Achieving compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA) can be a challenge for healthcare organizations and their business associates. The HIPAA Rules were developed to cover healthcare organizations of different types and sizes, so the Rules needed to be flexible to accommodate this diversity. They also needed to be capable of standing the test of time without requiring regular updates in response to changing technology and operating practices.
While HIPAA sets standards for privacy, security, and administrative processes, the Rules can seem complex and often lack important details and they do not include an easy-to-follow HIPAA compliance checklist, so it’s no surprise that achieving and maintaining HIPAA compliance can be a daunting prospect. One of the biggest challenges for compliance professionals is interpreting the HIPAA Rules and applying those requirements to their organization. For smaller healthcare organizations with limited resources, achieving and maintaining compliance can be harder still.
If HIPAA compliance is causing you headaches or keeping you up at night, it is worthwhile considering partnering with a compliance company and getting advice on how to achieve and maintain compliance for peace of mind. For those considering going it alone, there are three pillars of HIPAA compliance that you need to get right.
Pillar 1: Implement a HIPAA Compliance Program
HIPAA-regulated entities need to implement an effective HIPAA compliance program, covering all standards and implementation specifications of the HIPAA Rules. HIPAA-compliant policies and procedures must be developed and implemented, and staff trained on those policies. While compliance responsibilities can be split between multiple individuals – such as a Privacy Officer and a Security Officer – one individual should have overall responsibility for compliance throughout the entire organization. You should also consider forming a compliance committee that meets regularly to discuss the state of compliance with HIPAA and other federal and state regulations.
One of the first things the Department of Health and Human Services’ Office for Civil Rights (OCR) will seek to establish when investigating complaints and data breaches is whether the entity has implemented a formal HIPAA compliance program and is taking its HIPAA compliance obligations seriously. Proving your organization takes HIPAA compliance seriously and has not ignored its obligations means compliance efforts must be thoroughly documented.
The first stage of an OCR investigation involves a document request. OCR will contact a covered entity and ask for specific documentation relating to the complaint or data breach, and that information needs to be provided promptly. If a HIPAA-regulated entity is unable to prove it has a HIPAA compliance program in place, then a financial penalty is all but guaranteed. If you have invested time and effort into complying with the HIPAA Rules and can provide documentation demonstrating your good faith effort, HHS is more likely to provide technical assistance than impose a financial penalty. OCR says the vast majority of investigations are resolved through voluntary compliance or technical assistance, and financial penalties will be avoided if entities can demonstrate satisfactory compliance.
When OCR investigates a data breach, the organization will be asked to provide evidence that comprehensive, accurate risk analyses have been conducted. You may be asked to provide evidence of risk analyses for the past 5 or 6 years. If you can’t provide that documentation, it doesn’t matter whether those risk analyses were actually conducted: from OCR’s perspective, at best they were incomplete and at worst they were not conducted at all. Both are likely to result in a fine.
If a complaint is investigated about an alleged employee HIPAA violation, OCR will want to see evidence that a HIPAA training program is in place and proof that employees have received appropriate training. The sanctions policy may be requested, along with evidence of any ongoing corrective actions and sanctions, further training that has been provided to the workforce in response to discovered violations, and samples of breach notifications.
It is therefore imperative that you maintain accurate, detailed records of all of your compliance efforts and store that documentation in a central data repository with your policies and procedures. That will ensure that you can respond quickly to any request and provide evidence of compliance. The failure to provide the requested documentation could trigger a much more extensive review of your compliance program.
Pillar 2: Develop a Security Awareness and HIPAA Training Program
Policies and procedures must be developed on all aspects of HIPAA, and not just so that boxes can be ticked in a HIPAA compliance checklist. That may be sufficient to pass a very basic document review, but policies alone will not make an organization HIPAA compliant. All members of the workforce must be provided with the policies and must receive training relevant to their role. Every individual in a healthcare organization has a role to play in making their organization HIPAA compliant and must be trained so that they can perform their duties in a HIPAA-compliant way.
Employees should not have to guess how HIPAA applies. In addition to training, employees must be made aware of the sanctions policy and the repercussions of HIPAA violations, and the sanctions policy must be enforced.
HIPAA calls for training to be provided during the onboarding process, regardless of whether a new hire is a seasoned healthcare professional or is new to the industry. It is the responsibility of the compliance officer to ensure that appropriate training programs are developed and that all members of the workforce receive adequate training. While HIPAA violations can take many different forms, most HIPAA violations are due to mistakes by employees and a lack of appropriate training is often the cause.
