INFOGRAPHIC - How to Achieve Reliable HIPAA Compliance

Many healthcare organizations struggle with HIPAA, but the right guidance can put you on track to dependable compliance.

February 25, 2020Manhattan Tech Support

Cloud ServicesIT Consulting & StrategySecurityTech Support & Managed IT ServicesHealthcare

HIPAA infographic

How to Achieve Reliable HIPAA Compliance by Manhattan Tech Support

Many healthcare organizations struggle with HIPAA, but the right guidance can put you on track to dependable compliance.

In recent years, regulators have aggressively increased efforts to enforce HIPAA and HITECH, the two most common regulations for the healthcare industry. Yet despite continued vigilance and awareness, HIPAA non-compliance is still very common throughout the healthcare industry.

The U.S. Office of Civil Rights (OCR), which is responsible for HIPAA enforcement, found HIPAA violations in 70% of the cases it investigated.[i]

78% of healthcare employees showed some lack of preparedness with common privacy and security threats, which is 8% higher than the average among all industries. [ii]

Lack of employee preparedness keeps the total number of data breaches in the healthcare industry high. There were 32 million records breached in the first half of 2019, double the number of breaches in all of 2018.[iii]

The Path to Strong HIPAA Compliance

HIPAA wasn’t designed to be a one-size-fits-all regulation. Instead, it gives organizations some leeway to determine how they should best protect their systems and data. Any healthcare organization that stores and manages electronic protected health information (ePHI) should protect that data with three types of safeguards:

  • Technical Safeguards
    This category includes all the ways an organization can use technology to automatically protect ePHI as it flows through their network.
  • Administrative Safeguards
    Administrative safeguards specify the responsibilities of human staff members. They make up over half of the HIPAA text.
  • Physical Safeguards
    HIPAA also requires that physical office space and network endpoints are secured against tampering and intrusion.

The Five Technical Requirements of HIPAA Compliance

Although organizations have difficulty with the administrative and physical safeguards, it’s often the five technical safeguards that challenge them the most.

HIPAA has five technical safeguards to protect ePHI.

  1. Access Controls – These limit ePHI access to authorized personnel.
  2. Audit Controls – Organizations must use the right mix of hardware, software, and process to monitor and log data access.
  3. Integrity control – These ensure that data is not altered or destroyed by unauthorized personnel
  4. Transmission security – This set of controls is used to ensure that ePHI is protected when in transit across a network.
  5. Authentication – Verifies the identity of individuals accessing sensitive information.

Making sure that you’ve implemented the five technical safeguards on all your systems is just one part of achieving HIPAA compliance. It’s just as important to maintain compliance as your systems evolve, which requires on-going vigilance.

Common HIPAA Stumbling Blocks

Due to HIPAA’s complexity, there are several different ways in which healthcare organizations can get compliance wrong. Here are some of the most common errors that organizations make.

Unsecured Email

The OCR maintains a “wall of shame,” where it posts HIPAA violations that are under investigation. Attacks that originate in a company’s email system make up a significant proportion of those attacks. [i]

HIPAA email best practices include:

  • Obtain patient’s written consent before sending information via email
  • Never including ePHI in subject lines
  • Always confirming the accuracy of email addresses
  • Encrypting emails whenever possible

Mobile Devices

Mobile devices can help keep doctors and nurses in better communication, but they’re often a major compliance liability.

Four out of five doctors are using their personal smartphone for work

Three out of five nurses are using their personal smartphone for work[ii]

Using personal devices contributes directly to employees, inadvertently leaking electronically protected healthcare information. To mitigate this problem, mobile devices must be secured using an enterprise mobility management (EMM) solution.

Proper Vendor Management

A business associate is any person or organization that interacts with your ePHI. HIPAA requires that you have a business associate agreement with each of those vendors. This includes:

  • Medical billing service providers
  • Data back-up and disaster recovery services
  • Software-as-a-service (SaaS) and cloud service providers

For even a small healthcare provider, this can lead to the maintenance of dozens of different vendor relationships and agreements. But having a signed business associate’s agreement isn’t enough for compliance.

Delegate BA management responsibility -> Perform technical due diligence on each vendor -> Control vendor access to ePHI with the rule of least privilege -> Regularly audit vendors -> Manage and review contracts

Lay a Foundation for HIPAA with the NIST Cybersecurity Framework

The National Institute for Standards and Technology (NIST) Cybersecurity Framework was developed by the Federal Government to help improve the security of the national-level infrastructure.

Because of its detailed prescriptions, it can also be used as a valuable reference for achieving HIPAA compliance.

The NIST process has five major high-level functions.

Identify – Gain full visibility of your physical and digital assets, and their vulnerabilities

Protect – Control access to those assets with appropriate safeguards

Detect – Possess visibility over your network and identify threats quickly

Respond – Contain cybersecurity events with a response plan and clear lines of communication

Recover – Effectively recover any damaged services with clear action points

Manhattan Tech Support can help guide you through every stage of the NIST implementation process, achieving strong HIPAA compliance, and better cybersecurity in the process.

Manhattan Tech Support – NYC’s Trusted HIPAA Consultant

We’ve been serving the security and compliance needs of NYC’s healthcare community for two decades, and during that time, have helped a wide variety of healthcare organizations, from small doctor’s offices and clinics to large hospitals and insurance companies, navigate the complex road to dependable HIPAA compliance.

Do you have HIPAA questions for your experts? Contact us any time at 212-299-7673 or info@manhattantechsupport.com! We’re always happy to help.

 

[i] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

[ii] https://www.ncbi.nlm.nih.gov/pubmed/27925381

[iiii] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html

[iv] https://www.prnewswire.com/news-releases/new-report-7-in-10-employees-lack-the-awareness-needed-to-prevent-common-cyber-incidents-300529125.html

[v] https://www.prnewswire.com/news-releases/32-million-breached-patient-records-in-first-half-of-2019-double-total-for-all-of-2018-300894237.html

SEE MORE

Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.

Exceed Digital – the custom software development and business intelligence solutions division of ManhattanTechSupport.com LLC

Related Articles

INFOGRAPHIC – The Pandemic & Cybersecurity – What’s the Damage?

calendar November 23, 2020

author Manhattan Tech Support

IT Consulting & Strategy Security Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Real Estate

INFOGRAPHIC – The Pandemic & Cybersecurity – What’s the Damage?

Cybercrime has been on the rise for the last few years. Not only has there been an increase in attacks, but the cost has gone up, as well.

Read More
A Primer on Cybersecurity Awareness Month and What You Could Be Doing to Stay Safe Online

calendar November 16, 2020

author Manhattan Tech Support

IT Consulting & Strategy Security Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Real Estate

A Primer on Cybersecurity Awareness Month and What You Could Be Doing to Stay Safe Online

What is National Cybersecurity Awareness Month? For the last 17 years, October has been National Cybersecurity Awareness Month (NSCAM). It started back in 2004 as a joint effort between government bodies, the U.S. Department of Homeland Security and the National

Read More
Microsoft EA vs CSP: Why it’s better (and wiser) for your company to get Microsoft business licenses from an elite cloud solution provider

calendar November 5, 2020

author Manhattan Tech Support

Cloud Services IT Consulting & Strategy Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Real Estate

Microsoft EA vs CSP: Why it’s better (and wiser) for your company to get Microsoft business licenses from an elite cloud solution provider

If you’ve ever used software for your business, you’ve had to deal with software licenses. These licenses are a legal agreement that establishes the rules for using a piece of software. Licenses are used instead of ownership because if you

Read More