HIPAA Compliance – The Moving Finish Line

The overarching goal of HIPAA compliance is to protect the individual: both the patient’s health and their finances. Protecting the patient’s health means ensuring their medical records are not corrupted or lost, and are readily available when needed. The financial protection is prevention of identity theft and other cyber-crimes.

HIPAA began as a law to enable an individual to maintain health insurance when changing jobs, but with the addition of federal and state regulations, and the HITECH Act, it has evolved into the front-line defense against cyber criminals. Thus the compliance “finish line” has moved significantly over the past decade. And the government will continue to move the compliance finish line because of the growing and increasingly sophisticated cyber threats from China, Russia and other rogue nations and entities.

Statistics show that a covered entity has a 20 percent chance of being breached each year! The FBI believes the number is actually higher, as a large percentage of breaches are not reported. Electronic Protected Health Information (ePHI) is the most sought-after identity information among cyber thieves, as it is the most complete and therefore the most valuable on the black market. If you are breached, you will be audited, which can result in substantial fines, significant remediation costs, lawsuits, and negative social media; any of which can destroy your business.

So, what is a small- to medium-sized practice to do? Here are the steps needed to significantly improve your compliance rating, and thereby your security and privacy capabilities.

1. Focused HIPAA Training – regular training of employees based on your practice’s policies and procedures reduces common mistakes and improves overall security awareness. Specific additional training is required for the Security and Privacy Officers.

2. Perform a Risk Assessment – this process is designed to identify potential threats to your Practice from all areas and their likelihood of occurrence, so that you proactively address and counter these risks. I recommend a third party perform the Risk Assessment, as there is a tendency to score oneself “optimistically” or to anticipate never-to-be-made corrections due to a lack of time and funds. Your staff already have full-time jobs, and they aren’t trained in risk assessments. In the long run it will be much less expensive, less disruptive and more accurate if an independent team conducts the assessment.

3. Develop a Risk Management Plan – as an outcome of the Risk Assessment, a Risk Management Plan should be developed and implemented to help integrate risk management into the business and create a culture of security and patient privacy. As part of the plan you will record security events and track changes to become more intimate with the security “profile” of your Practice.

4. Create and Implement Policies and Procedures – policies and procedures define how your Practice operates so they must be tailored to your company. These are the “recipes” of how your staff protects your business and your customers. Properly written policies and procedures will remove ambiguity and confusion and make your business more efficient.

5. Perform a Complete Inventory of All Networked Devices and Their Vulnerabilities – computer networks are subject to constant change as new systems are added, old items removed, and software updated almost daily. It is essential to have a complete understanding of what is connected to your networks, what has access, and their specific vulnerabilities to cyber threats. Sampling is not adequate, as it takes only a single ill-configured device on your network to enable access by a cyber-thief.

6. Implement HIPAA Compliant Email and Data Encryption – with each new convenience that enters our lives, there seems to be an equal and opposite effect on our personal security! None is more evident than the Internet: so much information and convenience, yet so much risk. Emails that contain ePHI must be encrypted, with recipients verified. All off-site backups and mobile devices that contain ePHI should also be encrypted.

7. Develop a Contingency Plan – no doubt this is a painful and time-consuming effort, but you need a plan to better ensure your company will survive and your patients are protected in the event of a natural or man-made disaster. Patient care cannot stop because of a burst pipe that flooded your computer server room, or a hacker who corrupted your Practice’s database.

8. Realign Your IT Strategy – the next step is to revisit and realign your IT strategy based on the completed compliance efforts. The IT plan should be aligned to incremental security upgrades and cost effective performance improvements. Older equipment can be repurposed to less demanding tasks as new systems take on those roles.

9. Continuous Network Vulnerability and Compliance Monitoring – with the ever-increasing sophistication of cyber-threats, the Government is strongly encouraging continuous monitoring of your networks for possible breaches and vulnerabilities. Unfortunately, antivirus software is not sufficient to fully protect the information backbone of your business. Once attackers breach your network, it takes very little time for them to search, locate and steal your business’s ePHI and proprietary information. Fortunately, these services and tools are very affordable today.

A daunting task, especially when we know the “finish line” will continue to move further towards increased cyber security. But the cyber threat will not fade; if anything, it will increase. To substantially reduce credit card thefts, the U.S. will convert to “chip on card” technology later this year. Where will the cyber thieves turn to fill that hole? You guessed it: ePHI will be increasingly targeted as a source for ID theft. Now is the time to make significant strides toward HIPAA compliance to protect your practice and livelihood.

Ed Jones, PMP, CHSP

About the Author

With over 30 years of customer-facing experience managing projects in healthcare, IT, and process automation across a variety of tech industries, Ed has worked for companies ranging from start-ups to Fortune 100 firms. He has performed numerous complex and extensive risk assessments, and developed and managed the corresponding risk management strategies.
