The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the purpose of safeguarding protected health information (PHI). HIPAA was enacted because there was a growing need for generally accepted standards to govern how healthcare information is handled, processed and stored. Improvements in technology have led HIPAA to focus on how Electronic Protected Health Information (ePHI) should be treated. Healthcare facilities and personnel collect a vast amount of confidential information annually from patients. This information is referred to as Health Information. It is associated with the health status of a patient, how they pay for healthcare and what healthcare services they received.
HIPAA compliance is for healthcare providers, covered entities and business associates. Healthcare providers are people who are certified and authorized to provide healthcare services in the state. They include doctors, nurses, surgeons and psychiatrists, among many other medical practitioners. A covered entity is any business that transmits healthcare information electronically. Covered entities include healthcare providers, healthcare clearinghouses and health plans. A business associate is any person who handles PHI in the course of providing a service to, or on behalf of, a covered entity. This is a broad category that aims to regulate the entities that have access to PHI but are not healthcare providers or covered entities. These include auditors and accountants who act in a consultancy capacity, third-party service providers and administrative assistants.
Risk Assessment Checklist
Risk assessment is a vital part of achieving HIPAA compliance in an organization. It is the first step to setting up the policies and procedures necessary to ensure you are HIPAA compliant. The risk assessment will give you a fair perspective of the current level of compliance and the areas that are vulnerable. Doing a risk assessment will assist an organization when developing administrative, physical and technical safeguards for the common risks that the organization faces.
Administrative safeguards are the policies and procedures developed to achieve compliance. Technical safeguards are strategies set to ensure that networks and ePHI transmission are handled securely. Physical safeguards are put in place to ensure that data is stored in a secure location and that access to the data is granted depending on employee clearance levels. The guidelines for these safeguards are clearly stated in the ePHI updates to HIPAA made in 2005.
Here’s a checklist to help assess the compliance of your organization with regard to the HIPAA security rule. The checklist involves activities that an organization can do to develop safeguards and be HIPAA compliant.
- Risk Assessment
Risk assessment should be done in every aspect concerning ePHI to establish potential risk areas. A record of all available electronic devices and information systems in the organization should be set up. Identifying possible data storage and transmission devices will assist greatly in identifying vulnerabilities in the organization. Once the risks are assessed, policies and procedures need to be developed to address the potential harm. The policies and procedures should clearly define their purpose, the areas covered, the processes involved, and how the procedures will be implemented and facilitated. Once these parameters are defined, they should be recorded for reference purposes. Regular reviews should be done to monitor the emergence of new risks.
- Security Awareness Policy
This policy should seek to establish a clear plan for ensuring that the workforce is aware of the security issues facing the organization. A security awareness policy seeks to train personnel in the appropriate processes and procedures to handle ePHI securely. Employees need to be aware of potential threats like cyber-attacks, malicious email attachments or unauthorized access. The workforce should be trained to protect their workspaces to prevent internal threats. The management should create security awareness among their business associates by letting them know the risks that they pose to ePHI. Security awareness training should be carried out periodically to mitigate new threats and share knowledge of new strategies.
The management should invest in high-quality monitoring software to keep track of the HIPAA compliance requirements and detect or report potential risks, unauthorized access and new security vulnerabilities in the handling of ePHI. Clear ramifications should be defined for noncompliance with the security awareness policy.
- Security Plan and Policy
A security plan establishes policies that govern how physical and technical security should be handled. The physical area where data is stored should be well protected. The data storage should require authorization before it is accessed, such as passwords allocated to authorized personnel only. The plan should clearly define what steps should be taken in case of a breach, disaster or emergency. The security plan should be audited to confirm whether or not it serves the purpose it was set up for. The audit should also offer recommendations on how to improve the security plan and policy.
- Segregation of Duties
Segregation of duties is an important measure to restrict access to ePHI and monitor workforce activities. This policy should define the job descriptions of the employees, stating their purposes and targets. Access controls should then be established according to the roles of the employees. Sensitive information should only be accessed by the senior employees and management in an organization. The lower the number of people who access the ePHI, the lower the risks involved. Authorized persons should be trained on the importance of protecting their access codes and passwords. In case an access code is stolen and used wrongfully, the employee is responsible for any of the damage or harm arising from the access of ePHI. Access controls should be established to limit the information third parties can access to minimize risks.
- Incident Response Plan
This plan establishes how suspicious activity, security incidents and other reported security matters should be mitigated. The plan stipulates the protocols that should be followed in case of an incident and the people responsible for mitigating the risk. The protocols should involve analyzing the incident, mitigation strategies, eradication and damage management. The incidents handled should be recorded and stored appropriately to act as a reference point during future incidents.
- Contingency Plan
This plan is a failsafe in the event all the other measures to protect ePHI fail. It includes data backups stored in a secure location only to be accessed physically, damage control measures for ePHI exposed to unauthorized people, data recovery strategies and strategies to deal with security breaches, just to name a few. A contingency plan is only good if it has not been hacked or tampered with.
All these plans should take into consideration the access that third parties have in the organization. The penalties for illegal disclosure of ePHI by third parties should be hefty to deter any attempts. Access for third parties should be restricted to what is relevant to the activities of the third parties. The workforce should be trained vigorously so that they are able to maintain a high level of HIPAA compliance during day-to-day activities. All the policies, procedures, risk assessment results, audits and any other facts relating to ePHI HIPAA compliance should be meticulously recorded and stored for administrative purposes. This information can be used in times of crisis, emergencies or disputes to map out a solution.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.