Understand HIPAA Privacy and Security Rules, and how they apply to your organization.

Tod Ferran, CISSP, QSA
When you think about Health Insurance Portability and Accountability Act (HIPAA) compliance, you may think of carefully guarding patient information from outsiders, privacy practice documentation, breach response policies, and individual patient rights surrounding protected health information (PHI).

What you might not consider is the more technical side of HIPAA, which contains rules about privacy and protecting patient data through the use of ‘reasonable and appropriate’ technologies. These technologies consist of firewalls, disk encryption, remote access, two-factor authentication, internal/external vulnerability scans and other applications and systems that may be required for your unique environment.

So, has your office implemented or considered technological safeguards? Many think they have, until a breach or audit provides an expensive education.

Privacy vs. security

The healthcare industry is extremely familiar with the HIPAA Privacy Rule, but the same rules, regulations and policies that regulate it do not necessarily extend to the Security Rule. The Security Rule revolves around safeguarding the systems that house or transmit electronic PHI, and has many technical requirements that even competent IT departments may not be qualified to complete.


While policies generated by lawyers or CPAs that outline data safeguarding practices are essential, the implementation of those policies is even more important. A HIPAA privacy or HIPAA security policy itself doesn’t cover a business from the effects of data loss or breach, but through policy implementation, an organization stands a much better chance against data thieves.

Because the HIPAA Security Rule and its implementation require advanced technical knowledge, many organizations don't know where to begin.


HIPAA compliance best practices

Here is a list of recommendations I usually give to small healthcare practices regarding their HIPAA compliance. Following the tips on this list will help you avoid potential audits, patient data compromise, or breach fines.
  • Acknowledge that you may not have the required training or time to pursue true HIPAA compliance (not just HIPAA Privacy Rule compliance). Find a provider and advisor who can personally guide you through the process.
  • Identify the person who holds assigned responsibility for the HIPAA Security Rule in your organization. If you don’t have someone, assign a HIPAA Security Officer to be the company liaison to the HIPAA advisor.
  • Conduct a preliminary risk analysis to discover the security risks at your organization.
  • Mitigate the findings of the preliminary risk analysis.
  • Create a detailed PHI data flow diagram and/or description.
  • Perform a full risk analysis with input from both internal and external resources.
  • Update your current policy and procedure documentation and ensure employees are appropriately trained.
  • Set HIPAA requirement goals and milestones.
  • Implement the plan and begin improving your security profile.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.