What Must You Do to Make Your Organization HIPAA-Compliant?

August 21st, 2018

Meeting the stringent standards set by regulators is one of the major challenges that small business leaders face. The Health Insurance Portability and Accountability Act (HIPAA) and the associated Health Information Technology for Economic and Clinical Health Act (HITECH) are two such federal regulations that apply to every healthcare organization (a "covered entity") as well as to the vendors and service providers (the "business associates") that handle patient data on its behalf.

In other words, if your business creates, receives, stores, or transmits protected health information (PHI), or is likely to do so in the future, then compliance is mandatory. Failing to meet the security and privacy standards laid out by HIPAA may result in crippling fines, not to mention greatly reduced trust and lasting damage to your reputation.

Identifying the Risks Facing Your Organization and Its Data

As with most compliance strategies, becoming HIPAA-compliant begins with a risk assessment that uncovers and documents potential threats and vulnerabilities, both online and offline. HIPAA was enacted over two decades ago, when the technology landscape was very different than it is today, and its Security Rule was deliberately written to be technology-neutral, so many of its technical requirements are open to interpretation. The HITECH Act, passed in 2009, raised the penalties for non-compliance, added breach notification requirements, and made business associates directly liable for following the same safeguards as the healthcare entities they serve.

You’ll need to assign a privacy officer and a security officer to carry out the risk assessment of your current working environment. This requires a complete inventory of your technology infrastructure, paying special attention to every device and system that stores or transmits electronic PHI (ePHI).

Given the wide array of different devices used in the modern workplace, such as employee-owned portable computers and smartphones, this step can be complicated. You’ll need to look at your entire portfolio of devices, employee- or company-owned, as well as any hosted resources, such as cloud storage systems or web apps that access PHI.

Armed with your technology inventory, the next step is to carry out the actual risk assessment. For each system that holds ePHI, identify the threats it faces, such as outdated or unpatched software, lost or stolen devices, and fire, flood, or other natural disasters, and estimate the likelihood and impact of each. Any pre-existing security policies and controls will also need to be evaluated to see how far they already reduce those risks, and the whole assessment must be documented, since auditors will ask for it.

Implementing Your Security and Privacy Policies

Your technology inventory and risk assessment form the foundation of your entire compliance strategy, because the controls you choose must map back to the risks you documented. HIPAA’s Security Rule groups those controls under three umbrellas: administrative, physical, and technical safeguards.

The HITECH legislation also adds clarity to exactly what sort of safeguards you’re legally obligated to implement. Each safeguard comes with implementation specifications that are either required or addressable. Required specifications are compulsory for everyone. Addressable specifications are not optional: you must assess whether each one is reasonable and appropriate for your environment, and either implement it or document why an alternative control provides equivalent protection. This matters most in situations such as allowing employees to use their own devices for work or outsourcing your IT to a managed services provider. The safeguards stipulate the following actionable measures:

  • Assign a security and privacy officer (this can be the same employee)
  • Define access controls, including a unique user ID for every person who touches ePHI, an emergency access procedure, and strong authentication such as multifactor authentication
  • Implement audit controls that record and regularly review activity on systems holding ePHI, and repeat the risk assessment whenever new systems are installed
  • Ensure the integrity of electronic PHI to prevent unauthorized modification
  • Restrict physical access to data-bearing systems and printed PHI

Assembling your security policies and other safeguards is just one step toward achieving HIPAA and HITECH compliance. It’s important to remember that humans remain the weakest link in the cybersecurity chain, and security policies are only as effective as the ability of your workers to follow them. That’s why the law also requires regular ongoing security and privacy training for all employees who work for covered entities and their business associates.

HIPAA requires that every workforce member be trained when they join, whenever their role or your policies change materially, and through periodic security reminders thereafter; most organizations meet this with an annual refresher. The goal is that employees always know how to avoid data breaches and, even more importantly, how to identify and report them. Remember, the digital threat landscape evolves alongside technology, hence the need for a dynamic and ongoing training program.

ATS Tech Solutions helps healthcare organizations and their associates achieve HIPAA and HITECH compliance with IT solutions tailored to the specific needs of the industry. Contact us today to schedule your free network health check.