HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as HITECH.
Typically the question following what is HIPAA compliance is what are the HIPAA compliance requirements? That question is not so easy to answer as – in places – the requirements of HIPAA are intentionally vague. This is so the HIPAA rules are equally applicable to every type of Covered Entity or Business Associate that creates, accesses, processes, or stores PHI.
Despite the intentionally vague HIPAA requirements, every Covered Entity and Business Associate that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and that – should a breach of PHI occur – they follow the procedure in the HIPAA Breach Notification Rule.
All risk assessments, HIPAA-related policies and reasons why addressable safeguards have not been implemented must be chronicled in case a breach of PHI occurs and an investigation takes place to establish how the breach happened. Each of the HIPAA requirements is explained in further detail below. Business unsure of their obligation to comply with the HIPAA requirements should seek professional advice.
Many vendors would love to develop apps, software, or services for the healthcare industry, although they are unsure how to become HIPAA compliant. While it is possible to use a HIPAA compliance checklist to make sure all aspects of HIPAA are covered, it can be a difficult process for organizations unfamiliar with the intricacies of HIPAA Rules to develop a HIPAA compliance checklist and implement all appropriate privacy and security controls.
Until vendors can confirm they have implemented all the appropriate safeguards to protect ePHI at rest and in transit, and have policies and procedures in place to prevent and detect unauthorized disclosures, their products and services cannot be used by HIPAA Covered Entities. So, what is the easiest way to become HIPAA compliant?
You will certainly need to use a HIPAA compliance checklist to make sure your organization, product, or service incorporates the relevant technical, administrative, and physical safeguards of the HIPAA Security Rule. You must also adhere to the requirements of the HIPAA Privacy and Breach Notification Rules.
Get anything wrong and fail to safeguard ePHI and, as a HIPAA business associate, you can be fined directly for HIPAA violations by the HHS’ Office for Civil Rights, state attorneys general, and other regulators. Criminal charges may also be applicable for some violations. HIPAA compliance can therefore be daunting, although the potential benefits for software vendors of moving into the lucrative healthcare market are considerable.
To ensure you cover all elements on your HIPAA compliance checklist and leave no stone unturned, it is worthwhile seeking expert guidance from HIPAA compliance experts. Many firms offer HIPAA compliance software to guide you through your HIPAA compliance checklist, ensure ongoing compliance with HIPAA Rules, and provide you with HIPAA certification.
HIPAA IT compliance is primarily concerned with ensuring all the provisions of the HIPAA Security Rule are followed and all elements on your HIPAA IT compliance checklist are covered.
Risk assessment and management is a key consideration for HIPAA IT security. One way to help ensure risks are identified and appropriate controls are implemented as part of your HIPAA IT compliance program is to adopt the NIST Cybersecurity Framework. The NIST Cybersecurity Framework will help prevent data breaches, and detect and respond to attacks in a HIPAA compliant manner when attacks do occur.
HIPAA IT compliance concerns all systems that are used to transmit, receive, store, or alter electronic protected health information. Any system or software that ‘touches’ ePHI must incorporate appropriate security protections to ensure its confidentiality, integrity, and availability.
One element of the HIPAA compliance checklist that is often low down on the priority list is monitoring ePHI access logs regularly. Inappropriate accessing of ePHI by healthcare employees is common, yet many Covered Entities fail to conduct regular audits and inappropriate access can continue for months or sometimes years before it is discovered.
In addition to the rules and regulations that appear on our HIPAA compliance checklist originating from acts of legislation, there are several mechanisms that IT departments can implement to increase the security of ePHI.
Potential lapses in security due to the use of personal mobile devices in the workplace can be eliminated by the use of a secure messaging solution. Secure messaging solutions allow authorized personnel to communicate ePHI – and send attachments containing ePHI – via encrypted text messages that comply with the physical, technical, and administrative HIPAA safeguards.
Email is another area in which potential lapses in security exist. Emails containing ePHI that are sent beyond an internal firewalled server should be encrypted. It should also be considered that emails containing ePHI are part of a patient´s medical record and should therefore be archived securely in an encrypted format for a minimum of six years.
As medical records can attract a higher selling price on the black market than credit card details, defenses should be put in place to prevent phishing attacks and the inadvertent downloading of malware. Several recent HIPAA breaches have been attributed to criminals obtaining passwords to EMRs or other databases, and healthcare organizations can mitigate the risk of this happening to them with a web content filter.