HIPAA Compliance as a Service

If your business deals with Protected Health Information (PHI), then it is vital that you are HIPAA compliant. If you ignore the compliance standards, you face fines, criminal charges, and civil lawsuits.

What is HIPAA Compliance?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It establishes the standard for protecting confidential patient information. It is extremely important that any company dealing with Protected Health Information (PHI) ensures that all access points to confidential patient information, physical or online, are protected. However, HIPAA, by its nature, can be confusing and is often vague. This is so that it can be applied to all the different kinds of Covered Entities and Business Associates that deal with Protected Health Information.

What is a Covered Entity?

A covered entity is any health care provider, health plan, or health care clearinghouse that develops, maintains, or transmits Protected Health Information. However, hospitals, for instance, are not to be considered “Covered Entities”. Instead, hospitals are responsible for implementing and enforcing HIPAA-compliant policies. Employers, even though they may maintain health care information about their employees, are not considered to be “Covered Entities”. Only if the business provides self-insured health coverage or benefits (such as an Employee Assistance Program (EAP)) is it considered a “Covered Entity”.

What is a Business Associate?

A “Business Associate” is a person or business that provides a service or performs an activity for a covered entity that requires access to PHI maintained by the covered entity. Business Associates can be lawyers, IT contractors, cloud storage services, accountants, billing companies, or email encryption services. However, before the “Business Associate” can gain access to PHI, they must sign a Business Associate Agreement with the Covered Entity stating exactly what PHI they will be accessing, how the information will be used, and that it will either be returned or destroyed once the stated task has been completed. While the PHI is in the Business Associate's possession, that Business Associate has to meet the same HIPAA obligations as a Covered Entity.

HIPAA Security Requirements

If you are in charge of maintaining HIPAA-compliant information, there must be physical, technical, and administrative safeguards in place, as stated by the U.S. Department of Health and Human Services.

Hammett Technologies believes your technology should always improve the way you do business. That’s why we offer SimpuCare – IT leadership to help you see the bright side of your IT. Interested in learning more?

Physical Safeguards:

This safeguard covers any and all physical access to electronic Protected Health Information (ePHI), regardless of location. The information could be stored in the cloud or on servers located at the HIPAA covered entity. It also covers how both workstations and smartphones should be locked down and secured against any unauthorized access.

Implementation specification (Required or Addressable): Further information

Facility access controls must be implemented (Addressable): Controls who has physical access to the location where ePHI is stored, and includes software engineers, cleaners, etc. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.

Policies for the use/positioning of workstations (Required): Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surroundings of a workstation, and to govern how functions are to be performed on the workstations.

Policies and procedures for mobile devices (Required): If users are allowed to access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, etc.

Inventory of hardware (Addressable): An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved.

Source: https://www.hipaajournal.com/hipaa-compliance-checklist/

Technical Safeguards:

Dealing with the technological side, this safeguard aims to protect electronic Protected Health Information (ePHI). It states that all ePHI, whether in transit or at rest, must be encrypted to NIST standards once it has gone past the business's firewall. This encryption ensures that, should a breach happen, all confidential patient information is unreadable and useless to the attacker.

Implementation specification (Required or Addressable): Further information

Implement a means of access control (Required): This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.

Introduce a mechanism to authenticate ePHI (Addressable): This mechanism is essential in order to comply with HIPAA regulations, as it confirms whether ePHI has been altered or destroyed in an unauthorized manner.

Implement tools for encryption and decryption (Addressable): This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and to decrypt those messages when they are received.

Introduce activity logs and audit controls (Required): The audit controls required under the technical safeguards are there to register attempted access to ePHI and to record what is done with that data once it has been accessed.

Facilitate automatic log-off of PCs and devices (Addressable): This function logs authorized personnel off the device they are using to access or communicate ePHI after a pre-defined period of time. This prevents unauthorized access to ePHI should the device be left unattended.

Source: https://www.hipaajournal.com/hipaa-compliance-checklist/

Administrative Safeguards:

This safeguard pairs the Security Rule and Privacy Rule together and requires that both a Security Officer and Privacy Officer be assigned to put the policies in place to protect ePHI.

Implementation specification (Required or Addressable): Further information

Conducting risk assessments (Required): Among the Security Officer's main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur.

Introducing a risk management policy (Required): The risk assessment must be repeated at regular intervals, with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.

Training employees to be secure (Addressable): Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and of how to identify malicious software attacks and malware. All training must be documented.

Developing a contingency plan (Required): In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while the organization operates in emergency mode.

Testing of contingency plan (Addressable): The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.

Restricting third-party access (Required): It is vital to ensure ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.

Reporting security incidents (Addressable): The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach.

Source: https://www.hipaajournal.com/hipaa-compliance-checklist/