Regulations create the rules of engagement for many industries, and perhaps none more so than the Health Insurance Portability and Accountability Act, known as HIPAA, does for the healthcare industry. For anyone in the medical field, HIPAA sets the standards for how medical records are stored and shared and impacts every organization across the healthcare ecosystem, whether they’re interacting with patients or not.
As the name might imply, HIPAA initially dealt with the ability to port insurance coverage in between jobs. Through an update called HIPAA Title II, additional regulations were added to help protect medical information as well, making it much like many other regulations that aim to keep PII (personally identifiable information) from misuse. With the move from paper-based to electronic medical records encouraged by a related regulation called HITECH Act, HIPAA was updated to ensure that those medical records received the same sort of protections in the electronic age as they did in the paper one.
Hemorrhaging private health information
However, breaches of medical information, called ePHI/PHI (Protected Health Information, electronic or otherwise), seem to make the headlines quite frequently– clearly companies fail at this regularly. One factor that drives this frequency is this: just like financial data gives access to bank fraud, medical data allows for medical fraud. As a result, there are significant financial incentives for gaining access to medical information.
Even limiting our search to the recent months, many breaches have made the headlines recently, using a variety of different methods:
- 2.6 million records breached in an attack on a health system’s billing vendor
- 7000 medical records breached through a phishing attack that compromised an email account
- Untold medical records left vulnerable due to a web application vulnerability for eight months
- 870 records breached with the theft of a laptop
As discussed in our blog post on asset management, Healthcare data seems particularly prone to this latter breach: lost or stolen equipment, with “laptops and other portable devices, and paper documents consistently [going] missing from healthcare organizations each year” according to the 2018 Verizon DBIR report.
The Office of Civil Rights (OCR), the regulatory agency responsible for HIPAA, does not take these breaches lightly. Although the penalty can vary by case, lack of compliance to HIPAA has the potential to significantly impact a business: failure to comply is costly, both concerning fines and even ability to continue business. Clearly adhering to HIPAA is no longer just an obligation, but contains significant consequences with total OCR settlements in 2018 approaching $30 million.
Fleshing out the HIPAA regulation
To protect health information, HIPAA created rules around the following key areas:
- Privacy – the rights of the individual to access their medical records and stipulate other healthcare providers that have access
- Security – the protection of digital and physical assets that contain medical information from misuse or unintended exposure
- Breach Notification – stipulations regarding how and how fast notifications must be made to impacted parties following a breach
- Enforcement – gives the OCR the ability to audit and levy penalties
HIPAA was not born in one piece with each of the following pieces above, but rather (like most regulations) came about through a series of additions as privacy and security concerns developed. As a result, even the “simplification” of the HIPAA regulations spans 115 pages
To further simplify, the following steps could be a potential roadmap when approaching HIPAA compliance.
Determining covered entities
HIPAA chiefly concerns medical data so determining where health data resides defines the starting point of where HIPAA applies. This may not be as easy as it seems, especially for highly federated and distributed organizations.
Ideally, this process begins with an asset classification initiative to understand where health information resides. By allowing employees across the organization to self-report what kind of information is stored on devices, you can understand where the specific HIPAA regulations might apply and further detail is necessary.
Incorporate training and awareness
Along with determining entities, creating awareness of the need for such compliance helps everyone see the purpose behind such admittedly time-consuming efforts. Justifying both the effort needed to complete the task as well as security awareness training across the organization helps set the right expectations for the regulatory road ahead.
For areas determined to have health information in the previous step, HIPAA requires specific security awareness training. Phishing exploits are a significant factor in information security incidents & breaches and often opens the door for malware and eventual exfiltration of data. With phishing becoming a common way to gain access to records, phishing simulation training helps inoculate the organization from succumbing to this simple yet effective cyber attack.
Conduct a risk assessment
Finally, we come to the heart of planning toward HIPAA compliance: the risk assessment. Put simply, the risk assessment measures how well an organization measures up with the HIPAA standards before the OCR comes around with an audit.
As mentioned in our primer on regulations in general, a risk assessment should not be confused with an external audit. Using an analogy apt for the topic at hand, it doesn’t make sense to visit a specialist (costly, highly technical) if you haven’t had a visit to your family physician (less costly, less technical). The risk assessment is the doctor’s checkup and the external audit is the specialist. Nobody needs to visit a specialist for a runny nose – the risk assessment helps you resolve the low hanging fruit of a runny nose and prepares the way for an expert to give better input through a third-party audit.
A risk assessment will focus on covered entities (using the scope defined by the asset classification step above) to measure two specific things:
- The types of confidential data present on specific devices and infrastructure
- The general adherence to specific requirements in the regulation.
The first part, covered in depth in our asset classification article, dives deeper into the specific devices that store ePHI (or physical places such as filing cabinets) to classify the types of data present on a device level.
The second part involves asking questions that gauge whether the specific requirements of the regulation are in place. For example, “Are formal, current documented policies and procedures in place that decrease or limit the chance that PHI can be viewed inappropriately?”.
For both of these steps, checklists or spreadsheet are a good place to start, but can quickly become hard to manage if you have a number of devices or a distributed organization. An important feature of whatever method you use should be an audit trail so that you can document your efforts and progress along the way.
If you haven’t started or are looking for a way to streamline the process of both asset classification and regulatory compliance, ISORA offers workflow functionality designed to help you simplify your risk assessment and compliance process.
Understand results and create a remediation plan
With a risk assessment completed, you’ll have the information to know how you’re doing and what needs to be done. A good risk assessment should show you what areas of your organization need to make changes, both organizationally such as specific departments/devices or operationally such as specific procedures. Based on the pattern of recent OCR settlements, common areas of concern include business associate agreements, audit controls, risk management, and the data breach notification processes.
Like a regular physical at your family physician, a periodic risk assessment helps keep your organization running smoothly according to the standards set by HIPAA. Based on the results, changes can be made to correct the highest risk or non-compliance areas and progress can be measured over time. You can then utilize an external third-party audit, internal audit or an additional risk assessment a few months out to correct the egregious gaps before OCR finds these particularly virulent strains of errors and gives you only a few months to live.
If you’re a covered entity, hopefully you’ve already been doing a HIPAA assessment. If so, it’s not going away anytime soon so make sure you’ve created a process and acquired the tools necessary for minimal impact to your day to day operations. Either way the incentives are myriad from OCR audits to the threat of breaches. However, the greatest incentive involves keeping the people served by your organization from undue harm of exposed medical information, thereby keeping everyone in the healthcare ecosystem in alignment with the medical profession’s specific oath to “do no harm”.