Our phones have been ringing off the hook the past few weeks (which is a good thing!) and we anticipate that this will continue as customers, prospects and partners work to get their arms around the new U.S. Department of Health and Human Services (HHS) Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule that took effect this week. While business associates have until September 23 to reach compliance, the Rule, which encompasses new requirements and modifications to the Privacy and Security Rules, could present some confusion in the marketplace.
To help, we partnered with Coalfire to provide our readers with the following top five tips to ensure a speedy transition. For further reading, you can also check out our joint-byline article with Andrew Hicks of Coalfire, published by “Electronic Health Report”, as well as the press release we issued today.
- Know if you need to be compliant. Many people do not realize that shredding companies and office cleaning crews, which may see patient data without realizing it, are now liable. Anyone who has access to PHI, regardless of their role or how far removed they are from the covered entity, is now fully in scope.
- Take a solid inventory of where data lives. Data is constantly being transmitted back and forth between applications, web servers and file servers, yet many organizations lack a comprehensive inventory of where all of this data resides. Without one, the risk of each storage location cannot be accurately assessed. Organizations must be able to control physical and logical access to patient information and proactively protect against inappropriate access at every exchange point, and that is impossible without a solid inventory.
- Conduct a risk analysis and data classification. HIPAA clearly requires companies to complete a thorough risk assessment of the storage, processing and transmission of ePHI. The risk to that data needs to be clearly defined, and any control gaps need to be outlined.
- Control the flow of ePHI via mobile devices. While HIPAA contains no specific requirement addressing mobile devices, tablets and smartphones frequently hold ePHI. Organizations need to implement corporate BYOD policies and put controls in place, including passwords and remote management capabilities, to protect this data.
- Know the definition of encryption. There is a lot of confusion around encryption because many people interpret this addressable specification as optional. Addressable does not mean optional: an addressable specification must be implemented where reasonable and appropriate, and where it is not, the organization must document why and implement an equivalent alternative measure. Some organizations see “encryption”, evaluate what it entails, and decide that it costs too much or is too difficult to implement. If there is a security breach, HHS officials will first ask whether the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that may be at risk. This documentation serves as a road map for developing action items prioritized by level of risk. When a breach occurs, organizations need to demonstrate their due diligence by showing that all risks were acknowledged, especially those that cannot be technically met. We cannot stress enough how thorough this documentation should be – it should be supported by a risk management program and updated at least annually or whenever new risks are introduced. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.