Compliance

The healthcare industry is a prime target of hackers. The importance of cybersecurity in healthcare is an essential consideration for all organizations handling patient data.

Be aware of the latest numbers; read our article on the latest Healthcare Cybersecurity Statistics.

Healthcare Data Breaches, By the Numbers

1. 89% of healthcare organizations experienced a data breach in the past two years. Despite the sophisticated measures put in place by providers to prevent data breaches , they are still common. (Source: Dizzion).

2. A Mid-Horizon study concluded that approximately 100 percent of web applications connected to critical health information is vulnerable to cyber attacks. Network penetration results also showed that hackers could easily access domain level admin privileges of most healthcare applications. As a result, the use of advanced technologies such as block-chain and cloud computing is necessary to ward off such attacks in the future. (Source).

3. It is estimated that the loss of data and related failures will cost healthcare companies nearly $6 trillion in damages in the next three years compared to $3 trillion, in 2017. From a statistical point of view, it is the most significant transfer of wealth in human history. If proper security measures are not taken, experts believe that cybercrime can have a devastating financial impact on the healthcare sector in the next four to five years. (Source).

4. 82% of surveyed healthcare organizations agree that digital security is one of their foremost concerns. (Source: Health IT Security)

5. 55% of healthcare companies in the United States faced cyber attacks. Almost one-fifth confirmed that they had been attacked in the last 12 months. (Source).

Healthcare Ransomware Statistics

Ransomware has brought many a healthcare organization to its knees. It is likely to remain one of the most prominent threats of 2019 and beyond. Despite increasing awareness among healthcare professionals, the number of ransomware attacks continues to grow.

6. Ransomware attacks on the healthcare sector will quadruple by 2020. Attackers like to attack the healthcare sector due to the potential value of such data. The healthcare sector is prone to paying the ransom because the disruption, lost productivity, and damage to the data can be more expansive than preventing the loss by paying the ransom. (Source: Herjavec Group Healthcare Report)

7. As of 2018, the number of ransomware families dropped from 98 to only 28. However, there were 350 different variants of ransomware observed in 2018 compared to 241 in the previous years. It means that ransom-takers are using more sophisticated tactics to hack into vulnerable systems. (Source)

8. Healthcare organizations are more willing to pay ransom to avoid downtime and gain access to critical patient data. It is estimated that 23 percent of healthcare organizations paid some form of payment to the attackers. The healthcare industry is vulnerable because it uses legacy systems that are mostly out-dated and vulnerable to attacks. (Source: Infosecurity Magazine)

9. Organizations that handle healthcare data that fail to update their systems may face grave consequences in the future. The majority of healthcare ransomware attacks were malware related. Of the 2,600 incidents reported, 36 percent were malware related followed by accidental disclosure in 26 percent of the cases. (Source: Beazley Breach Briefing)

Implementation of Advanced  Security Technologies To Fight Back

10. The nature of cybersecurity spending in the healthcare sector varies significantly due to the specific requirements of organizations. A majority of companies are spending their budgets on network security and investing in mobile protection measures. Another 51% are also spending on advanced technologies that will make data on the move more secure during data transfers. (Source: HIPPA Journal)

11. A large number of healthcare firms are migrating to a cloud-based solution. Despite the safety as their prime concern, 25% of the firms suggest that they are not encrypting their information during data transfer to the cloud. 38% of firms that have data in a multi-cloud environment such as Amazon Web Service does not use encrypted technology. (Source: Hytrust)

12.  60% of healthcare organizations globally have introduced IoT devices into their facilities. The Internet of Things has seen an exponential rise in the use of IoT enabled devices in a range of fields. Wearable and implantable IoT devices are already widely used in healthcare, including insulin level monitors to pacemakers. (Source: Statista)

Cybersecurity IT Talent: Human Weakness

We tend to think of cybersecurity as a system of digital checks and balances. But while this is important, organizations should still consider the human component. Even if you’re spending heavily on automated systems, it means little if you don’t have the right people to implement and manage them.

