Question

Organizations that interact with medical patients are subject to HIPAA compliance.

a. Briefly describe, in your own words, what HIPAA compliance means in terms of cybersecurity policy compliance.

b. Make the case – Yes or No: Organizations that do not have patients, and are not subject to HIPAA compliance, would be better off holding to those standards anyway.

Answer 1

a. HIPAA compliance in terms of cybersecurity policy compliance:

Network security breaches wreak havoc on healthcare organizations. One hole in a hospital’s cyber security can leave private patient data wide open for those with malicious intent to take and use to their advantage; Electronic Health Records (EHRs) can be encrypted and made useless by hackers demanding a ransom in exchange for their encryption key; and sensitive data can be sold to ill-intentioned entities all over the world.

For a healthcare business to remain compliant with the guidelines and requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA), it must safeguard its patients’ and clients’ personal information. In a world of computers and networks, sensitive patient data must be protected against the unwelcome eyes of hackers, identity thieves, spammers, and other malefactors of that ilk.

Because of this growing threat, healthcare organizations everywhere are stepping up their cyber security game by increasing their IT budget and hiring professionals trained with a bachelor’s degree in cyber security. These newly hired security specialists will be responsible for keeping vast amounts of patient information safe and accessible only to authorized staff members and affiliates.

While EHRs contain sensitive patient information out of necessity (doctors can hardly be expected to follow a patient’s progress without a record of treatment), healthcare data now stretches far beyond EHRs into the realm of Big Data analytics. This shared data requires strict compliance with HIPAA’s Privacy Rule, which states that identifying information must be either removed from shared data or de-identified (made anonymous or encrypted).

Before discussing the elements of our HIPAA compliance checklist, it is best to answer the question “What is HIPAA compliance?” HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Typically the question following “What is HIPAA compliance?” is “What are the HIPAA compliance requirements?” That question is not so easy to answer as – in places – the requirements of HIPAA are intentionally vague. This is so HIPAA can be applied equally to every different type of Covered Entity or Business Associate that comes into contact with Protected Health Information (PHI). For the sake of clarification.

b.

Case: Yes

HIPAA compliance requirements can be complicated, but at a minimum, you’ll need to do the following:

• Only access PHI information when you need to and/or when you have permission. First, you’ll need to comply with all former iterations of HIPAA by not accessing PHI data unless you have the patient’s explicit, written permission to do so, or if it’s required to treat your patient adequately.
• Have an emergency plan to access PHI. In some cases, you may not be able to get your patient’s permission, and you may not have the account access necessary to retrieve it. What happens then? To be HIPAA-compliant, you’ll need to have an emergency plan in place.
• Limit and secure email transmissions of PHI. At times, you may need to transmit patient information via email. Avoid these situations when possible, and make sure you’ve upgraded your email platform to be HIPAA-compliant when transmitting via email becomes necessary.
• Back up all patient data. This should be common sense, but have a backup in place for all patient data, preferably, a HIPAA-compliant source of cloud storage. Don’t risk the damage or destruction of patient data.
• Give role-based permissions to staff. Your staff members shouldn’t have universal access to patient records. Establish multiple roles, with varying types of permissions, so staff members can access only the data they need.
• Take precautions against malware. Malware can bring your entire system down, so make sure you have a strong antivirus platform in place, and keep all your apps updated.
• Maintain different passwords, and change them routinely. Every staff member should have a unique password, and be prompted to change those passwords regularly.
• Maintain activity logs and audit controls. Your digital systems should keep track of activity, noting when records are accessed or changed. That way, you can audit them in event of a breach or other suspicious activity.

Case: No

HIPAA compliance entered the public eye in 1996 when the Health Insurance Portability and Accountability Act was passed. For organizations dealing with any facet of healthcare, it revolves around the protection of private information of patients. Any health information stored, accessed, or transmitted electronically falls under this protection. Penalties for violating HIPAA compliance come in many shapes. Monetary fines start as low as $100 for each violation and reaching as high as $1.5 million.

The punishment does not stop at a company’s pocketbook, however. More severe violations can result in jail time up to five years. Since HIPAA violations are made public record, failing to comply will cost your organization dearly in brand trust and the ability to land future clients as well as quality employees.

When HIPAA non-compliance occurs, it is often because of mistakes or a lack of knowledge of company employees and is done accidentally, without malice. Regardless of how it occurs, organizations must install the proper protocol to get violations down to a rate of zero. The best way to do this is to combine best practices with recurring training to ensure employees not only understand what needs to happen to ensure HIPAA compliance but also grasp the importance of it, to the organization and most importantly the patients.