INFOGRAPHIC - How to Achieve Reliable HIPAA Compliance

Many healthcare organizations struggle with HIPAA, but the right guidance can put you on track to dependable compliance.

February 25, 2020Manhattan Tech Support

Cloud ServicesIT Consulting & StrategySecurityTech Support & Managed IT ServicesHealthcare

HIPAA infographic

How to Achieve Reliable HIPAA Compliance by Manhattan Tech Support

Many healthcare organizations struggle with HIPAA, but the right guidance can put you on track to dependable compliance.

In recent years, regulators have aggressively increased efforts to enforce HIPAA and HITECH, the two most common regulations for the healthcare industry. Yet despite continued vigilance and awareness, HIPAA non-compliance is still very common throughout the healthcare industry.

The U.S. Office of Civil Rights (OCR), which is responsible for HIPAA enforcement, found HIPAA violations in 70% of the cases it investigated.[i]

78% of healthcare employees showed some lack of preparedness with common privacy and security threats, which is 8% higher than the average among all industries. [ii]

Lack of employee preparedness keeps the total number of data breaches in the healthcare industry high. There were 32 million records breached in the first half of 2019, double the number of breaches in all of 2018.[iii]

The Path to Strong HIPAA Compliance

HIPAA wasn’t designed to be a one-size-fits-all regulation. Instead, it gives organizations some leeway to determine how they should best protect their systems and data. Any healthcare organization that stores and manages electronic protected health information (ePHI) should protect that data with three types of safeguards:

  • Technical Safeguards
    This category includes all the ways an organization can use technology to automatically protect ePHI as it flows through their network.
  • Administrative Safeguards
    Administrative safeguards specify the responsibilities of human staff members. They make up over half of the HIPAA text.
  • Physical Safeguards
    HIPAA also requires that physical office space and network endpoints are secured against tampering and intrusion.

The Five Technical Requirements of HIPAA Compliance

Although organizations have difficulty with the administrative and physical safeguards, it’s often the five technical safeguards that challenge them the most.

HIPAA has five technical safeguards to protect ePHI.

  1. Access Controls – These limit ePHI access to authorized personnel.
  2. Audit Controls – Organizations must use the right mix of hardware, software, and process to monitor and log data access.
  3. Integrity control – These ensure that data is not altered or destroyed by unauthorized personnel
  4. Transmission security – This set of controls is used to ensure that ePHI is protected when in transit across a network.
  5. Authentication – Verifies the identity of individuals accessing sensitive information.

Making sure that you’ve implemented the five technical safeguards on all your systems is just one part of achieving HIPAA compliance. It’s just as important to maintain compliance as your systems evolve, which requires on-going vigilance.

Common HIPAA Stumbling Blocks

Due to HIPAA’s complexity, there are several different ways in which healthcare organizations can get compliance wrong. Here are some of the most common errors that organizations make.

Unsecured Email

The OCR maintains a “wall of shame,” where it posts HIPAA violations that are under investigation. Attacks that originate in a company’s email system make up a significant proportion of those attacks. [i]

HIPAA email best practices include:

  • Obtain patient’s written consent before sending information via email
  • Never including ePHI in subject lines
  • Always confirming the accuracy of email addresses
  • Encrypting emails whenever possible

Mobile Devices

Mobile devices can help keep doctors and nurses in better communication, but they’re often a major compliance liability.

Four out of five doctors are using their personal smartphone for work

Three out of five nurses are using their personal smartphone for work[ii]

Using personal devices contributes directly to employees, inadvertently leaking electronically protected healthcare information. To mitigate this problem, mobile devices must be secured using an enterprise mobility management (EMM) solution.

Proper Vendor Management

A business associate is any person or organization that interacts with your ePHI. HIPAA requires that you have a business associate agreement with each of those vendors. This includes:

  • Medical billing service providers
  • Data back-up and disaster recovery services
  • Software-as-a-service (SaaS) and cloud service providers

For even a small healthcare provider, this can lead to the maintenance of dozens of different vendor relationships and agreements. But having a signed business associate’s agreement isn’t enough for compliance.

