The U.S. Department of Health and Human Services (HHS) – specifically, the Office of Civil Rights (OCR) - administers the HIPAA program in the United States. Generally speaking, HIPAA applies to all organizations that either see patients (called covered entities) as well as those organizations that work in a support capacity (called business associates). In this article, we're going to specifically discuss the HIPAA Security Rule.
The HIPAA Security Rule is where the majority of the cybersecurity requirements are in HIPAA. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164, and is actively enforced by OCR. While we recommend reading the Security Rule in its entirety, there are a few specific areas to address that are often overlooked.
-
There is no technical HIPAA Scan. The HIPAA security rule is composed of both documentation and technical measures that must be taken to ensure compliance with HIPAA. There is no technical scan that will make "you HIPAA Compliant."
-
There is no HIPAA Certification. HIPAA is a law that requires compliance but does not provide any certification program. The HITRUST program is a private industry certification program that can be used to attest to HIPAA Compliance but is not a substitute for full compliance with the HIPAA text.
-
Template policies are not always compliant. HIPAA requires the completion of policies that are both compliant with HIPAA and that accurately reflect your organization. Do not rely on template policies as your environment will likely not be compliant with your own policies.
-
Appointment data is protected health information. All appointment data, including data taken on websites, is PHI and protected under law. If you are hosting your own website, please either direct customers to call for an appointment or make sure you choose the right hosting provider for your business.
-
Perform your risk analysis annually. While HIPAA does not specify a specific timeline for a risk analysis, we recommend you perform one annually to ensure you're staying on top of security. In the event of a data breach, this is one of the first things OCR will ask for. (Note: A risk analysis is not the same as a vulnerability scan. Ensure that any provider you choose is using a standard risk assessment methodology, such as the NIST SP 800-30).
The HIPAA Security Rule is rather straight-forward, but we still recommend seeking legal counsel and professional security consulting advice. The fees and penalties resulting from a failed investigation are enough to put even the largest of medical organizations out of business.
Insureds can request our HIPAA Compliance Spreadsheet, and as always, for more information on this topic, please reach out to us; we're here to help!