAA Compliance Officer. This may be an existing employee, or companies can opt to create a new position to meet this requirement. It is even possible to outsource the duties of a HIPAA compliance officer on a temporary or permanent basis.
The duties of a HIPAA compliance officer will vary depending on the size of the covered entity and the volume of the protected health information. A HIPAA Compliance Officer must follow the HIPAA Privacy and Security Rules and the solutions available that will allow him or her to develop a HIPAA compliance program.
Once a HIPAA compliance program has been developed, the Compliance Officer should document progress towards its implementation. To achieve this, a system should be created that enables the Officer to monitor the organization’s HIPAA compliance status. The system should allow the HIPAA Compliance Officer to prioritize efforts towards compliance and communicate priorities. The Officer is also responsible for developing training programs and executing training courses to help employees understand HIPAA compliance and how any changes will affect their specific duties. He is also in charge of monitoring HHS and the state’s regulatory requirements.
Once the HIPAA Program is set, how to Ensure my Employees are Aligned with it?
Once a HIPAA enforcement officer is assigned, this person should set standards for the rest of the employees to work up to. They can run routine checks to ensure that all the employees are performing according to the standards set.
As their capabilities would restrict a team, you would probably need to automate this training and increasing awareness procedure.
Right-Hand’s Compliance Readiness solution relies on a Machine Learning engine that automates and customizes the ability of your security information management team to develop, store, disseminate, increase awareness and drive behavior change for corporate policies. Combined with Training Readiness’s customized bite-sized learning approach, you will have everything you need when dealing with the HIPAA requirements.