13. 42% of healthcare organizations leave their cybersecurity in the hands of a vice president or C-level official (Source: Chime).

14. 39% report their biggest challenge when it comes to implementing cyber defenses is the lack of qualified employees (Source: HIPAA Journal).

15. 37% say that less than 1 in 4 candidates are skilled enough to keep their companies secure (Source: Health IT Security).

16. Cybersecurity requires specific knowledge and skills to secure and combat attacks. Often, these skills are not easy to find as 27 percent of healthcare firms reported that they are unable to find suitable candidates to fulfill cybersecurity roles. Another 14 percent suggested that they are not sure if they will be able to fill vacant positions. The ISACA State of Cyber Security Report also concluded that 45 percent of firms don’t think that their applicants understand the nature of their job (Source).

17. If the budget doesn’t restrict healthcare firms to improve their security, the complexity of the system does. 53 percent of the healthcare firms surveyed revealed that complexity of healthcare systems is the major issue holding them back. Healthcare systems can be complicated as lack of experienced and knowledgeable staff to handle such complex systems is another significant concern, cited by 39 percent of firms (Source: Thales Data Threat Report).

18. For small and medium-sized healthcare firms, cloud adaption is a haven from cyber attacks. Despite the early adaption of cloud-based technology by the healthcare sector, nearly 40 percent of these organizations do not have a dedicated staff that can deal with cloud-based problems. Without a dedicated team, small healthcare organizations can face threats while operating in a cloud environment. (Source: HIPPA Journal)

19. The most significant internal cybersecurity threats to healthcare are often high-ranking officials and senior staff who have deep access to the system. A whopping, 61 percent cited senior-level executives as a potential security loophole that can be vulnerable to cyber threats. Similarly, privileged users, such as executive managers, contractors, and service providers, are potential targets for hackers and cybercriminals. (Source: HIPPA Journal)

20. 59% of healthcare organizations get at least five applications for each cybersecurity job, while 13% receive 20 or more. While these healthcare security statistics make for sobering reading, there is some good news. The right candidates do appear to be out there. (Source: Health IT Security).

21. 54% of healthcare associates say their biggest problem is employee negligence in the handling of patient information (Source: Ponemon Study).

Healthcare Companies are Fighting Back

21. Healthcare organizations are taking cyber security seriously as 62 percent of companies have reported that a Vice President is in charge of cybersecurity issues. 41 percent of organizations are in the process of implementing a fully functional security program to address critical problems. (Source: Health IT Security)

22. Recent attacks on healthcare have prompted healthcare companies to increase their cybersecurity budgets from a maximum of 10 percent to almost 25 percent, in 2018. The increase in the budget is correlated to an increase in hiring staff for a specific purpose. In 2016, eight percent of the healthcare companies had more than 10 employees dedicated to the task, which increased to 11 percent, in 2017. (Source: Health IT Security)

23. In 2018, 60 percent of these firms put particular emphasis on cybercrime by increasing their staff, adding new technologies, and training their employees on such issues. Cybersecurity budgets continue to grow as 81 percent of U.S. firms indicate that they will improve their resources to keep critical systems safe. (Source: Healthcare IT News)

24. 57 percent of companies are ensuring that they meet local and global compliance standards of Internet security required in the healthcare sector. Of these, 34 percent confirmed that they are already looking to implement cybersecurity best practices for employees. (Source: HIPPA Journal)

25. Security breaches caused by the loss of sensitive items, such as laptops and other devices, have decreased sharply. While loss or theft of items accounted for nearly 90 percent of the losses in 2010, it has reduced to only 15 percent, in recent years. This is a clear sign that educating employees to take care of their data devices is critical to preventing incidents of theft. (Source)

26. 54% of healthcare organizations believe they have technologies in place to effectively prevent or quickly detect unauthorized access to patient data. An improvement over the 49% reported in 2015. (Source: Ponemon Institute)

5 Largest Healthcare Cyber Security Attacks & Breaches

Here are some of the most significant healthcare data breaches. What can your organization learn to avoid being the next victim?

