Understanding HIPAA compliance is addressable, but not optional.
The HIPAA (Health Insurance Portability and Accountability Act of 1996) Security Rule is enforced by the United States Department of Health and Human Services (HHS) to safeguard PHI (Protected Health Information) – the private data of patients. Those in or involved with the healthcare industry have long seen complying with these rules as inconvenient, but they are necessary. With the HHS cracking down with larger fines, and with more and more cyber attacks targeting businesses and hospitals, HIPAA compliance is vital to your business.
Understanding Required and Addressable HIPAA Controls
HIPAA documentation is dense and can be hard to understand without an expert. Let us walk you through the required and addressable HIPAA controls, and what those two terms mean for HIPAA compliance.
The specifications of HIPAA are either required or “addressable.” Required controls are firm – the government does not allow you to avoid them. However, it’s important to understand that addressable controls are not optional. As the HHS documents:
“A covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”
This means that for each addressable specification you must either implement it or document why you consider it not reasonable and appropriate, along with the equivalent alternative you implemented instead. We often see medical practices ignoring both required and addressable HIPAA controls – up until a cyberattack or HHS audit happens.
HIPAA Controls – Required and Addressable
HIPAA Risk Analysis – Required
The first requirement of the HIPAA Security Rule is that businesses have a risk analysis done on their business. The National Institute of Standards and Technology (NIST) has a free 95-page guide. However, without a professional assessment and compliance work, organizations are much less likely to stand up to review.
HIPAA Risk Management – Required
Many practices stop at the Risk Analysis and put it on the shelf in case of an audit. The HIPAA Security Rule requires you to document the actions you are going to take to reduce your risks or deal with them, a critical step that needs to be documented professionally and completely.
Healthcare Data Disaster Plan – Required
What’s your plan in the case of an incident? HIPAA requires businesses to “Establish (and implement as needed) procedures to restore any loss of data.” You need to document how you will protect and recover patient data at a minimum. Stronger plans include communication, alternative sites, and business operations afterward to keep your organization functioning.
Business Associate Agreements – Required
With the HIPAA Omnibus Final Rule of 2013, organizations are liable for the compliance of their “Business Associates” and the subcontractors of those associates. This means vendor management is more critical than ever – you must validate that your vendors are actually complying with HIPAA rules, not just take their word for it.
Audit Controls – Required
While everyone thinks their patients’ data is housed exclusively in their EHR system, it is all over the place – server folders, laptops, desktop computer hard drives, portable drives and smartphones. The HIPAA Security Rule requires that access logs be created and stored for six years.
HIPAA Data Encryption (Data at Rest) – Addressable
Encryption of PHI data is one of the best ways to avoid data breaches. Many data breaches and HIPAA settlements originate from lost or stolen computers, laptops, servers, and thumb drives. Would you rather pay millions of dollars to notify patients and pay fines or a lot less to encrypt your devices?
Unique User Identification – Required
No shared logins and passwords are allowed by the HIPAA Security Rule – none. All systems that provide access to electronic Protected Health Information (ePHI) must be able to track users and what files they create, access, and modify. This includes IT staff and outsourced IT providers.
Automatic Logoff/Lockout – Addressable
An unlocked computer is a HIPAA violation waiting to happen. We’ll work with you to find the right solution to your organization, from types of lockouts to more convenient and fast ways to securely log back in, such as tokens and biometrics.
Bottom Line with HIPAA Security
Our advice is to treat all HIPAA Security Rule Implementation Specifications as required. You will be compliant, more secure, and reduce the risk of a reportable data breach, millions of dollars in costs, and tons of grief.
Learn More about Managed Healthcare IT
One of the best ways to both reach HIPAA compliance and build a better IT infrastructure is to work with a managed service provider who understands both your needs and your requirements.