How to Achieve Reliable HIPAA Compliance by Manhattan Tech Support
Many healthcare organizations struggle with HIPAA, but the right guidance can put you on track to dependable compliance.
In recent years, regulators have aggressively increased efforts to enforce HIPAA and HITECH, the two most common regulations for the healthcare industry. Yet despite continued vigilance and awareness, HIPAA non-compliance is still very common throughout the healthcare industry.
The U.S. Office of Civil Rights (OCR), which is responsible for HIPAA enforcement, found HIPAA violations in 70% of the cases it investigated.[i]
78% of healthcare employees showed some lack of preparedness with common privacy and security threats, which is 8% higher than the average among all industries. [ii]
Lack of employee preparedness keeps the total number of data breaches in the healthcare industry high. There were 32 million records breached in the first half of 2019, double the number of breaches in all of 2018.[iii]
The Path to Strong HIPAA Compliance
HIPAA wasn’t designed to be a one-size-fits-all regulation. Instead, it gives organizations some leeway to determine how they should best protect their systems and data. Any healthcare organization that stores and manages electronic protected health information (ePHI) should protect that data with three types of safeguards:
- Technical Safeguards
This category includes all the ways an organization can use technology to automatically protect ePHI as it flows through their network.
- Administrative Safeguards
Administrative safeguards specify the responsibilities of human staff members. They make up over half of the HIPAA text.
- Physical Safeguards
HIPAA also requires that physical office space and network endpoints are secured against tampering and intrusion.
The Five Technical Requirements of HIPAA Compliance
Although organizations have difficulty with the administrative and physical safeguards, it’s often the five technical safeguards that challenge them the most.
HIPAA has five technical safeguards to protect ePHI.
- Access Controls – These limit ePHI access to authorized personnel.
- Audit Controls – Organizations must use the right mix of hardware, software, and process to monitor and log data access.
- Integrity control – These ensure that data is not altered or destroyed by unauthorized personnel
- Transmission security – This set of controls is used to ensure that ePHI is protected when in transit across a network.
- Authentication – Verifies the identity of individuals accessing sensitive information.
Making sure that you’ve implemented the five technical safeguards on all your systems is just one part of achieving HIPAA compliance. It’s just as important to maintain compliance as your systems evolve, which requires on-going vigilance.
Common HIPAA Stumbling Blocks
Due to HIPAA’s complexity, there are several different ways in which healthcare organizations can get compliance wrong. Here are some of the most common errors that organizations make.
The OCR maintains a “wall of shame,” where it posts HIPAA violations that are under investigation. Attacks that originate in a company’s email system make up a significant proportion of those attacks. [i]
HIPAA email best practices include:
- Obtain patient’s written consent before sending information via email
- Never including ePHI in subject lines
- Always confirming the accuracy of email addresses
- Encrypting emails whenever possible
Mobile devices can help keep doctors and nurses in better communication, but they’re often a major compliance liability.
Four out of five doctors are using their personal smartphone for work
Three out of five nurses are using their personal smartphone for work[ii]
Using personal devices contributes directly to employees, inadvertently leaking electronically protected healthcare information. To mitigate this problem, mobile devices must be secured using an enterprise mobility management (EMM) solution.
Proper Vendor Management
A business associate is any person or organization that interacts with your ePHI. HIPAA requires that you have a business associate agreement with each of those vendors. This includes:
- Medical billing service providers
- Data back-up and disaster recovery services
- Software-as-a-service (SaaS) and cloud service providers
For even a small healthcare provider, this can lead to the maintenance of dozens of different vendor relationships and agreements. But having a signed business associate’s agreement isn’t enough for compliance.
Delegate BA management responsibility -> Perform technical due diligence on each vendor -> Control vendor access to ePHI with the rule of least privilege -> Regularly audit vendors -> Manage and review contracts
Lay a Foundation for HIPAA with the NIST Cybersecurity Framework
The National Institute for Standards and Technology (NIST) Cybersecurity Framework was developed by the Federal Government to help improve the security of the national-level infrastructure.
Because of its detailed prescriptions, it can also be used as a valuable reference for achieving HIPAA compliance.
The NIST process has five major high-level functions.
Identify – Gain full visibility of your physical and digital assets, and their vulnerabilities
Protect – Control access to those assets with appropriate safeguards
Detect – Possess visibility over your network and identify threats quickly
Respond – Contain cybersecurity events with a response plan and clear lines of communication
Recover – Effectively recover any damaged services with clear action points
Manhattan Tech Support can help guide you through every stage of the NIST implementation process, achieving strong HIPAA compliance, and better cybersecurity in the process.
Manhattan Tech Support – NYC’s Trusted HIPAA Consultant
We’ve been serving the security and compliance needs of NYC’s healthcare community for two decades, and during that time, have helped a wide variety of healthcare organizations, from small doctor’s offices and clinics to large hospitals and insurance companies, navigate the complex road to dependable HIPAA compliance.
Do you have HIPAA questions for your experts? Contact us any time at 212-299-7673 or firstname.lastname@example.org! We’re always happy to help.
Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.
Exceed Digital – the custom software development and business intelligence solutions division of ManhattanTechSupport.com LLC