1. LifeBridge Health

This Baltimore-based healthcare system experienced a malware attack last March. The attack potentially breached the data of around 500,000 patients. Investigations showed that the hackers first gained access to the system back in September 2016.

2. Health Management Concepts

This ransomware attack fast became a full-blown data breach. Hackers were mistakenly provided with a file containing the personal data of over 500,000 patients.

The organization has not disclosed how or why hackers got this information, but the file contained Social Security numbers, health insurance information, and patient names.

3. CNO Financial Group

Between May and September of last year, hackers gained access to the credentials of CNO employees. This information was then used to access company websites, compromising the data of over 566,000 policyholders and applicants.

Data accessed included dates of birth, insurance details, and partial Social Security numbers.

4. UnityPoint Health

UnityPoint suffered two security breaches last year. The second compromised the data of 1.4 million patients.

A series of phishing emails had been made to look like they were from a top executive within the company. When an employee fell for the scam, it gave hackers access to private email accounts.

5. AccuDoc

The data breach of billing vendor AccuDoc was the biggest of last year. The North Carolina-based vendor prepares patient bills while managing Atrium Health’s billing system. The investigation revealed that while hackers could view the data, they were unable to extract it.

Don’t Become a Healthcare Security Statistic

From these healthcare statistics, it is apparent that there has been an increased awareness among healthcare companies regarding cybersecurity. Despite the response, more needs to be done.  All types of hacking attacks are also becoming more sophisticated and the data loss more costly. Solutions start with awareness, updating and maintaining critical systems, and emphasis on security during data transfer.

How vulnerable is your organization? Work with our team of security professionals and ensure that your employee and patient data is secure.

The time has arrived to think differently about security and compliance. Compliance is not security. In fact, you can be compliant but not secure.

Compliance doesn’t always achieve security.

Preparing For Todays Security Challenges

Information technology has grown in leaps and bounds over the last two decades with the industry set to top $5 trillion in 2019. With this immense growth comes complex new compliance and security challenges. Industry insiders know that it’s increasingly important to understand and control how companies share, store, and receive information. IT compliance frameworks are now in place to ensure this regulation of data happens securely, but they can differ extensively.

Breaking it down to its basics, becoming secure and compliant means securing information assets, preventing damage, protecting it, and detecting theft. These are the main mantras and mandates of cybersecurity teams, as they implement frameworks, which are predominantly technical to achieve compliance.

A company can protect its data accordingly if they follow Compliance frameworks and have quality security in place. To have proper protection, companies must understand that Compliance is not the same thing as security. However, security is a big part of compliance.

What are the Differences Between Compliance and Security?

Compliance focuses on the kind of data handled and stored by a company and what regulatory requirements (frameworks) apply to its protection. A company may have to align with multiple frameworks, and understanding these frameworks can be difficult. Their main goal is to manage risk and goes beyond information assets. They oversee policies, regulations, and laws and cover physical, financial, legal, or other types of risk. Compliance means ensuring an organization is complying to the minimum of the security-related requirements.

Security is a clear set of technical systems and tools and processes which are put in place to protect and defend the information and technology assets of an enterprise. Compliance is not the primary concern or prerogative of a security team, despite being a critical business requirement. Security can include physical controls as well as who has access to a network, for example. Standardized methods and tools provided by specialist vendors make security simpler than compliance. Compliance, on the other hand, can be multifaceted and is based on a company’s data type and security processes.

Compliance and Security Based on Specific Frameworks

Compliance studies a company’s security processes. It details their security at a single moment in time and compares it to a specific set of regulatory requirements. These requirements come in the form of legislation, industry regulations, or standards created from best practices.

Specifically, compliance frameworks include:

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) applies to companies in the Health Insurance industry. It legislates how companies should handle and secure patients’ personal medical information. HIPAA compliance requires companies who manage this kind of information, to do so safely. The act has five sections, which it calls Titles. Title 2 is the section that applies to information privacy and security.

