HIPAA Compliance in 2019 – A Mix of Challenges and Opportunities for Healthcare Providers to Become and Remain Compliant

Healthcare organizations must take the right steps to avoid big fines and stay current with the latest technologies.

March 12, 2019 | Manhattan Tech Support

Cloud Services, IT Consulting & Strategy, Security, Tech Support & Managed IT Services, Healthcare


In recent years, the Department of Health and Human Services Office of Civil Rights Management (OCR) has aggressively increased efforts to make sure that healthcare providers are properly implementing the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Although the total number of penalties has plateaued since its 2016 peak, in the last two years the OCR has increased the size of HIPAA violation fines, including the headline-making $16 million penalty for Anthem Inc., the largest HIPAA fine ever.

With a renewed vigor for enforcing HIPAA compliance, and with data breaches on the rise in the healthcare industry, it’s essential that providers have a clear idea of what’s required of them, especially as new technologies continue to shape the healthcare landscape in 2019.

The Five Technical Requirements of HIPAA Compliance

There are five main dimensions in which the HIPAA standard protects digital information; these are referred to as the “technical safeguards.”

  1. Access Controls – These limit access to electronic personal health information (ePHI) to authorized personnel.
  2. Audit Controls – Organizations must use the right mix of hardware, software, and procedures so that all systems storing ePHI are monitored and data access is properly logged.
  3. Integrity controls – This set of controls ensures that data is not being altered or destroyed by unauthorized personnel.
  4. Transmission security – This set of controls is used to ensure that electronic personal health information (ePHI) is protected when in transit across a network.
  5. Authentication – Verifies the identity of individuals accessing sensitive information.
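To make the first three safeguards concrete, here is an added example (not code from the original post or from Manhattan Tech Support) that implements a minimal access-control gate over ePHI records together with a tamper-evident audit log. Every read attempt, allowed or denied, is recorded, and each log entry carries an HMAC over its own fields plus the previous entry's tag, so editing or deleting an entry breaks the chain. The role table, the record identifiers and the HMAC key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Roles permitted to read ePHI. Constructed for this example; a real
// deployment would take this from the identity provider or EHR policy.
var ephiReaders = map[string]bool{"physician": true, "nurse": true}

// AuditEntry is one line of the access log. Tag is an HMAC over the entry's
// fields and the previous entry's Tag, which chains the log together.
type AuditEntry struct {
	Seq     int
	User    string
	Role    string
	Record  string
	Outcome string
	Tag     string
}

// AuditLog holds the chained entries and the key used to tag them.
type AuditLog struct {
	key     []byte
	entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// tag computes the HMAC-SHA256 chain value for an entry given the previous tag.
func (l *AuditLog) tag(e AuditEntry, prev string) string {
	m := hmac.New(sha256.New, l.key)
	fmt.Fprintf(m, "%d|%s|%s|%s|%s|%s", e.Seq, e.User, e.Role, e.Record, e.Outcome, prev)
	return hex.EncodeToString(m.Sum(nil))
}

// append writes one entry, linking it to the tag of the entry before it.
func (l *AuditLog) append(user, role, record, outcome string) {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Tag
	}
	e := AuditEntry{Seq: len(l.entries), User: user, Role: role, Record: record, Outcome: outcome}
	e.Tag = l.tag(e, prev)
	l.entries = append(l.entries, e)
}

// Verify recomputes every tag in order and returns the index of the first
// entry that no longer matches, or -1 when the whole chain is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if !hmac.Equal([]byte(l.tag(e, prev)), []byte(e.Tag)) {
			return i
		}
		prev = e.Tag
	}
	return -1
}

// AccessEPHI is the access-control gate: the decision is logged before any
// data would be returned, so the audit trail covers denied attempts too.
func (l *AuditLog) AccessEPHI(user, role, record string) error {
	if !ephiReaders[role] {
		l.append(user, role, record, "DENIED")
		return errors.New("access denied: role " + role + " may not read ePHI")
	}
	l.append(user, role, record, "ALLOWED")
	return nil
}

func main() {
	audit := NewAuditLog([]byte("constructed-demo-key-not-for-production"))
	_ = audit.AccessEPHI("dr.lee", "physician", "MRN-000123") // constructed sample ids
	_ = audit.AccessEPHI("j.doe", "billing", "MRN-000123")
	fmt.Println("first bad entry before tampering:", audit.Verify())
	// Simulate someone editing the log to hide a denied attempt.
	audit.entries[1].Outcome = "ALLOWED"
	fmt.Println("first bad entry after tampering:", audit.Verify())
}
```

The HMAC key must live somewhere the people who can edit the log cannot reach (an HSM, a secrets manager, or a separate logging host); otherwise the chain can simply be recomputed after the edit.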

Although HIPAA has been around for over twenty years, many healthcare organizations still struggle to maintain strict control over their data. Why is that?

Part of the problem is the sheer volume of data that the healthcare industry produces. Not only is there EHR data to manage, but there may also be external data collection efforts to supervise, as well as supply chain or vendor data that must be processed securely. In other situations, there just isn’t the IT manpower to ensure that data is being protected throughout the entire network.

There are several areas that could be potential sources of trouble for healthcare organizations in 2019; let’s look at a few.

Securing Mobile Devices for HIPAA Compliance

Studies have shown that over four out of five physicians, and three out of four nurses, use their personal smartphone at work. To receive all the benefits that mobile devices can provide without putting ePHI at risk, healthcare providers must take vigorous steps to ensure that their HIPAA controls secure mobile data as effectively as possible.

First, this means ensuring that best practices are being uniformly enforced. Don’t allow your employees to “jailbreak” devices and ensure that applications and operating systems are getting regular updates. Also, make sure that any mobile device connecting to your EHR is doing so through a virtual private network (VPN) or using multi-factor authentication. These first-line measures are mandatory and should be considered a foundation for further steps.

Next, make sure that your email and messaging applications are secure. While HIPAA doesn’t lay out explicit requirements for data encryption, it does say that encryption should be implemented if it will help protect ePHI. Because a decision not to encrypt data must be accompanied by a documented alternative, this effectively means that encryption is required for all data in transit over mobile networks.

When looking for solutions, remember there’s a big difference between those that are merely HIPAA capable and those that are built to be HIPAA compliant. To make sure that data is encrypted while in transit and stays encrypted while at rest, you will likely need to combine several solutions so that all your emails and instant messages are sent securely. Developing this type of comprehensive solution is often best handled by an outside expert who has experience building and deploying HIPAA-compliant mobile solutions.


Finding Greater Confidence in the Cloud

Another focal point for HIPAA compliance experts in recent years has been cloud computing. While cloud adoption rates in the healthcare industry continue to soar, providers still face great ambiguity when making a commitment to cloud technology or expanding their existing cloud services. This includes concerns such as: how do I properly vet my cloud service providers (CSPs)? How do I ensure that cloud data is HIPAA compliant throughout its entire lifecycle?

Any CSP that stores ePHI for your patients is subject to the same HIPAA controls that you are. To determine the HIPAA compliance of a potential CSP, begin by analyzing the quality of their solutions and whether they provide the required levels of security and uptime. In the event of downtime, do they have procedures in place that still allow you to access your data? Consider all these elements of their compliance services before signing on with them. The next step in verifying a CSP is a thorough risk analysis of their administrative and technical controls, to ensure that the CIA triad of confidentiality, integrity, and availability will properly apply to all the data they’ll be storing or processing for you.

Here, as with mobile devices, encryption will play a significant role. The industry standard for at-rest data is AES 256-bit encryption. This should be employed on both local and cloud file systems. However, at-rest data is just one piece of the puzzle. To ensure that data is secured while in transit, healthcare providers need to implement secure sockets layer (SSL) encryption, so that data moving between web browsers and cloud services, or mobile devices and cloud services, is adequately protected.
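The two halves of that paragraph, AES-256 for data at rest and transport encryption for data in transit, look like this in code. This is an added example, not code from the original post or from any CSP; it uses Go's standard library only. At rest it seals each ePHI record with AES-256-GCM, binding the record identifier as associated data so that a ciphertext copied onto another patient's row will not open, and it shows GCM rejecting a tampered record instead of returning garbage. For transit it builds a `tls.Config` with TLS 1.2 as the minimum protocol version; the "SSL" the post names has been superseded by TLS, and the old SSL versions should not be enabled. The key, record id and record contents are constructed for the example, and the key handling (a fresh random key in `main`) stands in for a real key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// EncryptRecord seals one ePHI record with AES-256-GCM. The record id is
// bound as associated data (it is authenticated but not encrypted), and the
// key must be exactly 32 bytes, which is what selects AES-256.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; GCM nonces must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || 16-byte GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord opens a sealed record. Any change to the ciphertext, the tag,
// the nonce or the record id makes gcm.Open return an error.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// TransitConfig is the in-transit side: TLS 1.2 or newer only, with
// certificate verification left at Go's default (on).
func TransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key := make([]byte, 32) // stands in for a key from a key management service
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := EncryptRecord(key, "MRN-000123", []byte("dx: constructed sample record"))
	if err != nil {
		panic(err)
	}
	// Flip one byte of the stored record: decryption is refused outright.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, "MRN-000123", tampered)
	fmt.Println("tampered record rejected:", err != nil)
	// The same ciphertext filed under a different patient id also fails.
	_, err = DecryptRecord(key, "MRN-000999", sealed)
	fmt.Println("wrong record id rejected:", err != nil)
	fmt.Println("minimum TLS version:", TransitConfig().MinVersion == tls.VersionTLS12)
}
```

The config is used the same way on both ends: pass it to `tls.Dial` for a client talking to a cloud API, or to `tls.NewListener` on the service side, and keep `InsecureSkipVerify` at its default of false.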

The Benefit of Having NYC’s HIPAA Expert at Your Side

There’s nothing like having an expert at your side to help you deal with the many complexities involved in achieving strong HIPAA compliance. Manhattan Tech Support has been helping organizations in the healthcare industry build and maintain HIPAA compliance strategies for decades and can guide you through every step of the process. Have a question for our experts? Call us anytime at 212-299-7673.

