Despite the Health Insurance Portability and Accountability Act (HIPAA) first being enacted over 20 years ago, some organizations are still found to be violating HIPAA Rules. Common causes for violations are related to security procedures. Below, we will outline some essential areas that HIPAA covered entities and their business associates should review to avoid sanctions for HIPAA violations.
HIPAA was put in place to help people maintain insurance coverage while between jobs and to protect private health information. Covered entities include health plans, health insurers, and medical service providers.
HIPAA is chiefly enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR) who are responsible for checking compliance with most parts of the HIPAA Privacy and Security Rules. Violations are often solved through voluntary compliance or issued guidance. However, the OCR does reserve the right to impose financial sanctions.
The majority of reported violations involve improperly using or disclosing protected health information (PHI). This can happen through weak security, not correctly allowing patients access to their PHI, or the lack of appropriate administrative data protections.
These errors indicate that many covered entities are failing to implement the necessary security procedures. This is somewhat surprising as one of the very first parts of HIPAA, CFR 45 164.308 (a)(1), requires organizations to put policies in place to “prevent, detect, contain, and correct security violations”.
Some of the necessary steps needed to introduce these protections include:
Risk Assessment – Analysis of risks to the privacy, integrity, and security of PHI
Risk Management – The steps being taken to reduce risks to a “reasonable and appropriate level”
Sanction Policy – The internal penalties related to violating security or privacy procedures
Information system activity review – Introducing regular audits and reviews of activity logs and access history, as well as recording security incidents
Prior to these steps, a common sense approach should be taken to understanding all of the PHI the organization controls, and how they should manage it.
Identify the concerned systems – A vital first step that many do not complete is properly identifying all IT or information systems that deal with PHI. These systems should be examined and their function and hierarchy ascertained.
Organizations should pose the following questions:
Does the hardware and software in the information systems include removable media and remote access devices?
Have the types of information under management been identified?
Has the sensitivity of each type of information been evaluated?
Conduct a risk assessment – The risks and weaknesses of information security must be completely understood.
Organizations should consider:
- The risk of natural disasters of the location of the facility
- Whether responsibility has been designated for all concerned hardware
- Whether existing safeguards and identifiable risks have been examined
- Whether all processes involving ePHI — including creating, receiving, maintaining, and transmitting protected information – have been appropriately addressed
Required IT systems and services – Once the risks related to IT and information security have been understood, new software or infrastructure may need to be put in place to maximise security. Examples include:
- Multi-Factor Authentication
- Data-at-Rest Encryption
- Data-in-Transit Encryption
- Cryptographic Key Management
Before putting these safeguards into place, consider:
- Compatibility between new security measures and current IT systems
- Cost-benefit analyses to measure possible investments against potential security risks
Develop and implement policies and processes – New procedures must have an assigned owner, who is responsible for ensuring they are followed. If no one is responsible, no one takes action. Introduce measures with clear accountability to stimulate compliance.
All actors in the healthcare space, from public clinics to private insurers, must abide by HIPAA Rules and internal procedures to keep PHI private and secure. The above guidelines can be used to help your organization conform to best practices, protect PHI, and avoid sanctions for HIPAA violations.