The Health Insurance Portability and Accountability Act (HIPAA) defines and establishes compliance regulations for healthcare providers surrounding protected health information (PHI) within healthcare organizations. The consequences of non-compliance are dire, as unsecure PHI can significantly increase the risk of identity theft for patients and have long-reaching professional consequences for individuals with compromising medical histories.
Of course, the consequences for healthcare organizations are also unfortunate, with HIPAA settlements ranging from $50,000 to millions of dollars. Two such recent cases included a $4.8M settlement of New York Presbyterian Hospital/Columbia University Medical Center and a $800,000 settlement of Parkview Health System, Inc. In both of these cases, healthcare organizations used improper security protocols to store or dispose of PHI, resulting in clear HIPAA violations.
Rather than hoping your organization avoids a similar breach, healthcare companies should use HIPAA guidelines as an opportunity to proactively reduce the odds of such a breach and establish a thorough standard of patient privacy and security.
About HIPAA Compliance
HIPAA was enacted by the United States Congress in 1996. However, it didn’t gain significant attention until the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH) in established the HIPAA Breach Notification Rule requiring companies to provide full disclosure to patients and government authorities.
The core functions of HIPAA and HITECH focus on identifying management and access control to PHI, tracking administrative activities and configuration changes, monitoring access to data, and handling and encrypting data to protect from a security breach. Because each healthcare organization maintains different systems and hardware, establishing compliance in each section of the HIPAA Security Rule will vary according to systems configuration, organizational policies, and the nature of the healthcare business.
Tips for Remaining HIPAA Compliant
HIPAA compliance requires healthcare organizations to establish processes and controls to defend the security and integrity of patient’s PHI. In an increasingly hectic healthcare environment, this can be a complicated and overwhelming task for administrative and managerial employees alike.
Since organizations are required to show that use reliable access control to secure PHI, proper HIPAA compliance relies strongly on the following tips:
- Focus on visibility
Audit reports are a must-have for organizations that wish to maintain a high level of visibility. An active auditing system will not only allow increased day-to-day visibility and monitoring and allow you to prove your compliance, but also provide quick reporting to HIPAA in the case of a suspected breach or security event.
- Train every employee to care about security
Security in a healthcare organization happens on a person-by-person basis. Every employee must be trained to understand what PHI is, how to handle it, and why it is important to handle it so carefully. Follow up with stringent policies across your IT infrastructure to prevent risk from the top to the bottom of your organization.
- Follow-through on new policies
It’s not uncommon for organizations to get caught up in the news cycle of a large breach, implement new training and policies, and then slowly let those initiatives fade over time. Make a commitment to follow through on these compliance policies and raise security from an IT priority to an organizational priority. In the case of HIPAA security breaches, prevention is truly worth a pound of cure.
Further documentation and suggestions on maintaining HIPAA compliance for each of the security rules can be found on Page 3 of the HIPAA Controls and Netwrix Auditor Mapping resource.
HIPAA compliance provides important guidelines for maintaining the security of vulnerable PHI. For more information about understanding and implementing HIPAA compliance solutions for healthcare environments, click here.