Initially, HIPAA aimed to standardize how the health insurance industry processed and shared data. It has now added provisions to manage electronic breaches of this information as well.

SOX

The Sarbanes-Oxley Act (also called SOX) applies to the corporate care and maintenance of financial data of public companies. It defines what data must be kept and for how long it needs to be held. It also outlines controls for the destruction, falsification, and alteration of data.

SOX attempts to improve corporate responsibility and add culpability. The act states that upper management has to certify the accuracy of their data.

All public companies must comply with SOX and its requirements for financial reporting. Classifying data correctly, storing it safely, and finding it quickly are critical elements of its framework.

PCI DSS

PCI DSS compliance is the Payment Card Industry Data Security Standard created by a group of companies who wanted to standardize how they guarded consumers’ financial information.

Requirements that are part of the standard are:

• A secured network
• Protected user data
• Strong access controls and management
• Network tests
• Regular reviews of Information Security Policies

There are four levels of compliance within the standard. The number of transactions a company completes every year determines what level they must comply with.

SOC Reports

SOC Reports are Service Organization Control Reports that deal with managing financial or personal information at a company. There are three different SOC Reports. SOC 1 and SOC 2 are different types with SOC 1 applying to financial information controls, while SOC 2 compliance and certification covers personal user information. SOC 3 Reports are publicly accessible, so they do not include confidential information about the company. These reports apply for a specific period, and new reports consider any earlier findings.

The American Institute for Chartered Public Accountants (AICPA) defined them as part of SSAE 18.

ISO 27000 Family

The ISO 27000 family of standards outlines minimum requirements for securing information. As part of the International Organization for Standardization’s body of standards, it determines the way the industry develops Information Security Management Systems (ISMS).

Compliance comes in the form of a certificate. More than a dozen different standards make up the ISO 27000 family.

Security Covers Three Main Aspects of Your Business

1. Networks

Networks allow us to share information quickly over vast distances. This also makes them a risk. A breached network can do untold amounts of damage to a company.

A data breach of personal information can cause damage to the company’s image. Data loss or destruction can also open companies to criminal liability, as they are no longer in compliance with regulations. Protecting a network is one of the hardest tasks facing security professionals.

Network security tools prevent unauthorized access to the system. Firewalls and content filtering software protects data as they only allow valid users.

2. Devices

A user’s personal device that connects to a company network can inject unknown code into the system. Similarly, clicking on the wrong email attachment can quickly spread malicious software.

Antivirus and endpoint scanning tools stop attackers from gaining access to the device. Phishing attacks and viruses have known signatures making them detectable and preventable.

Segmenting access to the network by device, user, and facility limits the spread of malicious software.

3. Users

Careless users are a significant risk for any company. They don’t know they have been compromised and don’t know they are enabling an online attack. Phishing emails are now responsible for 91% of successful cyber-attacks.

Training users to be mindful can help limit innocuous yet dangerous actions. Training can increase security if employees know the risks involved in their daily use of technology.

Compliance and Security: The Perfect Alliance

Security is something all companies need. Most will already have some form of protection when it comes to IT infrastructure. This could even mean the bare minimum of having an antivirus installed on a workstation or using the basic Windows Firewall.

Turning security tools into a compliant IT system requires more effort. Company’s need to prove their compliance with the regulatory standards when a compliance audit happens.

Creating one system, an alliance of both security and compliance, in a systematic and controlled way is the first step in reducing risk. A security team will put in place systemic controls to protect information assets. And then a compliance team can validate that they are functioning as planned. This type of alliance will ensure that security controls won’t atrophy, and all the required documentation and reports are accessible for auditing.

Getting Started on a Secure Path

Compliance that meets a specific framework builds trust in a company. Although regulations will be the driving force behind compliance, the added benefits that come with it are helpful.

