Implementing IT controls for effective HIPAA compliance in the public sector
What's the secret to ensuring HIPAA compliance? Controls and technology. IT departments are in the hot seat when it comes to making sure information is protected and that their public sector organizations stay HIPAA compliant. You need to identify major risks and compliance weaknesses, and speed up corrective action.
Learn what controls you can implement and how you can leverage technology to streamline your compliance while empowering your team to safeguard sensitive data and uphold those required regulatory standards.
What is HIPAA?
Enforced by the Department of Health & Human Services Office for Civil Rights, the Health Insurance Portability and Accountability Act is a regulation that protects the privacy of patients in healthcare organizations. It applies to many different groups — from hospitals and health plan providers, to clerks in doctors’ offices, and even the volunteers and trainees in these organizations.
HIPAA is focused on three basic issues: privacy, security and administrative simplification.
HIPAA’s Privacy Rule determines how healthcare organizations and professionals can use and disclose protected health information. This helps make sure a patient’s protected health information is only shared with appropriate people in an appropriate way, and only if the patient gives permission.
The Security Rule is concerned with electronic protected health information (ePHI) — what HIPAA defines as any personally identifiable health information (e.g., blood type, doctor, room number) that is digitally stored. The rule outlines specific expectations that organizations must meet to keep this information safe and ensure appropriate use.
The Administrative Simplification section of HIPAA involves a national standard and series of standard codes that must be followed when identifying and diagnosing medical conditions and exchanging electronic information.
HIPAA compliance isn’t optional. All affected organizations need to have a plan in place for compliance.
Public sector HIPAA compliance
Aside from the Privacy and Security Rules, there are some other key requirements for HIPAA compliance in the public sector:
Breach Notification Rule: The Breach Notification Rule mandates public sector organizations to notify affected individuals, the Department of Health and Human Services (HHS), and, in certain cases, the media, in the event of a breach of unsecured PHI.
Business Associate Agreements (BAAs): Public sector entities must have written agreements, known as BAAs, with any third-party vendors or contractors who handle PHI on their behalf. BAAs outline the responsibilities of the business associates to protect PHI and comply with HIPAA.
Training and awareness: Public sector employees and workforce members should receive HIPAA training to understand their responsibilities and the requirements for protecting PHI. Training programs should cover privacy, security, and breach notification policies.
Auditing and monitoring: Regular monitoring and audits should be conducted to assess compliance with HIPAA requirements and identify any vulnerabilities or non-compliance issues. Public sector organizations should have processes in place to address and mitigate any identified risks.
What happens if organizations don’t comply?
The healthcare sector suffered about 295 breaches in the first half of 2023 alone, according to the HHS Office for Civil Rights (OCR) data breach portal. More than 39 million individuals were implicated in healthcare data breaches in the first six months of the year.
The OCR conducts regular reviews and investigations to make sure healthcare organizations stay in compliance. If any violations are discovered, they can result in both civil and criminal penalties ranging from $100 to $250,000 per incident. Each record of data can count as a single incident.
For example, if a healthcare organization’s laptop containing 10,000 records is stolen, the fine could be $1 million or more. Healthcare professionals who knowingly disclose public health information can face even harsher penalties, like imprisonment for up to 10 years.
Anthem Inc., a licensee of Blue Cross and Blue Shield, is one organization that faced some serious penalties for non-compliance. In 2018, the company agreed to pay $16 million to the OCR for failing to implement measures that would detect hackers and prevent cyberattacks. As a result, the ePHI of 79 million people was exposed.
The data breach happened partially because Anthem:
- Didn’t conduct an enterprise-wide risk analysis
- Had insufficient procedures for regularly reviewing information system activity
- Failed to identify and respond to suspected or known security incidents
- Overlooked the implementation of adequate minimum access controls to prevent the cyber attackers from accessing sensitive ePHI.
This event is considered to be the largest U.S. health data breach in history.
HIPAA can be quite vague in its expectations for protecting against cyberattacks, so to prepare for these audits, we recommend reading The American Health Information Management Association's (AHIMA) Statement on Cybersecurity and Information Security.
