Share this article on:
Questions and Answers to Improve Security and Avoid Penalties
By Bill Becker
Even after 14 years, public and private sector organizations are still routinely found out of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Security management processes are among the weakest links in compliance. In this article, we’ll look at some of the basics that covered entities and their business partners need to follow to ensure that they are not hit with financial or other penalties.
For the uninitiated, HIPAA regulates the use and disclosure of certain information held by health plans, health insurers, and medical service providers that engage in many types of transactions.
Enforcement of HIPAA Privacy and Security Rules falls to the Department of Health and Human Services’ Office for Civil Rights (OCR). Enforcement of compliance began in 2005, with OCR becoming responsible for Security Rule enforcement four years later. Since April 2003, over 150,000 HIPAA Privacy Rule complaints have been investigated by OCR. 98% (or 147,826) of the complaints have been resolved.
OCR enforces HIPAA Rules by applying “corrective measures,” including ether settlement or a civil cash penalty.
Only 47 cases have resulted in a settlement, although the total monetary penalty is still an eye-opening $67,210,982.00. Most compliance issues, OCR reports, stem from improper use or disclosure of electronic protected health information (ePHI); poor health information safeguards; inadequate patient access to their ePHI; and the absence of administrative safeguard for such information.
In other words, there is a fundamental failure in developing and maintaining appropriate security management processes. Which is ironic because one of the very first stipulations in HIPAA § 164.308 (a)(1) calls for organizations to implement policies and procedures to prevent, detect, contain, and correct security violations.
There are several required specifications to implement these management safeguards. These include the following:
Risk analysis – Accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity (or its business associate/s).
Risk management – Security measures to reduce risks and vulnerabilities to a “reasonable and appropriate level.”
Sanction policy – Workforce members who do not comply with the security policies and procedures must be sanctioned according to a standard policy applied to violations.
Information system activity review – Procedures to review records of information system activity, including audit logs, access reports, and security incident tracking reports.
Before any of that, however, organizations must use best practices to get their arms around the protected information under their control, and to apply some common sense thinking to managing access to that information.
Let’s look at some of these best practices.
Identify relevant information systems – It seems obvious, but here’s where many organizations fail. You have to be able to identify all information systems that house ePHI. Moreover, you have to be able to analyze business functions and verify the ownership and control of those information systems.
Ask yourself the following questions:
- Does the hardware and software in your information systems include removable media and remote access devices?
- Have you identified the types of information you manage?
- Have you identified and evaluated the sensitivity of each type of information?
Conduct a risk assessment – You have to have an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
To ensure accuracy and thoroughness, ask yourself the following questions:
- Is the facility located in a region prone to any natural disasters?
- Have you assigned responsibility to check all hardware?
- Have you analyzed current safeguards and identifiable risks?
- Have you considered all processes involving ePHI — including creating, receiving, maintaining, and transmitting protected information?
Acquire IT systems and services – After identifying your systems and exposure to risk, you may find that you’ll need additional hardware, software or services to adequately protect information such as:
- Multi-Factor Authentication
- Data-at-Rest Encryption
- Data-in-Transit Encryption
- Cryptographic Key Management
When planning for new systems or services, ask yourself the following questions:
- Will new security controls work with the existing IT architecture?
- Have you conducted a cost-benefit analysis to make sure the investment is reasonable when measured against potential security risks?
Create and deploy policies and procedures – This is the crux of any working set of management processes. You have to have policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. Does your formal system security and contingency plan stand up to that kind of scrutiny?
In both the public and private sectors, hospitals, clinics, and other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times. The best practices presented here can help ensure that data isn’t stolen or compromised, and that your organization doesn’t face steep fines for being out of compliance.
Bill Becker is Technical Director of SafeNet Assured Technologies. He can be reached at Bill.Becker@SafeNetAT.com