“One of the challenges you may have faced with HIPAA is that it is designed with the largest healthcare organizations in mind and does not scale down easily to small and medium-sized businesses. In today’s article, we will offer practical advice on tackling HIPAA challenges regardless of the size of your business. I hope you will find our tips worth your reading time.”
Our approach pivots the traditional advice, making compliance practical and easier to follow.
Pitfall: Creating non-HIPAA compliant Technical and Cybersecurity systems
Solutions:
- Create a Cybersecurity program including policies, procedures and technical controls to address all specific HIPAA requirements.
- Select a Cybersecurity framework to guide your policies and procedures, such as NIST CSF.
- Select the right maturity level of your Cybersecurity program based on HIPAA requirements and your organization’s legal, compliance, contractual and business needs.
- Perform a risk assessment to understand your areas of risk and the severity of each risk identified.
- Perform a gap analysis and formulate a plan to remediate deficient areas.
- Prioritize your remediation plan to address highest risk items first.
- Gain management approval and funding to implement your Cybersecurity program and remediation plan.
- A Cybersecurity program and remediation plan without moral and financial support from your executive team is destined to fail.
- Start implementing your remediation plan in the agreed priority order.
- Prioritize areas such as:
  - Physically secure access to systems containing electronic Protected Health Information (ePHI).
  - Implement Multi-Factor Authentication (MFA) controls, even on devices that never leave your facility.
  - Perform a review of access rights to systems containing ePHI: remove inactive accounts and adjust permissions for active accounts.
  - Encrypt all devices containing ePHI, prioritizing mobile devices that leave your facility.
  - Do not allow any non-controlled devices, especially personally owned devices, to access any system containing ePHI.
  - Make sure all your software is current; patch, upgrade or retire as necessary.
  - Make sure your Endpoint Detection and Response software is active and current.
  - Monitor systems for unusual activity that may indicate an attempted or actual compromise.
Pitfall: Failure to manage data according to HIPAA requirements
Solutions:
- Perform a data classification exercise.
- Inventory all systems containing ePHI and other protected information.
- Classify each data element, or group of data elements, in all systems.
- Classify each system based on the highest classification of data it contains.
- Implement access controls commensurate with classification of each system.
- All access to systems containing ePHI must use a unique user identifier and, where technically feasible, be authenticated using multi-factor authentication.
- Review and adjust access levels periodically.
- Identify all vendors that manage or have access to your ePHI, including both SaaS providers and vendors supporting your systems on premises:
  - Electronic Health Record systems (EHR)
  - Productivity systems (e.g., Office 365)
  - Storage (online and backup)
  - Other vendors that have access to your ePHI
- Create a comprehensive vendor management program including:
  - Due diligence
  - HIPAA requirements compliance
  - Technical requirements compliance
- Inventory all media containing ePHI and protect media in line with HIPAA requirements:
  - Encrypt all media containing ePHI.
  - Make sure all portable media has an identifiable owner.
  - Sanitize media before reuse, maintenance or disposal.
  - Dispose of media in line with HIPAA requirements.
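The classification and access-review steps above, as an added example that is not part of the original article: a small Python audit that derives each system's classification from its data elements and then checks accounts against the controls the list calls for (unique user identifiers, MFA, removal of inactive accounts). The classification labels, the 90-day inactivity threshold, the "shared-" naming convention and the inventory data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Classification scheme, lowest to highest (assumed labels; the article does not prescribe any).
LEVELS = ["public", "internal", "confidential", "ephi"]
@dataclass
class Account:
    user_id: str        # login name; a "shared-" prefix marks a group login (constructed convention)
    last_login: date
    mfa_enabled: bool
    active: bool = True
@dataclass
class System:
    name: str
    data_elements: dict  # data element -> classification label
    accounts: list

def classify_system(system):
    """A system takes the highest classification of any data element it contains."""
    return max(system.data_elements.values(), key=LEVELS.index)
def review_access(system, today, inactive_days=90):
    """Return (user_id, issue) findings where an account does not meet the controls for the system's level."""
    level = classify_system(system)
    findings = []
    for acct in system.accounts:
        if acct.active and (today - acct.last_login).days > inactive_days:
            findings.append((acct.user_id, "inactive account still enabled"))
        if level == "ephi" and acct.active:
            if acct.user_id.startswith("shared-"):
                findings.append((acct.user_id, "shared login; unique user identifier required"))
            if not acct.mfa_enabled:
                findings.append((acct.user_id, "MFA not enabled"))
    return findings
# Constructed inventory: an EHR holding ePHI and an intranet holding only internal data.
TODAY = date(2024, 6, 1)
EHR = System("ehr", {"patient_name": "ephi", "diagnosis": "ephi", "building": "internal"}, [
    Account("j.doe", date(2024, 5, 28), mfa_enabled=True),
    Account("shared-frontdesk", date(2024, 5, 30), mfa_enabled=False),
    Account("r.roe", date(2024, 1, 15), mfa_enabled=True),
])
INTRANET = System("intranet", {"lunch_menu": "public", "org_chart": "internal"}, [
    Account("j.doe", date(2023, 12, 1), mfa_enabled=False),
])

if __name__ == "__main__":
    for system in (EHR, INTRANET):
        print(f"{system.name}: classified {classify_system(system)}")
        for user_id, issue in review_access(system, TODAY):
            print(f"  {user_id}: {issue}")
```

The same structure can be fed from a real account export; the point is that the required controls follow from the system's classification, so a reclassified system automatically changes what the review flags.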
Pitfall: User activities that are not HIPAA compliant
Solutions:
- Create and enforce an acceptable use policy defining rules for use of company IT systems and access to ePHI.
- Be very specific about what is allowed and what is not – gray areas may lead to undesired behavior.
- Define acceptable ways to communicate ePHI internally and externally.
- Define procedures for reporting policy breaches.
- Include sanctions in your policy.
- Define sanctions for different levels of infractions and for repeat offenders.
- Ensure staff are trained and prepared to handle ePHI.
- Conduct periodic HIPAA and Cybersecurity Awareness training, including topics such as:
  - System usage and cybersecurity hygiene
  - Password management
  - Phishing and similar attacks
  - Social breaches – talking about patients
  - Employee curiosity
  - Messaging ePHI
  - Accessing and storing ePHI from unauthorized locations
- Perform simulated phishing testing.
  - Users who fail phishing tests should receive additional mandatory training.
- Periodically test your users on HIPAA and cybersecurity practices
- Create a culture that encourages employee honesty and integrity
Pitfall: Not managing Business Associates Agreements (BAA)
Solutions:
- Carefully evaluate all potential business associates:
  - Perform general due diligence.
  - Ensure they have a HIPAA-aligned policy and culture.
  - Ensure they use systems that are compatible with HIPAA.
  - Ensure data retention matches the requirements of the service provided and that ePHI no longer needed will be purged in line with HIPAA requirements.
- Maintain an active roster of all Business Associates.
- Include elements specified at 45 CFR 164.504(e) in the contract or other written arrangement with Business Associates.
- Require all Business Associates to use appropriate safeguards to prevent use or disclosure of ePHI other than as provided for by the contract.
- Periodically review/audit your business associates:
  - Review SOC 2/ISO 27001/other audit reports.
  - Review security incidents.
  - Confirm employees are trained and subject to an acceptable use policy.
  - Confirm the business associate’s access to and use of ePHI is still necessary and that access is at the right level for the service provided.
- Periodically review Business Associate Agreements:
  - Look for expirations of clauses or of the entire agreement.
  - Make sure the BAA correctly covers current needs and adjust as necessary.
Pitfall: Trying to be HIPAA compliant alone
Solutions:
- Create a partnership of resources. This includes industry associations, professional peers, and 3rd party support vendors.
- Consider outsourcing some of your HIPAA compliance needs to professional service providers and advisors who keep up with regulatory changes and with the ever-changing Cybersecurity threat landscape.
- Include government resources in your program:
  - HIPAA for Professionals: https://www.hhs.gov/hipaa/for-professionals
  - Security Rule: https://www.hhs.gov/hipaa/for-professionals/security
  - NIST-based HIPAA Security Rule Toolkit: https://csrc.nist.gov/projects/security-content-automation-protocol/hipaa
  - Business Associate Guidelines: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates