5 best practices for HIPAA security
The risk of protected health information (PHI) being breached has grown dramatically within the past few years. The HIPAA Security Rule addresses that threat by giving organizations administrative, physical, and technical safeguards for their electronic PHI (ePHI).
"The guidelines underscore a higher goal of the HIPAA Security Rule: helping organizations maintain their data's confidentiality, integrity, and accessibility," said Mahmood Sher-Jan, vice president of product management at ID Experts. "Understanding the guidelines and their greater goal can help organizations implement best practices to better protect their ePHI."
Sher-Jan shares five best practices for HIPAA security.
1. Do a PHI inventory. According to Sher-Jan, an inventory gives a complete account of every element of PHI an organization holds. This is the logical starting point, he said, because it identifies the information assets that need securing. "Although the HIPAA Security Rule only covers electronic PHI, it's prudent to address both paper and electronic PHI formats," he said. "This process helps determine how an organization collects, uses, stores, shares and disposes of its PHI—its life cycle." An inventory shows where a breach could occur, so an organization can plan its PHI protections strategically and build its response plan on real information rather than assumptions. "On a security level, a PHI inventory means knowing where the systems, servers, and applications that capture and use PHI are and who their business owners and users are," he said. "These owners should understand the regulatory requirements and define the risk of exposure of the PHI, while communicating these risks to the IT and security staff."
2. Do a HIPAA security evaluation. This means evaluating the organization's security policies and procedures to ensure they are up to date and reflect any environmental and operational changes, said Sher-Jan. "This is a mix of both a technical and non-technical evaluation that produces a prioritized gap analysis for key data assets," he said. "Assets can also be categorized by the application that uses it or the server on which it resides." Based on the evaluation, Sher-Jan continued, an organization can conduct a gap analysis around each asset to pinpoint the holes between its current protection levels and what the HIPAA Security Rule requires. "The rule has a mixture of 'required' and 'addressable' implementation specifications; it's important the 'addressable' specifications are not treated as optional," he said. "They're requirements that may be satisfied by alternative means or may not be applicable to the entity."