The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and is administered and enforced by the U.S. Department of Health and Human Services (HHS). Its provisions cast a wide net over insurance coverage, medical records and tax rules. However, rapidly advancing technology and a changing threat landscape have put a spotlight on the Privacy and Security Rules, and in particular on the Security Rule's requirements for electronic protected health information (ePHI).
In a nutshell, the Security Rule (45 CFR § 164.306(a)) requires covered entities and their business associates, that is, any organization that creates, receives, maintains or transmits ePHI, to implement appropriate administrative, physical and technical safeguards to:
1. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
3. Protect against reasonably anticipated, impermissible uses or disclosures
4. Ensure compliance by their workforce
The rule is intentionally flexible and scalable so that organizations of every size and IT budget can implement safeguards suited to their own environment. The flip side is that the word “reasonably” leaves room for interpretation about how much privacy and security is actually necessary.
Given the complexity of the technology and the breadth of the HIPAA requirements, it is easy to fall back on checking boxes to demonstrate compliance and lose sight of why privacy and security matter in the first place. Organizations that aim only for HIPAA compliance can therefore still be exposed: meeting the rule is the floor, not a guarantee against a breach.
HHS has made it clear that nonconformance with any part of HIPAA can lead to costly fines. A security breach can be costlier still, because it hits finances, reputation and patient trust at the same time. ePHI handlers are therefore urged to look beyond the minimum of “reasonably” anticipated threats and impermissible uses when deciding how far their safeguards should go.
The importance of data security cannot be overstated. HIPAA compliance and the substantive privacy and security controls around confidential information deserve equal effort, and giving both the attention they need starts with a thorough risk assessment.
HHS agrees. The Summary of the HIPAA Security Rule states: “Every organization that creates, receives, maintains or transmits ePHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with 164.308 of the HIPAA Security Rule.” The rule itself, at 45 CFR § 164.308(a)(1)(ii)(A), calls this a risk analysis; HHS guidance uses the two terms interchangeably.
The Security Rule does not prescribe a specific risk assessment method or tool. A risk assessment is the starting point of an overall risk management process, and it is unique to each environment, varying with the organization's size, complexity and capabilities.
Furthermore, according to the HHS “Guidance on Risk Analysis Requirements under the HIPAA Security Rule,” there is no single risk management strategy that fully guarantees a risk-free environment. That said, HHS does state what a risk assessment should accomplish: “Identify potential risks and vulnerabilities that can compromise the confidentiality, availability and integrity of all protected health information.” Resources such as NIST Special Publication 800-30, “Guide for Conducting Risk Assessments,” and HIPAA Journal contain helpful ideas for taking a holistic approach to that objective:
Identify where all ePHI is stored, received, maintained and transmitted – Document every server, internal and external data center, workstation, mobile device, removable medium and third-party or cloud system that handles ePHI. Anything missing from this inventory is invisible to the rest of the assessment.
Identify all potential security vulnerabilities and threats relevant to your environment – This can include clarifying the following:
Evaluate current security strategies for protecting ePHI – Some of the areas you might assess for this objective include:
Assign risk levels to each threat and vulnerability combination based on likelihood and impact – As the “Guidance on Risk Analysis” notes, a risk-free environment does not exist. Use the assessment to define your risk tolerance so that effort goes first to the most likely, highest-impact findings, and document the rating and its reasoning so the decision can be defended later.
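The four steps above, carried through as a small risk register. This is an added, constructed example, not an HHS tool or any organization's actual register: the asset inventory, the threat and vulnerability pairs, the three-level likelihood and impact scale and the rating thresholds are all assumptions chosen for illustration. It shows two checks a practitioner wants from the assessment: a ranked list of findings at or above the chosen risk tolerance, and a list of ePHI assets that appear in the inventory but have no entry in the register (a coverage gap that a box-checking assessment tends to miss).

```python
"""Constructed HIPAA risk-analysis register (example only, not an HHS method).

Steps modelled: (1) inventory where ePHI lives, (2) pair each asset with the
threats and vulnerabilities that apply, (3) rate likelihood and impact given
the controls already in place, (4) rank findings against a risk tolerance.
"""
from dataclasses import dataclass, field

# Assumed qualitative scale; NIST SP 800-30 allows finer scales.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    location: str            # where the ePHI sits: data center, cloud, mobile, media
    holds_ephi: bool = True


@dataclass
class RiskItem:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str          # rated with current controls taken into account
    impact: str
    controls: list = field(default_factory=list)   # existing safeguards (documentation)

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def level(self) -> str:
        return risk_level(self.score())


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 1..3 scale, giving a score from 1 to 9."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(score: int) -> str:
    """Map a score to a rating. The cut-offs (>=6 high, >=3 medium) are an assumption."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(items: list, tolerance: str = "medium") -> list:
    """Findings rated at or above `tolerance`, highest score first."""
    floor = LEVELS[tolerance]
    kept = [i for i in items if LEVELS[i.level()] >= floor]
    return sorted(kept, key=lambda i: (-i.score(), i.asset.name, i.threat))


def uncovered_assets(assets: list, items: list) -> list:
    """ePHI assets from the inventory that have no risk item at all."""
    covered = {i.asset.name for i in items}
    return sorted(a.name for a in assets if a.holds_ephi and a.name not in covered)


def build_sample_register():
    """Constructed inventory and findings for a small clinic (illustrative data)."""
    ehr = Asset("EHR database server", "on-prem data center")
    laptops = Asset("Clinician laptops", "mobile")
    billing = Asset("Billing SaaS", "cloud / business associate")
    tapes = Asset("Backup tapes", "off-site storage")        # deliberately left out of the register
    assets = [ehr, laptops, billing, tapes]
    items = [
        RiskItem(ehr, "ransomware", "unpatched operating system", "high", "high",
                 controls=["daily backups"]),
        RiskItem(laptops, "lost or stolen device", "no full-disk encryption", "medium", "high",
                 controls=["screen lock"]),
        RiskItem(billing, "impermissible disclosure by vendor", "no signed BAA", "low", "high"),
        RiskItem(ehr, "insider misuse", "shared administrator accounts", "medium", "medium",
                 controls=["audit logging"]),
        RiskItem(laptops, "malware via email", "no endpoint detection", "low", "low",
                 controls=["mail filtering", "user training"]),
    ]
    return assets, items


if __name__ == "__main__":
    assets, items = build_sample_register()
    for item in prioritize(items, "medium"):
        print(f"{item.level():6} {item.score()}  {item.asset.name}: {item.threat} / {item.vulnerability}")
    print("ePHI assets with no risk entry:", uncovered_assets(assets, items))
```

The scale and thresholds are placeholders; what matters is that every rating is recorded with its reasoning and the list of uncovered assets is empty before the assessment is signed off.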
HHS is clear that a HIPAA risk assessment is not a one-time exercise. Technology, regulatory guidance, standards and processes all keep evolving, which makes the target move. Organizations need a risk management plan that includes routine reassessment. HHS sets no required frequency, but organizations should follow a consistent schedule and reassess whenever a new system, device or significant change is introduced.
Technology continues to open the door to more innovative health care, which creates an ongoing need to integrate more systems and devices to keep pace. This, along with the continued rise in cyberattacks against health care organizations, makes achieving and maintaining compliance harder. More organizations are turning to automated risk management tooling to track and complete risk management tasks and keep HIPAA compliance within reach.
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.