A formal assessment of security procedures and systems can highlight areas of concern that need clarification and understanding. Although management should trust administrators to make critical decisions affecting a company’s infrastructure, understanding all the relevant information about security rests with management. Using compliance frameworks to find shortcomings in security is essential when looking at those decisions.

The road to compliance starts with:

• Listing the current security tools used.
• Conducting a risk assessment of the types of information processed.
• Studying the requirements related to the framework.
• Analyzing the gaps in your current controls in regards to the requirements.
• Planning the way forward to solve major deficiencies.
• Testing the efficiency of different solutions.

After applying these steps to a system, conducting regular assessments is the key to success. Compliance and security need to work hand in hand; it does not have to be security versus compliance.

They work in unison; how? Using a compliance framework, assessing security systems, correcting deficiencies, and then beginning assessments which are set on a regular schedule.

Security and Compliance: A Symbiotic Relationship

Security and compliance is a necessary component in every sector. Knowing how each relates to data security is critical.

The IT Industry relies heavily on the public’s trust, and companies that provide them with Information Services need to have stellar reputations. A failure in security can break a business.

Security and compliance are different components of a necessary and crucial system. Knowing how each relates to data protection is critical. Each relies on the other to keep data security at its peak.  Compliance does not equal security on its own. There needs to be a symbiotic relationship between the two. When a company meets compliance frameworks with its internal security measures, the implementation of both will keep data safe and a company’s integrity and reputation intact.

Now that you understand the differences between security versus compliance read about the best security testing tools recommended by professionals. It’s time to take action against potential data threats and guard your cybersecurity.

For healthcare providers, HIPAA compliance is a must. HIPAA guidelines protect patients’ health information, ensuring that it is stored securely, and used correctly.
Sensitive data that can reveal a patient’s identity must be kept confidential to adhere to HIPAA rules. These rules work on multiple levels and require a specific organizational method to implement comprehensive privacy and security policies to achieve compliance.

Most organizations find this to be a daunting task. We have put together a HIPAA compliance checklist to make the process easier.

The first is to understand how HIPAA applies to your organization. The second is to learn how to implement an active process, technology, and training to prevent a HIPAA-related data breach or accidental disclosure. Finally, the third is to put physical and technical safeguards in place to protect patient data.

By the time you’re done with our list, you will know what you need to consider to have a better conversation with your compliance advisors.

What is HIPAA?

Before talking about compliance, let’s recap the basics of HIPAA.

Signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act provides rules and regulations for medical data protection.

HIPAA does several important things. It reduces health care abuse and fraud and sets security standards for electronic billing of healthcare. It also does the same for the storage of patients’ healthcare information. The Act mandates the protection and handling of medical data, ensuring that healthcare data is kept private.

The part of HIPAA we are concerned with relates to healthcare cybersecurity. To be compliant, you must protect patients’ confidential records.

HIPAA rules have evolved. When the law was first enacted, it did not mention specific technology. As the HIPAA compliant cloud has become commonplace, it has inspired additional solutions. For example, our Data Security Cloud (DSC) is being developed to create a base infrastructure for a HIPAA compliant solution. Providing a secure infrastructure platform to ride on top of, DSC makes creating a HIPAA-compliant environment easier.

Secure infrastructure handles things at the lowest technical level that creates data, providing the key features to keep data safe. These features include separation/segmentation, encryption at rest, a secure facility at the SOC 2 level of compliance, and strict admin controls among other required security capabilities.

Why Is HIPAA Compliance Important?

HIPAA compliance guidelines are incredibly essential. Failure to comply can put patients’ health information at risk. Breaches can have a disastrous impact on a company’s reputation, and you could be subject to disciplinary action and strict violation fines and penalties by CMS/OCR.

Last year’s Wannacry ransomware attack affected more than 200,000 computers worldwide, including many healthcare organizations. Most notably, it affected Britain’s National Health Service, causing severe disruptions in the delivery of health services across the country.

