What does it mean to be HIPAA compliant?
When it comes to providing IT services, there are different considerations you will have to take into account, depending on the industry you serve. Some industries—like financial and healthcare—have compliance regulations that must be adhered to, such as HIPAA regulations. In this post, we’ll explore exactly what it means to be HIPAA compliant and how it relates to IT professionals.
Let’s take a look at some definitions.
HIPAA (not to be confused with HIPPA) is the Health Insurance Portability and Accountability Act, enacted on August 21, 1996, and signed into law by President Bill Clinton. Around the time it was passed, coverage focused on the importance of workers’ ability to carry their employer-paid insurance after separation from employment, at the employee’s cost.
In addition to health insurance portability, this law also created regulations around protecting patient privacy. Patient information is often referred to as PHI (Protected Health Information), ePHI (Electronic Protected Health Information), or IIHI (Individually Identifiable Health Information).
PHI encompasses IIHI that is transmitted via electronic media, maintained in electronic media, and transmitted or maintained in any other form or medium. To properly protect PHI in electronic form, IT professionals must understand HIPAA fully.
Let’s see if HIPAA applies to your business.
Does HIPAA apply to me?
HIPAA applies to Covered Entities and Business Associates.
IT professionals who create, maintain, transmit, or receive ePHI or PHI for a Covered Entity or another Business Associate are considered a Business Associate by definition and are legally bound by HIPAA. Not only are Business Associates bound by the regulations, but they are also subject to the same liabilities and penalties of HIPAA under the Omnibus Rule of 2013.
If you are an IT professional who does IT work for any Covered Entity or Business Associate, your business will almost certainly be required to be HIPAA compliant.
As part of HIPAA compliance, you will be required to sign a Business Associate Agreement, but this alone DOES NOT make you HIPAA compliant. By the same token, using software that is HIPAA compliant DOES NOT automatically make your business compliant.
Here are the requirements you must meet to ensure your business is HIPAA compliant:
- Conduct a security risk assessment: All businesses seeking HIPAA compliance will have to do this first and foremost. The main purpose is to understand how ePHI is created, maintained, received, and transmitted in your business.
  You may not have direct access to ePHI, but if you have administrative or remote access into your client’s network, you’re considered to have access to sensitive data. Even if that data is encrypted and there’s almost no way for you to see it, HIPAA doesn’t care.
  You might be touching this sensitive data through:
  - BDR services - maybe you’re backing up data that is ePHI and storing the backups in-house.
  - Remote support - do you log in to a customer’s computer remotely and see the data on their screen?
  - On-site support - perhaps you have administrative rights to various workstations and servers.
  If so, you may be exposed to ePHI in one way or another.
- Create a risk mitigation plan: Once you’ve finished your security risk assessment, you need to use the data gathered to put together your risk mitigation plan. Here, you will address and mitigate all of the issues that were discovered during the security assessment.
- Get your safeguards in order: This is an involved process, which we will cover in more detail.
Understand HIPAA safeguards
The majority of HIPAA compliance involves policies, procedures, and thorough documentation outlined in various rules.
One such rule is the Security Rule, where you will develop some of the policies and procedures that HIPAA requires. The Security Rule is divided into three subsections: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. The basic requirements for each are listed below.
Administrative safeguards are comprised of (but not limited to) the following:
- Security management process
  - Risk analysis (required)
  - Risk management (required)
  - Sanction policy (required)
  - Information system activity review (required)
- Assigned security responsibility
- Workforce security
  - Authorization and/or supervision (addressable)
  - Workforce clearance procedure (addressable)
  - Termination procedures (addressable)
- Information access management
  - Isolating healthcare clearinghouse functions (required)
  - Access authorization (addressable)
  - Access establishment and modification (addressable)
- Security awareness and training
  - Security reminders (addressable)
  - Protection from malicious software (addressable)
  - Log-in monitoring (addressable)
  - Password management (addressable)
- Security incident procedures
  - Response and reporting (required)
- Contingency plan
  - Data backup plan (required)
  - Disaster recovery plan (required)
  - Emergency mode operation plan (required)
  - Testing and revision procedures (addressable)
  - Applications and data criticality analysis (addressable)
- Business associate contracts and other arrangements
Physical safeguards are comprised of (but not limited to) the following:
- Facility access controls
  - Contingency operations (addressable)
  - Facility security plan (addressable)
  - Access control and validation procedures (addressable)
  - Maintenance records (addressable)
- Workstation use
- Workstation security
- Device and media controls
  - Disposal (required)
  - Media re-use (required)
  - Accountability (addressable)
  - Data backup and storage (addressable)
Technical safeguards are comprised of (but not limited to) the following:
- Access control
  - Unique user identification (required)
  - Emergency access procedure (required)
  - Automatic logoff (addressable)
  - Encryption and decryption (addressable)
- Audit controls
- Person or entity authentication
- Transmission security
  - Integrity controls (addressable)
  - Encryption (addressable)
Technical safeguards should be part of your business policy for every single client in your network, not just those that require HIPAA compliance, as they are general best practices used to protect data and systems.
Physical safeguards may seem pretty straightforward.
Administrative safeguards can be somewhat more confusing because they are meant to cover all HIPAA entity types. As a result, some parts of the Administrative Safeguards will not apply to you specifically.
It should be noted that elements listed as required are just that (required). Those listed as ‘addressable’ are not meant to be skipped—they must still be addressed in your policies and procedures, even if they may seem as if they don’t apply. For example, you might work for yourself and have no employees to terminate, but you still must address termination procedures in your policies.
Compliance is largely about documentation and adhering to that documentation. Entities can be, and have been, penalized simply for not having a policy, or for having a policy and not following it.
Studies have shown that Business Associates (the category that MSPs and IT professionals fall into) make up 60%+ of HIPAA breaches, meaning that a healthcare provider’s biggest risk of a data breach comes from their Business Associate. It’s essential to be HIPAA compliant to safeguard your clients and your reputation.
There’s so much that goes into becoming HIPAA compliant. Aside from the Security Rule we addressed, there are other rules like the Privacy Rule and Breach Rule. It can certainly be overwhelming, and if you’re an MSP who has decided against taking action, you’re not alone. The site HIPAAforMSPs.com was created as a resource for IT professionals and MSPs facing the task of becoming HIPAA compliant.
It’s not worth taking HIPAA lightly. Penalties can be severe, and one violation can put you out of business, so it definitely needs to be taken seriously.
As an IT professional, being HIPAA compliant means:
- You have satisfied the elements of the Security Rule
- You have policies and procedures in place and are adhering to them
- You are knowledgeable in HIPAA as it relates to your business, and you are adamant about documentation
- You have a thorough training program in place, and you make compliance a cultural priority within your business
HIPAA is a continuous process for you and those you do business with—it’s always changing and evolving. Although it’s been around for decades, there are great opportunities to carve out a niche for yourself here. Knowing how to navigate through HIPAA is a great way to differentiate yourself. Although it requires a lot of hard work, it may be well worth it to set yourself apart from the crowd.