The Health Insurance Portability and Accountability Act (HIPAA) took effect in 1996, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in 2009, and the Final Omnibus Rule in 2013. Despite the years that have passed, HIPAA Privacy compliance is still a challenge for many health care organizations, and we have seen several breach incidents involving PII and, specifically, PHI.
HIPAA is United States legislation that provides data privacy and security provisions to safeguard medical information. It applies to any medical practice, health insurance plan, third-party clearinghouse, or other business involved in healthcare. Such an organization must abide by all of HIPAA's mandates, ensure that patient information is kept confidential and secure, and address several components that an entity lawfully required to be compliant has to consider. These entities are also referred to as "covered entities."
As required under the HIPAA rules, healthcare organizations must have a Business Associate Agreement with their vendors and other third parties. It is equally important to understand the data security controls in place at those business associates. HIPAA provides rules and regulations for protecting the privacy of Protected Health Information (PHI) and the security of electronic records stored or transmitted by a Covered Entity or its Business Associates. This includes PHI in any form: physical copy, electronic, or oral.
PHI consists of individually identifiable patient information such as name, health records, demographic information, contact information, Social Security Number, etc. Any company, whether it is a Covered Entity (CE) or a Business Associate (BA), that deals with PHI should have all the required security measures in place (physical, network, and process safeguards) to ensure compliance with HIPAA guidelines.
Today, healthcare providers use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, the majority of them hosted in some form of cloud environment. One of the top cloud risks is misconfigured servers, which can lead to data breaches. Another major risk is insecure APIs: organizations use APIs to transfer data to business partners without a secure architecture in place, without conducting proper vendor due diligence, and without evaluating the risks across the data flow lifecycle. Organizations still face compliance challenges, and most findings relate to basic security hygiene such as risk management, policies, data minimization, and encryption. Organizations are being fined millions of dollars, and their names appear on the HHS "Wall of Shame."
Risk management is one of the critical steps in becoming compliant with HIPAA guidelines. HIPAA requires Covered Entities and Business Associates to "conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information (ePHI)". SecurWires can help you identify the risk scenarios and implement adequate security controls to mitigate those risks. Once the controls are implemented, we perform a risk re-evaluation to confirm that the controls have been implemented correctly.
An attested report from an independent auditor is the best way to demonstrate HIPAA compliance. SecurWires follows a five-step approach to get you compliant with HIPAA.