To gain access to the systems, hackers exploited vulnerabilities in outdated versions of Windows that are still commonly used in many healthcare organizations. With medical software providers offering inadequate support for new OS’s and with medical devices such as MRIs lacking security controls, the attack was easy to carry out.

The attack demonstrated the strength of today’s hackers, highlighting the extent to which outdated technologies can pose a problem in modern organizations. This is precisely why HIPAA also regulates some aspects of technology systems used to store, manage, and transfer healthcare information.

The institutions that fail to implement adequate systems can suffer significant damage. If a breach takes place, the law requires affected organizations to submit various disclosure documents, which can include sending every subject a mailed letter. They may also be required to offer patients a year of identity protection services. This can add up to significant dollars, even before confirming the extent of the breach.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule creates national standards. Their goal is to protect medical records and other personally identifiable health information (PHI).

It applies to three types of companies: providers, supply chain (contractors, vendors, etc.) and now service providers (such as data centers and cloud services providers). All health plans and healthcare clearinghouses must be HIPAA compliant.

The rules also apply to healthcare providers who conduct electronic health-related transactions.

The Privacy Rule requires that providers put safeguards in place to protect their patients’ privacy. The safeguards must shield their PHI. The HIPAA Privacy Rule also sets limits on the disclosure of ePHI.

It’s because of the Privacy Rule that patients have legal rights over their health information.

These include three fundamental rights.

• • First, the right to authorize disclosure of their health information and records.
  • Second, the right to request and examine a copy of their health records at any time.
  • Third, patients have the right to request corrections to their records as needed.

The HIPAA Privacy Act requires providers to protect patients’ information. It also provides patients with rights regarding their health information.

What Is The HIPAA Security Rule

The HIPAA Security Rule is a subset of the HIPAA Privacy Rule. It applies to electronic protected health information (ePHI), which should be protected if it is created, maintained, received, or used by a covered entity.

The safeguards of the HIPAA Security Rule are broken down into three main sections. These include technical, physical, and administrative safeguards.

Entities affected by HIPAA must adhere to all safeguards to be compliant.

Technical Safeguards

The technical safeguards included in the HIPAA Security Rule break down into four categories.

• • First is access control. These controls are designed to limit access to ePHI. Only authorized persons may access confidential information.
  • Second is audit control. Covered entities must use hardware, software, and procedures to record ePHI. Audit controls also ensure that they are monitoring access and activity in all systems that use ePHI.
  • Third are integrity controls. Entities must have procedures in place to make sure that ePHI is not destroyed or altered improperly. These must include electronic measures to confirm compliance.
  • Finally, there must be transmission security. Covered entities must protect ePHI whenever they transmit or receive it over an electronic network.

The technical safeguards require HIPAA-compliant entities to put policies and procedures in place to make sure that ePHI is secure. They apply whether the ePHI is being stored, used, or transmitted.

Physical Safeguards

Covered entities must also implement physical safeguards to protect ePHI. The physical safeguards cover the facilities where data is stored, and the devices used to access them.

Facility access must be limited to authorized personnel. Many companies already have security measures in place. If you don’t, you’ll be required to add them. Anybody who is not considered an authorized will be prohibited from entry.

Workstation and device security are also essential. Only authorized personnel should have access to and use of electronic media and workstations.

Security of electronic media must also include policies for the disposal of these items. The removal, transfer, destruction, or re-use of such devices must be processed in a way that protects ePHI.

Administrative Safeguards

The third type of required safeguard is administrative. These include five different specifics.

• • First, there must be a security management process. The covered entity must identify all potential security risks to ePHI. It must analyze them. Then, it must implement security measures to reduce the risks to an appropriate level.
  • Second, there must be security personnel in place. Covered entities must have a designated security official. The official’s job is to develop and implement HIPAA-related security policies and procedures.
  • Third, covered entities must have an information access management system. The Privacy Rule limits the uses and disclosures of ePHI. Covered entities must put procedures in place that restrict access to ePHI to when it is appropriate based on the user’s role.
  • Fourth, covered entities must provide workforce training and management. They must authorize and supervise any employees who work with ePHI. These employees must get training in the entity’s security policies. Likewise, the entity must sanction employees who violate these policies.
  • Fifth, there must be an evaluation system in place. Covered entities must periodically assess their security policies and procedures.

