Healthcare Information Security

Understanding HIPAA Compliance, Violation Concerns

Covered entities should regularly review the requirements for HIPAA compliance to avoid potential violations.

Regardless of a healthcare organization’s size, HIPAA compliance must remain a top priority. This is especially critical as technology continues to evolve and more covered entities continue to implement innovative tools such as mobile devices and HIEs.

HIPAA compliance should be regularly reviewed

However, having a thorough understanding of the federal requirements for HIPAA compliance also means that healthcare organizations must understand the potential consequences of HIPAA violations.  Consistent and comprehensive employee training should be paired with regular policy reviews and updates. HIPAA violations could lead to heavy regulatory fines and expose patients’ sensitive information.

By regularly reviewing the basics of HIPAA compliance, covered entities and their business associates will gather a better understanding of what measures they must take to keep patient data - as well as employee data - secure. Concerns over possible HIPAA violations are extremely valid, but do not need to be a detriment.

HealthITSecurity.com will outline the basics of HIPAA compliance, and touch on potential consequences should those requirements be violated. We will also discuss top concerns that healthcare organizations may have, and how those concerns can be overcome.

The 3 safeguards in HIPAA compliance

Administrative safeguards, physical safeguards, and technical safeguards are three key aspects to overall HIPAA compliance. Healthcare organizations need to understand that there is not necessarily specific requirements under each of these areas. Rather, covered entities and their business associates must find ways to meet these requirements that are applicable to their daily operations and needs.

Administrative safeguards are “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information,” according to the Department of Health and Human Services (HHS).

Each covered entity will also need to evaluate its security controls and ensure that “an accurate and thorough risk analysis” is performed.

HIPAA administrative safeguards are broken down into several main aspects:

  • Security management process
  • Assigned security responsibility
  • Workforce security
  • Information access management
  • Security awareness and training
  • Security incident procedures
  • Contingency plan
  • Evaluation
  • Business associate contracts and other arrangements

To learn more about common types of administrative safeguards, click here.

Covered entities must also understand physical safeguards when it comes to creating a comprehensive data security plan.  

According to HHS, physical safeguards are the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

For example, ensuring that laptops and other mobile devices are always kept behind a locked door when not in use would be a physical safeguard. Additionally, having security cameras at a facility would also be considered a physical safeguard.

Facility access and control, as well as workstation use and device security are the main aspects to this part of HIPAA compliance. Essentially, the physical access to facilities must be limited, while still ensuring that authorized accessed is allowed. Moreover, necessary policies and procedures that “specify proper use of and access to workstations and electronic media” are also required.

To learn more about common types of physical safeguards, click here.

Having strong technical safeguards is also important for covered entities. These safeguards refer to “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it,” according to HHS.

Technical safeguards could include two-factor authentication on devices, or ensuring that updated firewalls are on all desktop computers. Data encryption is becoming a more popular option as well, but is not necessarily a requirement for all healthcare organizations.

However, technical safeguards need to include the following considerations:

  • Access control
  • Audit control
  • Integrity control
  • Transmission security

As previously mentioned, there are no specific requirements for the type of technology to be implemented at covered entities. This is especially true when it comes to technical safeguards. However, healthcare organizations “must use any security measures that allows it reasonably and appropriately to implement the standards and implementation specifications.”
To learn more about common types of technical safeguards, click here.

What are potential consequences of HIPAA violations?

One of the major consequences that could happen should a covered entity not have the necessary protections in place is a healthcare data breach. While this can still happen even if an organization is HIPAA compliant, data breaches often take place due to a lack of one of the previously mentioned safeguards.

However, as the top healthcare data breaches of 2015 prove, the reaction to a data security incident is just as critical. Last year, the top 10 healthcare data breaches were all classified as a “hacking/IT incident.” Covered entities and their business associates may not always be able to prevent a cybersecurity attack, but this is why detection is critical. That way, an organization can hopefully put a stop to the intrusion before too much damage is done.

HIPAA violations will also likely lead to an organization facing financial fines from the Office for Civil Rights (OCR). The OCR HIPAA settlements from 2015 were all prime examples of how one small oversight could potentially have larger consequences.

For example, OCR reached a settlement agreement with Cornell Prescription Pharmacy (Cornell) in Denver, Colorado in April 2015. While Cornell is a small, single-location pharmacy that provides in-store and prescription services to patients in the area, OCR maintained that the organization needed to maintain HIPAA compliance.

Cornell was accused of improperly disposing of documents containing patient PHI. Approximately 1,600 patients’ information was found in an unlocked, open container on Cornell’s premises.

“Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper,” explained OCR Director Jocelyn Samuels, adding that PHI security is essential for entities of all sizes.

A lack of a proper risk analysis was also cited in HIPAA settlements from last year. The University of Washington Medicine (UWM) agreed to a HIPAA settlement for $750,000.

In that case, an email containing malicious malware reportedly compromised 90,000 individuals’ ePHI, according to OCR. Moreover, UWM “did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” Samuels said in a statement.

Top provider concerns include HIPAA compliance

Even with the necessary preparations and regular reviews of federal, state, and local requirements, healthcare organizations are often still worried over their HIPAA compliance. By better understanding how other covered entities view certain regulations, healthcare organizations may find a way to take a comprehensive approach that works for their daily operations.

Earlier this year, HealthITSecurity.com interviewed readers about their current approach to HIPAA compliance, and what were their other top pain points.

External data security threats, employee training, and evolving technology were cited as top concerns, with 32 percent of respondents saying that external threats to data security was the top issue. Twenty-eight percent listed employee training and evolving technology as their main concern.

In terms of the OCR HIPAA audits, 43 percent of those surveyed said that technical safeguards were the most difficult aspect, with 39 percent citing administrative safeguards.

Some survey respondents added that keeping the necessary documentation prepared for potential HIPAA audits was a key concern. Properly understanding the business associate or vendor’s responsibility in case of a breach was also listed as a difficulty.

Regular reviews, employee training

Overall, HIPAA compliance requires covered entities to regularly review federal regulations and ensure that employees have received current training and educational sessions. As organizations continue to adopt and implement new technologies, reviews are essential. This is also true when it comes to risk assessments.

While it is valid to have concerns over potential HIPAA violations, healthcare organizations cannot let that be a detriment to their regular operations or in their approach to keeping sensitive data secure. By having all three HIPAA safeguards in place, paired with regular reviews and updates as necessary, covered entities will be in a much better place to remain HIPAA compliant.