So, what can be done to prevent data breaches in the future?
IT’s role in HIPAA compliance
When it comes to IT, the biggest pain is HIPAA’s Security Rule, which lays out expectations for handling and protecting ePHI. ePHI is at constant risk of being hacked, misplaced or accessed by the wrong people (intentionally or unintentionally). IT departments are on the hook for making sure this information is protected so their organizations stay HIPAA compliant.
That means IT departments are in charge of:
- Maintaining the confidentiality, integrity and availability of ePHI
- Protecting ePHI from hazards and threats
- Protecting ePHI from unauthorized use and disclosure
- Training employees to stay compliant with the rules
To make sure these responsibilities are met, the IT department must put appropriate controls in place.
HIPAA requires the protection of digitally-stored health information.
What IT controls can be implemented for HIPAA compliance?
HIPAA has a long list of required and recommended security standards and safeguards to guide IT departments in meeting the Security Rule. A combination of administrative safeguards, physical safeguards, and technical safeguards is needed for compliance.
Administrative safeguards are controls that can be implemented through administrative efforts like conducting a risk assessment. This is actually the most foundational step toward HIPAA compliance. Check out this helpful HIPAA risk assessment template to get started.
Other examples include:
- Appointing a security officer
- Setting access levels
- Determining incident procedures
- Choosing a reporting contact
- Setting up contingency plans for data emergencies
Physical safeguards are measures taken to physically restrict access to places where ePHI is stored, like hospital computers or phones. Putting procedures in place to validate a worker’s facilities access is an example of a physical safeguard.
Technical safeguards are technology tactics that can help minimize access to ePHI, such as implementing automatic logoffs after periods of inactivity, or encrypting data wherever possible.
Technology solutions like Diligent IT Compliance can be used as part of all of these safeguards.
How can I use technology to streamline HIPAA compliance?
Conducting risk assessments
Conducting an in-depth risk assessment is a first step toward preventing events like cyber attacks. By identifying all possible areas of risk, you can start to implement more specific controls.
Governance, risk and compliance (GRC) software makes it possible to conduct risk assessments and list all controls and responsible employees within the software.
If a control is neglected, it will notify the right individuals to fix the issue immediately. If, for example, a security officer isn’t appointed, your risk level increases and you’re able to take corrective action.
Testing controls
To help prevent instances of employees having wrongful access, GRC software can be used for assigning access levels to specific user profiles and conducting tests to find outliers that might have additional, unauthorized data access.
This helps IT adjust access rights proactively, and in half the time, rather than waiting for an incident to occur before taking corrective action.
Enforcing security training
Employee security training is a HIPAA requirement. To make sure your employees understand their own roles in HIPAA compliance, schedule security training regularly for the following occasions:
- During new-hire onboarding
- When there are changes to the regulation
- Periodically as check-ins
Technology can be used both to administer training and check that it’s being done. Some software can send out surveys that ask employees to confirm they have completed the required training. You can also see how employees are performing on security training and make a note of those who require additional support.
IT departments play a significant role in ensuring HIPAA compliance. Recent data breaches confirm just how serious non-compliance penalties can be. To make sure your organization is HIPAA compliant, take the time to review HIPAA’s Security Rule and implement the required and recommended administrative, physical, and technical controls.
Technology solutions are essential in each step of HIPAA compliance to identify major risks and compliance weaknesses, and speed up corrective action. It is worth exploring GRC software options as well as additional resources to help guide you toward effective compliance.
Better practices for compliance management
For the vast majority of organizations, compliance requirements are a painfully complex and expensive area to manage. And the challenge is only getting greater with an ever-growing and ever-changing number of regulations with which you need to comply.
The good news is that there is a solution to a big part of the problem. Download this eBook to learn the practical things you can do to transform your compliance processes so they become far more efficient, and far less expensive and cumbersome to maintain. At the same time, you will achieve greater assurance over the reliability of your compliance programs.
You’ll learn:
- 5 common compliance management challenges
- How to create a high-performance compliance management process
- How to transform your compliance program
- How technology can improve compliance
- What technology you need for a high-performance program