Who Must Be HIPAA complaint?

There are four classes of business that must adhere to HIPAA rules. If your company fits one of them, you must take steps to comply.

The first class is health plans. These include HMOs, employer health plans, and health maintenance companies. This class contains schools who handle PHI for students and teachers. It also covers both Medicare and Medicaid.

The second class is healthcare clearinghouses. These include healthcare billing services and community, health management information systems. Also included are any entities that collect information from healthcare entities and process it into an industry-standard format.

The third class is healthcare providers. That means any individual or organization that treats patients. Examples include doctors, surgeons, dentists, podiatrists, and optometrists. It also includes lab technicians, hospitals, group practices, pharmacies, and clinics.

The final class is for business associates of the other three levels. It covers any company that handles ePHI such as contractors, and infrastructure services providers. Most companies’ HR departments also fall into this category because they handle ePHI of their employees. Additional examples include data processing firms and data transmission providers. This class also includes companies that store or shred documents. Medical equipment companies, transcription services, accountants, and auditors must also comply.

If your entity fits one of these descriptions, then you must take steps to comply with HIPAA rules.

What is the HIPAA Breach Notification Rule?

Even when security measures are in place, it’s possible that a breach may occur. If it does, the HIPAA Breach Notification Rule specifies how covered entities should deal with it.

The first thing you need to know is how to define a breach. A breach is a use or disclosure of PHI forbidden by the Privacy Rule.

The covered entity must assess the risk using these criteria:

• 1. The nature of the PHI involved, including identifying information and the likelihood of re-identification;
  2. The identity of the unauthorized person who received or used the PHI;
  3. Whether the PHI was viewed or acquired; and
  4. The extent to which the risk to the PHI has been mitigated.

Sometimes, PHI may be acquired or disclosed without a breach.

The HIPAA rules specify three examples.

• • The first is when PHI is unintentionally acquired by an employee or person who acted in good faith and within the scope of their authority.
  • The second is inadvertent disclosure of PHI by one authorized person to another. The information must not be further disclosed or used in a way not covered by the Privacy Rule.
  • The third occurs if the covered entity determines that the unauthorized person who received the disclosure would not be able to retain the PHI.

If there is a breach as defined above, the entity must disclose it. The disclosures advise individuals and HHS that the breach has occurred.

Personal disclosures must be mailed or emailed to those affected by the breach. A media disclosure must be made in some circumstances. If more than 500 people in one area are affected, the media must be notified.

Finally, there must also be a disclosure to the HHS Secretary.

The HIPAA Breach Notification Rule protects PHI by holding covered entities accountable. It also ensures that patients are notified if their personal health information has been compromised.

What Are The HIPAA Requirements for Compliance

The common question is, how to become HIPAA compliant?

The key to HIPAA compliance certification is to take a systematic approach. If your entity is covered by HIPAA rules, you must be compliant. You must also perform regular audits and updates as needed.

With that in mind, we’ve compiled a comprehensive checklist for use in creating your HIPAA compliance policy.

HIPAA Compliance Checklist

These questions cover the components to make you are HIPAA-compliant. You can use the checklist to mark each task as you accomplish it. The list is intended to be used for self-evaluation.

Have you conducted the necessary audits and assessments according to National Institutes of Standards and Technology (NIST) Guidelines?

The audits in question involve security risk assessments, privacy assessments, and administrative assessments.

Have you identified all the deficiencies and issues discovered during the three audits?

There are several things to consider before doing the self-audit checklist. You need to ensure that all security, privacy, and administrative deficiencies and issues are appropriately addressed.

Have you created thorough remediation plans to address the deficiencies you have identified?

