What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. Congress passed the act in 1996. The act focuses on health care reform, security, and coverage. HIPAA Title II requires businesses to adhere to national standards on healthcare data protection and privacy. Failure to comply with HIPAA Title II leads to punitive fines up to $1.5 million and prison sentences depending on the severity of the violation.
HIPAA Title II: Administrative Simplification (From SearchHealthIT)
- National Provider Identifier Standard. Each healthcare entity, including individuals, employers, health plans and healthcare providers, must have a unique 10-digit national provider identifier number, or NPI.
- Transactions and Code Sets Standard. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
- HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.
- HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information sets standards for patient data security.
- HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations.
Protected Health Information (PHI) (From SearchHealthIT)
- Social Security Number
- Mental and Physical Health Conditions
- Any care provided to an individual
- Information concerning the payment for care provided to the individual that identifies the patient
- Information for which there is a reasonable basis to believe that it could be used to identify the patient
Administrative requirements (from SearchHealthIT)
The Privacy Rule lays out certain administrative requirements that covered entities must have in place.
These requirements include the following:
- A privacy official must be appointed who is responsible for developing and implementing policies and procedures at a covered entity.
- Employees, including volunteers and trainees, must be trained on policies and procedures.
- Appropriate administrative, technical and physical safeguards must be maintained to protect the privacy of PHI in a covered entity.
- A process for individuals to make complaints concerning policies and procedures must be in place at a covered entity.
- If PHI is disclosed in violation of its policies and procedures, a covered entity must mitigate, to the furthest extent actionable, any harmful effects.
Why It Matters for my Business?
Often businesses fail to comply with HIPAA without realizing it. The HIPAA act requires strict adherence and even the smallest deviation from protocol counts as compliance failure. The government mandates that health plans, healthcare clearinghouses, healthcare providers, and entities that provide data transmission of PHI comply with HIPAA. The obvious HIPAA compliant businesses like medical practices and healthcare providers know their HIPAA compliance needs but lose track of the electronic security and protection aspect of HIPAA compliance. The information technology industry changes daily so the security requirements for electronic data also changes. Failure to implement these changes leaves your business vulnerable. With so many other important decisions and tasks, these professionals often neglect to keep their tools and systems operating at HIPAA standards. Plus, HIPAA holds health organizations accountable for ensuring that their business associates and subcontractors follow HIPAA.
Other non-health related companies surprisingly must comply with HIPAA. For instance, Dell, as a data storage company, needs to remain HIPAA compliant in order to sell their data storage services to HIPAA compliant customers. If your business handles PHI at all, you need to remain HIPAA compliant to protect yourself and your business associates.
With the growth of cybercrime over the past decade, the electronic data protection aspect of HIPPA compliance rapidly became the most important part of the act. Almost all health organizations use some form of cloud-based storage for their records. Cloud-based storage necessitates enhanced security. Failing to protect your network with the best defensive measures, increases the likelihood of a successful cyber-attack drastically. Security starts with device encryption, password management, strong firewalls, updated software, and consistent monitoring. You set yourself up for inevitable failure if you use outdated equipment, software, and passwords.
How to Comply?
Device Encryption – Use professional software to encrypt all devices that handle PHI. Encryption encodes files so that only authorized users may access that information. Without the proper authorization password or code, the files remain scrambled and unreadable by other devices. Device encryption protects your data from offline attacks like robberies or unauthorized users attempting to access confidential information.
Email Encryption– Using email encryption add-ons protects secure information when sent via email. For instance, if you send billing information or receipts to customers, or they request a digital version of the medical files, encrypted emails protect that information. Sending unencrypted emails increases the chances of a third party illegally accessing it and HIPAA compliance failure.
Provide Internal Vulnerability Scanning – Internal vulnerability scans help identify potential security risks within a network. They search for things like open ports or missing security patches and identify those vulnerabilities to fix before a hacker exploits them.
External Penetration Testing – External Penetration tests probe the defenses of your firewall and network. A penetration tester plays the role of a malicious hacker and attacks your network, trying to breakthrough. The results determine the hacking risk level and provide a benchmark for the strength of your network. Although costly, penetration testing offers the best insight into network security and strength. Experts recommend penetration testing once a year at the minimum.
As a company, perform an audit on your business practices, electronic and non-electronic. This blog post focuses primarily on the handling of electronic PHI and the compliance with that aspect of HIPAA, but HIPAA requires complete compliance from your business, not just in electronic data security. Performing an audit works similarly to internal vulnerability scanning. It alerts you to issues that need fixing before someone takes advantage of your incompetence. Hiring a credible third-party company to perform the audit allows for a neutral honest opinion of the state of your security and HIPAA compliance.
Make electronic compliance a priority, especially with most PHI now stored in the cloud. The constantly evolving technological industry forces continuous updating and patching. Keep all software, hardware, and security updated. Outdated software offers a prime target for hackers.
For electronic compliance, Origami Technology Group offers device encryption, email encryption, internal vulnerability scanning, and external penetration testing packages. We also set up your network, firewall, and help you select the right software to best protect your information. We want to set you up to comply with HIPAA, so you avoid hefty fines or criminal punishment that ruin your business and life. Contact our owner and compliance expert Bill Gayle at his email, firstname.lastname@example.org for more information on how to start ensuring your business is HIPAA compliant.
**** The description of HIPAA and what it entails comes from SearchHealthIT****