HIPAA and HITECH Compliance Basics

“What is HIPAA compliance?” That is the question that office managers are asking. HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its amendments, and any follow-on legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2013. The HITECH Act added many new security and privacy requirements for information systems.

For IT teams and office managers seeking a highly qualified HIPAA and HITECH compliance consultant, Eleven Dimensions Technologies offers a team of compliance specialists with deep expertise and extensive experience in managing risk and compliance in the healthcare industry. Don’t wait for a breach or an audit.

Our Services Include

A HIPAA and HITECH compliance consultant from Eleven Dimensions Technologies can transform your HIPAA and HITECH efforts into a competitive advantage through better decision-making. Our expertise and experience with healthcare organizations of all sizes enables us to implement programs and solutions that enhance access while demonstrating compliance with HIPAA, HITECH, HITRUST and other regulatory frameworks.

Our services include:

  • Healthcare Security Controls Assessment
  • Healthcare Policy Review and Development
  • HIPAA Compliance Consulting
  • HIPAA/HITECH Risk Analysis
  • HIPAA/HITECH Gap Analysis
  • Information Systems Security Training and Testing

Our HIPAA Checklist

Typically the question following “What is HIPAA compliance?” is “What are the HIPAA compliance requirements?” That question is not so easy to answer because, in places, the requirements of HIPAA are intentionally vague. The information on the HHS website is authoritative, but very general. This is so HIPAA can be applied equally to every different type of Covered Entity or Business Associate that comes into contact with Protected Health Information (PHI).

The Importance of Computer Security Training in Protecting ePHI

The majority of ePHI breaches today occur when untrained or careless employees fall victim to a phishing, vishing or other external scam. Employees are often the weakest link in the protection of ePHI. Scammers and fraudsters on the outside often target medical practices with cleverly crafted emails or phone calls and trick employees into clicking on a link or, even worse, letting the scammer share a screen. The data breach happens when the scammers install software that siphons off your patient data, or infect servers with malware that transmits your patient data to the “dark web”, where it is scraped for identifying information and resold to other scammers. There are many stories about this in the news. A computer security training program combined with a regular testing program is what your practice needs to bolster the weakest link in your HIPAA compliance program. Eleven Dimensions Technologies partners with several computer security training companies and can manage the training programs as part of your HIPAA compliance program.

What is a Covered Entity?

A covered entity is a health care provider, a medical practice or a health care vendor (e.g. a pharmacy, dental lab or diagnostic lab) that, in its normal activities, creates, maintains or transmits PHI. There are exceptions. For example, health care providers employed by a hospital are not covered entities: the hospital is the covered entity and is responsible for implementing and enforcing HIPAA-compliant policies. Likewise, the employees of a medical practice are not covered entities, but the practice is.

What is a Business Associate?

A “business associate” is a person or business that provides a service to – or performs a certain function or activity for – a covered entity when that service, function or activity involves the business associate having access to PHI maintained by the covered entity. Examples of Business Associates include IT contractors, billing companies, cloud storage services and email encryption services. We wrote a great blog article about that subject.

Before having access to PHI, the Business Associate must sign a Business Associate Agreement with the Covered Entity stating what PHI they can access, how it is to be used, and that it will be returned or destroyed once the task it is needed for is completed. While the PHI is in the Business Associate’s possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity. There are many examples of BAA documents out there. Here’s a particularly suitable one at the AOAA.

General HIPAA Requirements

Despite the intentionally vague HIPAA requirements described by HHS, every Covered Entity and Business Associate that has access to PHI must ensure that the technical, physical and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and that – should a breach of PHI occur – they follow the procedure in the HIPAA Breach Notification Rule.

All risk assessments, HIPAA-related policies and reasons why addressable safeguards have not been implemented must be chronicled in case a breach of PHI occurs and an investigation takes place to establish how the breach happened. Each of the HIPAA requirements is explained in further detail below. Businesses that are unsure of their obligation to comply with the HIPAA requirements should seek professional advice.

HIPAA Security Rule

The HIPAA Security Rule contains the standards that must be applied to safeguard and protect ePHI when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. By “access” we mean having the means necessary to read, write, modify or communicate ePHI or personal identifiers which reveal the identity of an individual (for an explanation of “personal identifiers”, please refer to our “HIPAA Explained” page).

There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards – and we will address each of these in order in our HIPAA compliance checklist.

Technical Safeguards

The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Thereafter organizations are free to select whichever mechanisms are most appropriate to meet the following implementation specifications, each of which is either required or addressable:

  • Implement a means of access control (Required): This not only means assigning a centrally controlled unique username and PIN code to each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency. This requirement also prohibits group accounts and shared logons.
  • Introduce a mechanism to authenticate ePHI (Addressable): This mechanism is essential in order to comply with HIPAA regulations, as it confirms whether ePHI has been altered or destroyed in an unauthorized manner. Again, group accounts are prohibited.
  • Implement tools for encryption and decryption (Addressable): This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and to decrypt those messages when they are received. Computers can be protected with BitLocker or Sophos disk encryption.
  • Introduce activity logs and audit controls (Required): The audit controls required under the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been accessed. This requirement can be implemented by using Windows Active Directory to set up a group policy, and desktop computers can be included in the audit scope. So-called “cloud” and SaaS applications should have their own built-in logging function.
  • Facilitate automatic log-off of PCs and devices (Addressable): This function logs authorized personnel off the device they are using to access or communicate ePHI after a pre-defined period of time. This prevents unauthorized access to ePHI should the device be left unattended. It also includes the requirement that screensavers kick in after a prescribed time and require a password to unlock.
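As an added example (not code from the page or from Eleven Dimensions Technologies), the PowerShell script below reads a Windows workstation’s current state against three of the technical safeguards just listed: encryption at rest (BitLocker on the system drive), audit controls (the effective advanced audit policy reported by auditpol) and automatic log-off (the machine inactivity limit and the password-protected screen saver policy). It assumes an elevated PowerShell 5.1 or later session on an English-language Windows 10/11 machine; the 15-minute idle threshold and the chosen audit subcategories are this example’s own assumptions, not values HIPAA prescribes. The script only reads settings and writes a report; it changes nothing.

```powershell
# Added example: read-only check of a Windows workstation against the
# Technical Safeguards (encryption at rest, audit controls, automatic log-off).
# Assumptions: elevated session, English auditpol output, BitLocker module present.

$MaxIdleSeconds = 900   # assumption: lock after at most 15 minutes of inactivity

function Test-EncryptionAtRest {
    # Get-BitLockerVolume ships with the BitLocker feature; if it is absent, the
    # drive is certainly not protected by BitLocker.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Control = 'Encryption at rest'; Pass = $false; Detail = 'BitLocker cmdlets not available' }
    }
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $ok = ($os.ProtectionStatus -eq 'On') -and ($os.VolumeStatus -eq 'FullyEncrypted')
    [pscustomobject]@{ Control = 'Encryption at rest'; Pass = $ok; Detail = "$($os.MountPoint) $($os.VolumeStatus), protection $($os.ProtectionStatus)" }
}

function Test-AutomaticLogoff {
    # Two places the lock can be enforced: the machine-wide inactivity limit policy
    # (Interactive logon: Machine inactivity limit) and the screen saver policy keys.
    $sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $idle = (Get-ItemProperty -Path $sysKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $ssKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ss = Get-ItemProperty -Path $ssKey -ErrorAction SilentlyContinue
    $timeout = [int]$ss.ScreenSaveTimeOut
    $ssOk = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1') -and ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)
    $idleOk = ($null -ne $idle) -and ($idle -gt 0) -and ($idle -le $MaxIdleSeconds)
    [pscustomobject]@{
        Control = 'Automatic log-off'
        Pass    = ($idleOk -or $ssOk)
        Detail  = "InactivityTimeoutSecs=$idle; screensaver active=$($ss.ScreenSaveActive) secure=$($ss.ScreenSaverIsSecure) timeout=$($ss.ScreenSaveTimeOut)"
    }
}

function Test-AuditControls {
    # auditpol prints one indented line per subcategory: "  <name>   <setting>".
    # These three subcategories record who logged on, who touched files, and who
    # changed the audit policy itself (this selection is the example's assumption).
    $required = @('Logon', 'File System', 'Audit Policy Change')
    $lines = auditpol /get /category:* 2>$null
    $results = foreach ($sub in $required) {
        $line = $lines | Where-Object { $_ -match "^\s+$([regex]::Escape($sub))\s" } | Select-Object -First 1
        $setting = if ($line) { ($line -split '\s{2,}')[-1].Trim() } else { 'not found' }
        [pscustomobject]@{ Subcategory = $sub; Setting = $setting }
    }
    $ok = @($results | Where-Object { $_.Setting -ne 'Success and Failure' }).Count -eq 0
    [pscustomobject]@{
        Control = 'Audit controls'
        Pass    = $ok
        Detail  = ($results | ForEach-Object { "$($_.Subcategory)=$($_.Setting)" }) -join '; '
    }
}

function Get-SafeguardReport {
    $checks = @(
        Test-EncryptionAtRest
        Test-AutomaticLogoff
        Test-AuditControls
    )
    $checks | Format-Table Control, Pass, Detail -AutoSize -Wrap
    # Keep the result with the risk assessment; an addressable safeguard that
    # fails here needs a documented rationale or an alternative measure.
    $checks | Export-Csv -Path "$env:USERPROFILE\safeguard-check-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
    return $checks
}

Get-SafeguardReport
```

Run it per workstation (or push it through your management tooling) and keep the CSV with the risk assessment paperwork; a failing “Automatic log-off” or “Audit controls” row is exactly the kind of gap that the addressable-safeguard documentation described later on this page has to explain.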

Physical Safeguards

The Physical Safeguards focus on physical access to ePHI regardless of its physical location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA covered entity. They also stipulate how these servers, workstations, applications and mobile devices should be secured against unauthorized access:

  • Facility access controls must be implemented (Addressable): Controls who has physical access to the location where ePHI is stored, including software engineers, cleaners, etc. The procedures must also include safeguards to prevent unauthorized physical access, tampering and theft. Physical barriers such as locked doors and filing cabinets are the key to implementation.
  • Policies for the use/positioning of workstations (Required): Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surroundings of a workstation and to govern how functions are to be performed on the workstations.
  • Policies and procedures for mobile devices (Required): If users are allowed to access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, etc.
  • Inventory of hardware (Addressable): An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved.

Administrative Safeguards

The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.

The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are going to be checked thoroughly in the second phase of the audits, not just to make sure that the organization in question has conducted one, but to ensure they are comprehensive and ongoing. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.

The administrative safeguards include:

  • Conducting risk assessments (Required): Among the Security Officer’s main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur.
  • Introducing a risk management policy (Required): The risk assessment must be repeated at regular intervals, with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
  • Training employees to be secure (Addressable): Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented.
  • Developing a contingency plan (Required): In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while the organization operates in emergency mode.
  • Testing the contingency plan (Addressable): The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
  • Restricting third-party access (Required): It is vital to ensure ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.
  • Reporting security incidents (Addressable): The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach.

The difference between the “required” safeguards and the “addressable” safeguards on the HIPAA compliance checklist is that “required” safeguards must be implemented whereas there is a certain amount of flexibility with “addressable” safeguards. If it is not reasonable to implement an “addressable” safeguard as it appears on the HIPAA compliance checklist, covered entities have the option of introducing an appropriate alternative, or not introducing the safeguard at all.

That decision will depend on factors such as the entity’s risk analysis, risk mitigation strategy and what other security measures are already in place. The decision must be documented in writing and include the factors that were considered, as well as the results of the risk assessment, on which the decision was based.

What Should a HIPAA Risk Assessment Consist Of?

Throughout the HIPAA regulations, there is a lack of guidance about what a HIPAA risk assessment should consist of. OCR explains the failure to provide a “specific risk analysis methodology” is due to Covered Entities and Business Associates being of different sizes, capabilities and complexity. However, OCR does provide guidance on the objectives of a HIPAA risk assessment:

  • Identify the PHI that your organization creates, receives, stores and transmits – including PHI shared with consultants, vendors and Business Associates.
  • Identify the human, natural and environmental threats to the integrity of PHI – human threats including those which are both intentional and unintentional.
  • Assess what measures are in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurring.
  • Determine the potential impact of a PHI breach and assign each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
  • Document the findings and implement measures, procedures and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
  • The HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.
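The script below is an added example (not code from the page or from Eleven Dimensions Technologies) of a minimal risk register that walks through the six objectives above: it records each place PHI lives and who holds it (internal or a Business Associate), the threat and its type, the controls already in place, a likelihood and an impact, and it assigns a risk level from the average of the two, then produces a dated record with a six-year retention date. The 1 to 5 scale, the Low/Medium/High thresholds and the four sample entries are this example’s own constructed assumptions; OCR does not prescribe them.

```powershell
# Added example: a risk register following the OCR risk-assessment objectives.
# Assumptions: likelihood and impact on a 1-5 scale; risk score = average of the
# two; Low < 2.5 <= Medium < 4 <= High. Sample entries are constructed.

function New-RiskEntry {
    param(
        [Parameter(Mandatory)][string]$PhiLocation,     # where PHI is created, received, stored or transmitted
        [Parameter(Mandatory)][string]$Custodian,       # 'Internal' or the Business Associate holding the PHI
        [Parameter(Mandatory)]
        [ValidateSet('Human-Intentional', 'Human-Unintentional', 'Natural', 'Environmental')]
        [string]$ThreatType,
        [Parameter(Mandatory)][string]$Threat,
        [Parameter(Mandatory)][string]$ExistingControls,
        [Parameter(Mandatory)][ValidateRange(1, 5)][int]$Likelihood,
        [Parameter(Mandatory)][ValidateRange(1, 5)][int]$Impact
    )
    $score = ($Likelihood + $Impact) / 2
    $level = if ($score -ge 4) { 'High' } elseif ($score -ge 2.5) { 'Medium' } else { 'Low' }
    [pscustomobject]@{
        PhiLocation      = $PhiLocation
        Custodian        = $Custodian
        ThreatType       = $ThreatType
        Threat           = $Threat
        ExistingControls = $ExistingControls
        Likelihood       = $Likelihood
        Impact           = $Impact
        RiskScore        = $score
        RiskLevel        = $level
    }
}

# Constructed sample register covering internal systems and one Business Associate.
$register = @(
    New-RiskEntry -PhiLocation 'Practice EHR server' -Custodian 'Internal' -ThreatType 'Human-Intentional' `
        -Threat 'Phishing e-mail leads to credential theft' -ExistingControls 'Annual awareness training only' `
        -Likelihood 4 -Impact 5                      # score 4.5 -> High
    New-RiskEntry -PhiLocation 'Staff laptops' -Custodian 'Internal' -ThreatType 'Human-Unintentional' `
        -Threat 'Laptop lost in transit' -ExistingControls 'BitLocker full-disk encryption' `
        -Likelihood 3 -Impact 1                      # score 2.0 -> Low
    New-RiskEntry -PhiLocation 'Claims data at billing company' -Custodian 'Business Associate: billing vendor' `
        -ThreatType 'Human-Intentional' -Threat 'Vendor breach exposes claims data' `
        -ExistingControls 'BAA signed; no evidence of vendor risk analysis' -Likelihood 2 -Impact 4   # 3.0 -> Medium
    New-RiskEntry -PhiLocation 'On-site backup tapes' -Custodian 'Internal' -ThreatType 'Natural' `
        -Threat 'Flood damages server room' -ExistingControls 'Off-site encrypted backup copy' `
        -Likelihood 1 -Impact 2                      # score 1.5 -> Low
)

function Get-RiskAssessmentRecord {
    param([object[]]$Register, [datetime]$AssessedOn = (Get-Date))
    [pscustomobject]@{
        AssessedOn         = $AssessedOn.ToString('yyyy-MM-dd')
        RetainUntil        = $AssessedOn.AddYears(6).ToString('yyyy-MM-dd')   # six-year documentation retention
        RisksToTreat       = @($Register | Where-Object { $_.RiskLevel -ne 'Low' } | Sort-Object RiskScore -Descending)
        AcceptedRisks      = @($Register | Where-Object { $_.RiskLevel -eq 'Low' })
        BusinessAssociates = @($Register | Where-Object { $_.Custodian -like 'Business Associate*' } |
                               Select-Object -ExpandProperty Custodian -Unique)
    }
}

$record = Get-RiskAssessmentRecord -Register $register
$record.RisksToTreat | Format-Table PhiLocation, Custodian, Threat, RiskScore, RiskLevel -AutoSize -Wrap
# Persist the full record (findings, rationale inputs, retention date) as the documentation trail.
$record | ConvertTo-Json -Depth 3 | Set-Content -Path ".\risk-assessment-$($record.AssessedOn).json"
```

The point of keeping the existing controls and the rationale inputs in the same record as the score is that, when an addressable safeguard is later skipped or replaced, the written justification the Security Rule expects can point at a specific dated entry rather than at memory; re-run the register whenever the workforce, work practices or technology change, as the next paragraph requires.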

As mentioned above, a HIPAA risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance. The HIPAA risk assessment and an analysis of its findings will help organizations to comply with many other areas on our HIPAA compliance checklist, and should be reviewed regularly when changes to the workforce, work practices or technology occur.

Depending on the size, capability and complexity of a Covered Entity, compiling a fully comprehensive HIPAA risk assessment can be an extremely long-winded task. There are various online tools that can help organizations with the compilation of a HIPAA risk assessment; although, due to the lack of a “specific risk analysis methodology”, there is no “one-size-fits-all” solution.

The Importance of Data Encryption

Many ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unsecured ePHI across open networks.

Breaches of this nature are easily avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every circumstance, it is a security measure which should be thoroughly evaluated and addressed. Suitable alternatives should be used if data encryption is not implemented. Data encryption renders stored and transmitted data unreadable and unusable in the event of theft.