Delegate BA management responsibility -> Perform technical due diligence on each vendor -> Control vendor access to ePHI with the rule of least privilege -> Regularly audit vendors -> Manage and review contracts

Lay a Foundation for HIPAA with the NIST Cybersecurity Framework

The National Institute for Standards and Technology (NIST) Cybersecurity Framework was developed by the Federal Government to help improve the security of the national-level infrastructure.

Because of its detailed prescriptions, it can also be used as a valuable reference for achieving HIPAA compliance.

The NIST process has five major high-level functions.

Identify – Gain full visibility of your physical and digital assets, and their vulnerabilities

Protect – Control access to those assets with appropriate safeguards

Detect – Possess visibility over your network and identify threats quickly

Respond – Contain cybersecurity events with a response plan and clear lines of communication

Recover – Effectively recover any damaged services with clear action points

Manhattan Tech Support can help guide you through every stage of the NIST implementation process, achieving strong HIPAA compliance, and better cybersecurity in the process.

Manhattan Tech Support – NYC’s Trusted HIPAA Consultant

We’ve been serving the security and compliance needs of NYC’s healthcare community for two decades, and during that time, have helped a wide variety of healthcare organizations, from small doctor’s offices and clinics to large hospitals and insurance companies, navigate the complex road to dependable HIPAA compliance.

Do you have HIPAA questions for your experts? Contact us any time at 212-299-7673 or info@manhattantechsupport.com! We’re always happy to help.

 

[i] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

[ii] https://www.ncbi.nlm.nih.gov/pubmed/27925381

[iiii] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html

[iv] https://www.prnewswire.com/news-releases/new-report-7-in-10-employees-lack-the-awareness-needed-to-prevent-common-cyber-incidents-300529125.html

[v] https://www.prnewswire.com/news-releases/32-million-breached-patient-records-in-first-half-of-2019-double-total-for-all-of-2018-300894237.html

SEE MORE

Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.

Exceed Digital – the custom software development and business intelligence solutions division of ManhattanTechSupport.com LLC

Related Articles

How Powerful IT Solutions Can Make Companies More Efficient and Resilient in a Post-COVID World

calendar July 10, 2020

author Manhattan Tech Support

Cloud Services IT Consulting & Strategy Security Tech Support & Managed IT Services Telecommunications Construction Education Finance Healthcare Legal Real Estate

How Powerful IT Solutions Can Make Companies More Efficient and Resilient in a Post-COVID World

After months of quarantine and social distancing, COVID-19 cases are on the decline in New York. With businesses now planning to re-open and bring employees back to the office, the question becomes, is having staff in-house always the best solution?

Read More
How A Trusted IT Partner Can Help Your Business Through Crisis

calendar June 5, 2020

author Manhattan Tech Support

Business Intelligence Cloud Services IT Consulting & Strategy Security Software Development Tech Support & Managed IT Services Telecommunications Construction Education Finance Healthcare Legal Real Estate

How A Trusted IT Partner Can Help Your Business Through Crisis

The COVID-19 crisis has stressed businesses across New York City, forcing them to depend on their technology systems in a way they wouldn’t have anticipated just a few weeks ago. Unfortunately, during this period many businesses have discovered that their

Read More
Is Your Business Prepared for the California Consumer Privacy Act?

calendar May 13, 2020

author Manhattan Tech Support

Business Intelligence Cloud Services IT Consulting & Strategy Security Software Development Tech Support & Managed IT Services Telecommunications Construction Education Finance Healthcare Legal Real Estate

Is Your Business Prepared for the California Consumer Privacy Act?

At the end of last year, California passed the California Consumer Privacy Act (CCPA), a landmark piece of legislation that defines a new standard for an individual’s data rights. The law provides three major forms of protection for consumers: Right

Read More