After covering the deficiencies and issues mentioned above, you need to provide remediation for each group.

Do you have policies and procedures in place that are relevant to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule?

You must be aware of these three critical aspects of a HIPAA compliance program and ensure each is adequately addressed.

• • Have you distributed the policies and procedures specified to all staff members?
    • Have all staff members read and attested to the HIPAA policies and procedures you have put in place?
    • Have you documented their attestation, so you can prove that you have distributed the rules?
    • Do you have documentation for annual reviews of your HIPAA policies and procedures?
  • Have all your staff members gone through basic HIPAA compliance training?
    • Have all staff members completed HIPAA training for employees?
    • Do you have documentation of their training?
    • Have you designated a staff member as the HIPAA Compliance, Privacy, or Security Officer as required by law?
  • Have you identified all business associates as defined under HIPAA rules?
    • Have you identified all associates who may receive, transmit, maintain, process, or have access to ePHI?
    • Do you have a Business Associate Agreement (Business Associate Contract) in place with each identify you have identified as a Business Associate?
    • Have you audited your Business Associates to make sure they are compliant with HIPAA rules?
    • Do you have written reports to prove your due diligence regarding your Business Associates?
  • Do you have a management system in place to handle security incidents or breaches?
    • Do you have systems in place to allow you to track and manage investigations of any incidents that impact the security of PHI?
    • Can you demonstrate that you have investigated each incident?
    • Can you provide reporting of all breaches and incidents, whether they are minor or meaningful?
    • Is there a system in place so staff members may anonymously report an incident if the need arises?

As you work your way through this checklist, remember to be thorough. You must be able to provide proper documentation of your audits, procedures, policies, training, and breaches.

As a final addition to our checklist, here is a review of the general instructions regarding a HIPAA compliance audit.

• • If a document refers to an entity, it means both the covered entity and all business associates unless otherwise specified
  • Management refers to the appropriate officials designated by the covered entity to implement policies, procedures, and standards under HIPAA rules.
  • The covered entity must provide all specified documents to the auditor. A compendium of all entity policies is not acceptable. It is not the auditor’s job to search for the requested information.
  • Any documents provided must be the versions in use as of the audit notification and document request unless otherwise specified.
  • Covered entities or business associates must submit all documents via OCR’s secure online web portal in PDF, MS Word, or MS Excel.
  • If the appropriate documentation of implementation is not available, the covered entity must provide examples from “equivalent previous time periods” to complete the sample. If no such documentation is available, a written statement must be provided.
  • Workforce members include:
    • Entity employees
    • On-site contractors
    • Students
    • Volunteers
  • Information systems include:
    • Hardware
    • Software
    • Information
    • Data
    • Applications
    • Communications
    • People

Proper adherence to audit rules is necessary. A lack of compliance will impact your ability to do business.

In Closing, HIPAA Questions and Answers

HIPAA rules are designed to ensure that any entity that collects, maintains, or uses confidential patient information handles it appropriately. It may be time-consuming to work your way through this free HIPAA self-audit checklist. However, it is essential that you cover every single aspect of it. Your compliance is mandated by law and is also the right thing to do to ensure that patients can trust you with their personal health information.

One thing to understand is that it is an incredible challenge to try to do this by yourself. You need professional help such as a HIPAA technology consultant. Gone are the days you can have a server in your closet at the office, along with your office supplies. The cleaning personnel seeing a print out of a patient’s file constitutes a ‘disclosable’ event.

Screen servers, privacy screens, and professionally-managed technology solutions are a must. Just because you use a SAS-based MR (Medical Records) solution, does not mean you are no longer responsible for the privacy of that data. If they have lax security, it is still the providers’ responsibility to protect that data. Therefore the burden of due diligence is still on the provider.

Phoenix NAP’s HIPAA compliant hosting solutions have safeguards in place, as audited in its SOC2 certifications. We provide 100% uptime guarantees and compliance-ready platform that you can use to build secure healthcare infrastructure.