The increased adoption of information technology in the medical field has raised concerns about securing the use and transmission of protected health information (PHI). As an individual, you don’t want your insurance company or the healthcare industry to publicize or abuse your medical information. To prevent the misuse of PHI, the United States Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. It safeguards the confidentiality of PHI and ensures the secure transmission of electronic PHI (ePHI) between healthcare entities.
HIPAA is now mandatory for companies that work with data related to a patient’s personal information, medical history, and test and laboratory results. Substantial fines, criminal charges, and lawsuits can follow if a company fails to comply with HIPAA regulations.
In March 2018, EmblemHealth paid $575,000 in a settlement for a data breach that exposed 81,122 Social Security numbers, caused by a mailing error.
If your organization has access to PHI or ePHI, we recommend that you conduct a compliance assessment to determine how well you meet the HIPAA regulations. This article addresses the administrative measures healthcare organizations are required to implement to satisfy HIPAA compliance. These measures will not only keep you HIPAA compliant but will also bring some of the best-known information security practices into your organization.
Administrative Measures of HIPAA Compliance:
Establishment of policies:
Policies establish the boundaries, guidelines, and best practices for storing and transmitting ePHI in your organization. The physical and technical safeguards of HIPAA require you to set policies that address the following:
- Facility access control: Your organization must implement an access control mechanism that prevents unauthorized access to the locations where ePHI is stored, protecting against data tampering and theft.
- Use of workstations: Organizations are required to restrict the use of workstations that have access to ePHI. Policies must be devised and implemented to specify and govern how functions are performed on those workstations.
- Policies for mobile devices: Policies must be implemented to govern how ePHI is removed from mobile devices that have access to it. Organizations must address the situations in which the user leaves the organization or the device is reused, sold, etc.
- Data privacy: Organizations must ensure that written permission is obtained from patients before their health information is used for marketing, fundraising, or research.
Designating a security/compliance officer:
You need to appoint a compliance officer or engage a trusted third-party service responsible for developing and implementing your HIPAA policies.
HIPAA requires covered entities to conduct annual audits of their organization. Your compliance officer will assess the technical, physical, and administrative gaps in your security standards. The officer will also receive complaints from individuals who believe their privacy has been violated and work out a resolution. Moreover, the policies and standards of HIPAA compliance keep changing. Therefore, you need someone to review each update to the policies and devise new strategies year after year to remain compliant.
Training of employees:
Generally, employees are considered the weakest point in information security. Accidental as well as intentional data leaks or misuse can cost thousands of dollars in HIPAA violations. Therefore, organizations need to provide privacy training to all personnel who produce, transcribe, store, transmit, or otherwise have access to PHI or ePHI.
The training should include, but not be limited to, basic on-site and online specialized health privacy policy and work-practice training. You must ensure that your employees are aware of what information should and should not be shared outside your organization.
Things will not always run smoothly. With attackers constantly evolving their tactics, there is a high possibility of a data breach. The HIPAA Breach Notification Rule requires covered entities to notify the regulatory body and the affected patients in case of a data breach. Therefore, you must have an incident management procedure that can report security breaches and provide the best possible remediation of such incidents. The breach notification should be documented and include:
- The nature of the ePHI involved
- Who used the ePHI, if known
- To whom the disclosure was made
- The extent to which the damage has been mitigated
Internal auditing and monitoring:
HIPAA’s strict policies and heavy penalties require you to conduct self-audits of your resources. But with a large number of devices distributed over a wide area network, it becomes difficult to generate compliance reports from each device. Also, a data breach can originate from any vulnerable device on the network. Therefore, you need to implement a Security Information and Event Management (SIEM) solution that can monitor and audit the assets that store ePHI in real time. SIEM systems automate the gathering of compliance data and the documenting of reports, thus simplifying administration.
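As an added illustration (not code from the original article or from any product it mentions), the following shows the kind of rule a SIEM would run over ePHI access audit logs, together with a record carrying the breach-notification fields listed in the incident management section above. The log format, user names, patient record IDs, assignment table, and business-hours window are all constructed assumptions for this example.

```python
"""Added example: a minimal ePHI access-log monitor of the kind a SIEM rule
would implement, plus a breach-notification record carrying the fields the
Breach Notification Rule paragraph lists. All data here is constructed."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed audit-log lines from a hypothetical EHR application (not real data).
SAMPLE_LOG = """\
2018-06-01T09:12:04Z user=nurse01 action=READ record=PT-1001 src=10.0.5.21
2018-06-01T09:13:40Z user=nurse01 action=READ record=PT-1002 src=10.0.5.21
2018-06-01T22:47:11Z user=billing7 action=READ record=PT-1001 src=10.0.9.4
2018-06-01T22:48:02Z user=billing7 action=EXPORT record=PT-1001 src=10.0.9.4
2018-06-01T10:02:55Z user=guest action=READ record=PT-3003 src=203.0.113.7
"""

# Constructed authorization data: which users may access which patient records.
ASSIGNMENTS = {
    "nurse01": {"PT-1001", "PT-1002"},
    "billing7": {"PT-1001"},
}
EXPORT_ALLOWED = set()          # assumption: nobody may bulk-export ePHI
BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 UTC is normal access time


def parse_line(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def find_violations(log_text):
    """Return (reason, event) pairs for accesses the policy does not allow.

    Checks are ordered from most to least severe, so each event is reported
    once with its strongest reason."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        allowed = ASSIGNMENTS.get(ev["user"], set())
        if ev["record"] not in allowed:
            violations.append(("unassigned_record", ev))
        elif ev["action"] == "EXPORT" and ev["user"] not in EXPORT_ALLOWED:
            violations.append(("unauthorized_export", ev))
        elif ev["ts"].hour not in BUSINESS_HOURS:
            violations.append(("after_hours_access", ev))
    return violations


@dataclass
class BreachRecord:
    """The documentation fields listed for a breach notification."""
    nature_of_ephi: str      # what ePHI was involved
    users_involved: list     # who used the ePHI, if known
    disclosed_to: str        # to whom the disclosure was made
    mitigation: str          # how far the damage has been mitigated
    events: list = field(default_factory=list)


def build_breach_record(violations, disclosed_to="unknown", mitigation="pending"):
    """Summarise flagged events into one notification record for the compliance officer."""
    users = sorted({ev["user"] for _, ev in violations})
    records = sorted({ev["record"] for _, ev in violations})
    return BreachRecord(
        nature_of_ephi="patient records " + ", ".join(records),
        users_involved=users,
        disclosed_to=disclosed_to,
        mitigation=mitigation,
        events=[(reason, ev["ts"].isoformat(), ev["user"], ev["record"])
                for reason, ev in violations],
    )


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for reason, ev in found:
        print(reason, ev["ts"].isoformat(), ev["user"], ev["record"], ev["src"])
    print(build_breach_record(found, mitigation="export blocked, account disabled"))
```

A real deployment would feed these checks from the SIEM’s live event stream rather than a string, and the assignment table would come from the EHR’s own authorization data; the point of the example is that the audit trail, the access policy, and the notification record are the same three artifacts the administrative measures above ask you to maintain.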
The Administrative Safeguards are the pivotal elements of HIPAA compliance: they establish measures to protect PHI and govern the conduct of the workforce. In 2018, more covered entities and business associates are paying attention to the HIPAA Privacy and Security Rules. Though HHS’ Office for Civil Rights (OCR) hinted at future changes to HIPAA regulations, there were no major changes. Still, much of the work in organizations is shaped by the need to constantly satisfy HIPAA compliance policies. With the administrative measures listed here, you can develop best practices for storing and using PHI. By implementing them, you can ensure that your entire operation is not disrupted by constant updates to HIPAA regulations. For more details about HIPAA, check out our article “All you need to know about HIPAA compliance”.