- University of Texas MD Anderson Cancer Center fined $4.3 million for HIPAA violations.
- Memorial Healthcare System paid $5.5 million after a former employee's login credentials were used to access PHI for roughly a year without the access being reviewed or revoked.
- Advocate Health Care Network paid $5.5 million after failing to protect the data of over four million patients.
- Anthem fined $16 million for a significant data breach that exposed the health information of almost 80 million people.
Key HIPAA Terminology
You already know what HIPAA, OCR, and ePHI are, but some of the terms used within HIPAA can be confusing. Before going any further, you need to understand the following three terms:
HIPAA Requirements
This section covers three key areas: administrative, technical, and physical safeguards. These areas all tie together ultimately, but looking at them individually will give you a better understanding which, in turn, will enable you to use your resources and teams more effectively.
Administrative Safeguards
Oftentimes, the importance of this area is downplayed, perhaps because it seems less tangible or is deemed to have less impact than technical and physical safeguards. Nothing could be further from the truth; the policies, practices, and procedures defined here establish the governance and operational framework that the technical and physical controls hang off.
Conduct Risk Assessments: Your security officer must conduct regular security assessments that identify and assess any places where PHI might be at risk.
Create a Risk Management Policy: This defines how often you perform a risk assessment and the steps you take to reduce the risks to PHI that it finds. It should include a sanctions section that spells out the penalties for employees who break the rules; that reinforces the fact that your organization takes HIPAA compliance seriously and keeps employees clear on their expected roles and behaviors.
Prepare a Contingency Plan: This is your plan and set of policies for operating through an incident. The Security Rule requires three components: a data backup plan, a disaster recovery plan, and an emergency mode operations plan that describes how you keep protecting PHI while running in a degraded state. Together they cover how you continue to operate, how you back up and restore data that may be lost in a natural disaster or outage, and what you do in any foreseeable emergency.
Test Your Contingency Plan: Test the plan to make sure it works, and update it as you go. It should always be evolving: frequent tests surface technical and procedural changes that have happened since it was written, and the more often you have rehearsed the plan, the more efficiently you will execute it under pressure.
Restrict Third-Party Access: This governs who has access to PHI beyond your own employees. It keeps unauthorized contractors and vendors from gaining access to PHI indirectly and helps ensure that you have a business associate agreement (BAA) in place with anyone who handles PHI on your behalf.
Train Employees: This outlines training programs you put in place to make sure your employees follow the rules and understand them. As a best practice, it should include training on how to identify phishing attempts, avoid malicious software, and browse the web safely, along with training on each policy that affects an employee. Training must be well documented. A good training program is conducted at least once a year to ensure that all affected employees are up to date, and it will address any changes in your security or compliance programs.
Report Security Incidents: This requirement is different from the Breach Notification Rule. A security incident is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations; a breach is the subset of incidents in which unsecured PHI was actually compromised. A blocked phishing attempt or a flaw found and fixed before any PHI was exposed is still an incident, so you need a policy for recording, reporting, and responding to incidents even when no breach results.
Technical Safeguards
This area governs the technology used to store, transmit, or otherwise process PHI and ePHI. HIPAA doesn't supply a list of accepted software or frameworks; you can use any technology you choose provided it meets the requirements. Encryption is an "addressable" specification, which means you must either implement it or document why an alternative is reasonable and appropriate; in practice that means any PHI that leaves your network should be encrypted, and HHS guidance points to NIST-approved methods (such as NIST SP 800-52 for TLS) as the benchmark.
Control Access: Develop policies and procedures that define who has access to PHI. Every user needs a unique identifier, and credentials cannot be shared. You need to know who accessed any part of your network or systems. This policy should also include information on how access is granted or maintained during an emergency. Remember that a good access policy is based on the concept of least privilege, and only grant access to PHI to those who need it.
Maintain Access Logs: Technically, this is an audit control meant to show you who tried to access, or did access, PHI. It also serves as an early warning when someone is probing for access they should not have. Logs, especially those that record incidents, need to be retained in an organized manner. If you centralize the logs, you can see who has accessed PHI from a single tool and put monitoring in place that scans for unusual access patterns (bulk record lookups, off-hours activity, access by accounts that should have been disabled) that warrant investigation.
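The monitoring described above, as an added example that is not part of the original article: a small scanner over constructed ePHI access-log lines (the log format, user ids, patient ids, shift table, and thresholds are all assumptions for illustration) that flags two common signatures, a user opening many distinct patient records in a short window and access outside the user's assigned shift.

```python
"""Scan centralized ePHI access logs for patterns worth investigating.

Added example (not from the article). The log lines, shift table, and
thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user id, patient id, action, system
SAMPLE_LOG = """\
2024-03-04T09:02:11 u.nurse01 P10001 VIEW ehr
2024-03-04T09:03:40 u.nurse01 P10002 VIEW ehr
2024-03-04T09:04:02 u.nurse01 P10002 UPDATE ehr
2024-03-04T13:10:00 u.billing7 P20010 VIEW billing
2024-03-04T13:10:05 u.billing7 P20011 VIEW billing
2024-03-04T13:10:09 u.billing7 P20012 VIEW billing
2024-03-04T13:10:14 u.billing7 P20013 VIEW billing
2024-03-04T13:10:20 u.billing7 P20014 VIEW billing
2024-03-04T13:10:25 u.billing7 P20015 VIEW billing
2024-03-04T02:15:33 u.nurse01 P10077 VIEW ehr
"""

# Assumed shift table: user -> (start hour, end hour) on a 24h clock.
SHIFTS = {"u.nurse01": (7, 19), "u.billing7": (8, 17)}

DISTINCT_PATIENT_LIMIT = 5      # assumption: more than 5 distinct patients ...
WINDOW = timedelta(minutes=10)  # ... within 10 minutes is worth a look


def parse_line(line):
    """Split one whitespace-delimited log line into typed fields."""
    ts, user, patient, action, system = line.split()
    return datetime.fromisoformat(ts), user, patient, action, system


def find_anomalies(log_text, shifts=SHIFTS, limit=DISTINCT_PATIENT_LIMIT,
                   window=WINDOW):
    """Return a list of findings as tuples, in time order.

    ("off_hours", user, patient, timestamp)      access outside the shift
    ("high_volume", user, distinct_count, ts)    many patients in a window
    """
    events = sorted(
        (parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
        key=lambda e: e[0],
    )
    findings = []
    recent = defaultdict(deque)   # user -> deque of (ts, patient) in window
    already_flagged = set()       # report high volume once per user
    for ts, user, patient, action, system in events:
        # 1. Off-hours check against the user's assigned shift.
        start, end = shifts.get(user, (0, 24))
        if not (start <= ts.hour < end):
            findings.append(("off_hours", user, patient, ts.isoformat()))
        # 2. Sliding window of distinct patient records per user.
        q = recent[user]
        q.append((ts, patient))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > limit and user not in already_flagged:
            already_flagged.add(user)
            findings.append(("high_volume", user, len(distinct), ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

In a real deployment the shift table and limits come from HR and the clinical workflow (a triage nurse legitimately touches many charts), and a treating-relationship check (does this user have an active order or encounter for this patient?) is the next rule to add; the point here is that the check only works when every system's logs land in one place with one user identifier.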
Authenticate ePHI: The Security Rule's integrity standard requires a method to confirm that ePHI has not been altered or destroyed in an unauthorized manner, whether by disaster, mistake, or malicious activity. In practice that means cryptographic integrity checks (keyed hashes or authenticated encryption) on stored and transmitted records plus a way to notice records that have gone missing. Leak detection is a separate concern: you also need monitoring that catches unauthorized disclosure of PHI, since a record can be copied out intact without ever being modified.
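One way to implement the integrity check, as an added example that is not the article's own code: each record is sealed with an HMAC-SHA256 tag over a canonical JSON encoding under a key the application controls, and an audit walks a manifest of expected record ids so that both modified and missing records are reported. The record contents, ids, and key are constructed for illustration; in production the key comes from a KMS or HSM and is never stored beside the data.

```python
"""Integrity check for stored ePHI records (added example, not from the article).

Records are sealed with HMAC-SHA256 under an application-held key. The audit
compares a manifest of expected record ids against what is actually stored,
reporting each record as "ok", "tampered", or "missing".
"""
import hashlib
import hmac
import json

# Constructed demo key; a real deployment fetches this from a KMS/HSM.
DEMO_KEY = b"demo-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Stable encoding so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(key: bytes, record: dict) -> str:
    """Return the hex HMAC-SHA256 tag for a record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    """Constant-time comparison so tag checks don't leak timing."""
    return hmac.compare_digest(seal_record(key, record), tag)


def audit_store(key: bytes, expected_ids, store: dict) -> dict:
    """store maps record_id -> (record, tag). Returns record_id -> status."""
    report = {}
    for rid in expected_ids:
        if rid not in store:
            report[rid] = "missing"
            continue
        record, tag = store[rid]
        report[rid] = "ok" if verify_record(key, record, tag) else "tampered"
    return report


def demo() -> dict:
    """Seal three constructed records, then simulate tampering and loss."""
    records = {
        "P10001": {"mrn": "P10001", "name": "Test Patient A", "dx": "J45.909"},
        "P10002": {"mrn": "P10002", "name": "Test Patient B", "dx": "E11.9"},
        "P10003": {"mrn": "P10003", "name": "Test Patient C", "dx": "I10"},
    }
    store = {rid: (dict(rec), seal_record(DEMO_KEY, rec))
             for rid, rec in records.items()}
    store["P10002"][0]["dx"] = "Z00.00"   # modified after sealing
    del store["P10003"]                  # lost from the store
    return audit_store(DEMO_KEY, list(records), store)


if __name__ == "__main__":
    print(demo())
```

An attacker who can rewrite the records and also reach the key can of course re-seal them, which is why the key lives in a separate trust boundary from the database; storing tags in an append-only audit store rather than beside each record closes the same gap for insiders with database write access.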
Encrypt Data: Data at rest and in transit (that is, data coming into and going out of your network) should be encrypted. You must be able to show how data is encrypted, what software and methods are used, how keys are managed, and how the data is decrypted; keep the keys separate from the data they protect. Encryption also has a direct payoff under the Breach Notification Rule: PHI that is encrypted in line with HHS guidance is not "unsecured PHI," so a lost laptop or backup tape whose contents are properly encrypted is not a reportable breach. If you outsource encryption or key management to a third party, they must have a BAA.
Use Automatic Logoffs: Any computer that an authorized individual uses to access PHI must lock or log off after a predefined idle period, so that a session is not left open when a user walks away and forgets to log out. Train employees to lock the machine or log out the moment they step away and to stay logged out when not actively using it. Under most policies an employee is accountable for any activity under their session, whether they performed it or someone else did from their unlocked screen. Mistakes happen, and the idle timer is the control that limits the damage when they do.
Physical Safeguards
Whether you store ePHI onsite, in the cloud, or on servers in a third-party data center, you must make sure that the data is protected. This may come down to a BAA in which the vendor agrees to maintain the same kinds of locks and alarms you use onsite to protect the data. No matter where the data is stored, it sits in a physical location on physical devices that must meet specific standards.
Workstation Policies: The policies and procedures defined by this rule govern how you place physical devices like computer monitors. They must be positioned in a way that prevents unauthorized users from seeing ePHI that may be on the screen while an authorized user is working.
Mobile Devices: If users can access or work with ePHI on mobile devices, you must have a policy that outlines the security measures you use to protect the data (device encryption, screen lock, remote wipe) and how ePHI is removed from the device. Avoid personal mobile devices where you can; if you do allow them, you must have a plan for wiping ePHI from the equipment when an employee is fired or quits, and the means to carry it out without physical possession of the device.
Facility Access: This policy defines who has access to physical locations from janitorial staff to third-party IT contractors. Define who has keys, keycards, PINs, and what the plan is for emergencies if no one is available to unlock the facility. If you use electronic access controls, make sure they log users and monitor doors to make sure they close within an appropriately short time after they’re opened.
Inventory: You must keep an updated inventory of every device and piece of hardware used to access or store ePHI on your network. The record should track the movements of the hardware along with who is responsible for it. Data on a device must be verified before it leaves your facility and again when it returns, so that you can vouch for the integrity of the ePHI on the hardware, and media that are retired must be sanitized or destroyed before disposal.