5 best practices for HIPAA security
The risk of protected health information being breached has grown dramatically within the past few years, and to combat the threat, the HIPAA Security Rule was created to provide organizations with administrative, physical, and technical guidelines to safeguard their electronic PHI.
"The guidelines underscore a higher goal of the HIPAA Security Rule: helping organizations maintain their data's confidentiality, integrity, and accessibility," said Mahmood Sher-Jan, vice president of product management at ID Experts. "Understanding the guidelines and their greater goal can help organizations implement best practices to better protect their ePHI."
Sher-Jan shares five best practices for HIPAA security.
1. Do a PHI inventory. According to Sher-Jan, an inventory allows for a complete account of every element of PHI that an organization holds. This is a logical starting point, he said, since it identifies the information assets that require securing. "Although the HIPAA Security Rule only covers electronic PHI, it's prudent to address both paper and electronic PHI formats," he said. "This process helps determine how an organization collects, uses, stores, shares and disposes of its PHI—its life cycle." An inventory reveals the risks where a breach may occur, so organizations can be strategic in their planning to protect PHI and develop the best plan for a response, based on real information. "On a security level, a PHI inventory means knowing where the systems, servers, and applications that capture and use PHI are and who their business owners and users are," he said. "These owners should understand the regulatory requirements and define the risk of exposure of the PHI, while communicating these risks to the IT and security staff."
2. Do a HIPAA security evaluation. This includes evaluating your organization's security policies and procedures to ensure they're up to date and reflect any environmental and operational changes, said Sher-Jan. "This is a mix of both a technical and non-technical evaluation that produces a prioritized gap analysis for key data assets," he said. "Assets can also be categorized by the application that uses them or the server on which they reside." Based on the evaluation, Sher-Jan continued, an organization can conduct a gap analysis around each asset to pinpoint the holes between its current protection levels and what the HIPAA Security Rule requires. "The rule has a mixture of 'required' and 'addressable' implementation specifications; it's important the 'addressable' specifications are not treated as optional," he said. "They're requirements that may be satisfied by alternative means or may not be applicable to the entity."
3. Conduct a HIPAA risk analysis. This risk analysis goes beyond the high-level evaluation and applies to the PHI data assets identified during the inventory and security evaluation, said Sher-Jan. "This means an assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI, so they can be properly identified and mitigated," he said. "Until now, it's been difficult to quantify the business impacts of these risks for most organizations." Sher-Jan referenced the recent report focusing on the financial impact of breached PHI on an organization, which gives organizations the tools to evaluate the potential costs associated with a breach if one were to occur.
4. Have a mitigation plan in place. "Knowing the specific risks an organization faces can help it determine the appropriate preventative measures necessary for compliance with federal regulations," said Sher-Jan. "[The] HIPAA Security Rule should be treated as the floor for [protecting] PHI. A compliance and mitigation plan should include all aspects of the HIPAA Security Rule." These aspects should incorporate administrative safeguards, including policies and procedures around emerging technologies, like texting or the use of social media; physical safeguards, like requiring proper workstation security and device and portable media controls; and technical safeguards, including user authentication, encryption when appropriate, access and audit controls for access to PHI, and mechanisms for safely transmitting data.
5. Create and maintain a current Incident Response Plan (IRP). An IRP is an effective and cost-efficient way for organizations to meet both HIPAA and HITECH requirements, while providing guidelines for PHI security-related incidents, said Sher-Jan. "This is one of the specific areas that will be audited by OCR as part of the recent pilot HIPAA audit program launched by OCR through KPMG," he said. "For instance, an IRP should designate an incident response team and roles, outline when and how to respond after a security or privacy incident, conduct and document incident risk assessments, and notify affected individuals and government agencies if notification is required under the law."
Follow Michelle McNickle on Twitter, @Michelle_writes