It is unreasonable to expect employees to gain the knowledge of a compliance professional from HIPAA training provided during the onboarding process. The goal is to ensure that everyone is aware of how HIPAA applies to their role, the rules regarding uses and disclosures, and how to protect patient data. Training needs to be an ongoing process, so refresher training should be provided annually to ensure standards do not slip. HIPAA calls for staff to be trained on the internal policies relevant to their role and for all members of the workforce to receive security awareness training.
The importance of the latter was highlighted in the 2022 Verizon Data Breach Investigations Report, which revealed the human factor was involved in 82 percent of data breaches. Security awareness training is concerned with teaching security best practices, making the workforce aware of security threats, and training employees on how to recognize and report those threats. Through training, organizations can eradicate risky practices and significantly reduce the risk of a successful cyberattack and data breach.
Training programs should be tailored to each role and include the specific threats those individuals are likely to encounter. Given the extent to which healthcare employees are targeted with phishing attempts and BEC attacks, there needs to be a particular focus on identifying, avoiding, and reporting these threats to the security team.
Security awareness training is a requirement of the HIPAA Security Rule but the frequency of training is left to the discretion of each regulated entity. HIPAA-regulated entities should go above and beyond the minimum requirements for training and should implement an ongoing security awareness training program, with training delivered throughout the year. The goal should be the creation of a security culture, which is unlikely to happen with infrequent training. As with all aspects of HIPAA compliance, training must be documented. One of the first things OCR will seek to establish when investigating data breaches is whether a security awareness training program is in place.
Pillar 3: Develop, Implement, and Continuously Improve an Information Technology Security Program
There are 20 standards in the HIPAA Security Rule, but within each standard are many more implementation specifications. There are more than 60 implementation specifications that must be considered and implemented, including required and addressable specifications.
HIPAA Security Rule compliance primarily involves developing and implementing a comprehensive information security program that incorporates administrative, technical, and physical safeguards to protect against reasonably anticipated threats and hazards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The information security program must incorporate access controls to protect against internal and external unauthorized access to ePHI, continuous evaluation of security controls, monitoring information systems for unauthorized activity, security awareness training, and developing and implementing contingency and incident response plans.
The risk analysis is one of the fundamental implementation specifications of the HIPAA Security Rule, and one of the main areas where mistakes are made. Risk analyses must be accurate, comprehensive, and organization-wide, and should identify all potential risks and vulnerabilities to ePHI. Those risks must then be subjected to a risk management process and reduced to a low and acceptable level. Risks must be documented, assessed for criticality, prioritized, and managed, and the process must be fully documented, including how the risks were addressed, when they were resolved, any ongoing unresolved issues, and the time frames and steps for addressing those unresolved issues. Risk analyses should be conducted annually and in response to any material change in policies or procedures, or the introduction of new technology.
When investigating data breaches, OCR seeks to establish the underlying cause of a data breach and will require evidence of risk analyses and risk management. OCR will look for the mitigations in response to a data breach, the actions taken to prevent further incidents, and the entity’s compliance prior to the breach. Recognized security practices will also be considered as a mitigating factor, so these must be thoroughly documented.
HIPAA Security Rule compliance will ensure a baseline level of security is achieved but given the extent to which the healthcare industry is targeted, organizations should look beyond HIPAA Security Rule compliance and should continue to develop the information security program. Adopting a cybersecurity framework such as the NIST Cybersecurity Framework or HITRUST CSF will greatly improve an organization’s security posture and will be considered a mitigating factor by OCR when investigating data breaches and HIPAA Security Rule violations.
Organizations unable to take this step should consider adopting the HHS 405(d) Program, which serves as a stepping stone between HIPAA Security Rule compliance and the full implementation of a cybersecurity framework. The HHS 405(d) Program documentation outlines the main current cybersecurity threats to the sector, offers best practices for mitigating those threats, and provides technical assistance tailored to the size and capabilities of small, medium, and large healthcare organizations.
HIPAA Compliance is a Continuous Process
There is much more to HIPAA compliance than developing and documenting policies, training staff, and developing an effective information security program, but if you get the basic structure in place, achieving HIPAA compliance will be much more straightforward and you will be able to demonstrate that you are taking your obligations seriously.
Adopting a methodical checklist-style approach to HIPAA compliance will help to ensure compliance with all HIPAA standards, but becoming compliant is just the start. Maintaining compliance requires regular internal audits, updates to policies and procedures to account for new HIPAA requirements and changing technology, and ensuring that safeguards remain effective in a rapidly changing threat landscape.
Signing up to receive updates from the HHS 405(d) Program is a good place to start. A plan should also be developed for adopting a cybersecurity framework to improve the maturity of your cybersecurity program, and there are advantages to be gained from using HIPAA compliance software, especially for healthcare organizations and business associates that feel a little overwhelmed by HIPAA compliance.
Steve Alder, Editor-in-Chief, HIPAA Journal