How to ensure your business stays HIPAA-compliant in 2020

It’s been almost 25 years since the Health Insurance Portability and Accountability Act (HIPAA) came into force, but many healthcare providers and business associates still have a hard time keeping track of its requirements. Most medical records now exist in digital form, and the technology that stores and transmits them looks very different from what existed in 1996, which makes mapping the rules onto day-to-day operations even harder.

What are the safeguards you’re required to put in place?

Every covered entity, and every business associate that handles protected health information (PHI) on a covered entity’s behalf, needs to pay close attention to three key areas of safeguards and to audit itself at least yearly to confirm that its privacy and security controls are adequate. HIPAA enforcement is at an all-time high, as is the risk of a data breach, so implementing safeguards that keep pace with new and emerging threats is critical.

  • Technical safeguards – The Security Rule names the technical controls it expects (access control, audit controls, integrity, person or entity authentication, and transmission security) but leaves most implementation details to you, and several of its specifications, including encryption, are "addressable" rather than strictly required. Treat them as required in practice: every device and system that stores or transmits PHI should have encryption for data at rest and in transit, multifactor authentication, and firewalls. If you decide that an addressable specification is not reasonable and appropriate for your environment, document why and what you did instead; that written rationale is itself required.
  • Physical safeguards – Threats in the digital space get the lion’s share of attention these days, but the Security Rule also covers facility access controls, workstation use and security, and device and media controls. Security cameras, alarms, and keypad locks that restrict and log access to high-security areas of a medical facility are typical measures, as are procedures for wiping or destroying media that held PHI before it is reused or disposed of.
  • Administrative safeguards – Protecting patient privacy is as much about people and processes as it is about physical and technical measures. These are the documented policies and procedures for protecting PHI: risk analysis and risk management, a sanction policy, workforce training, contingency planning, and agreements with business associates. They shouldn’t cover only technology; they also need to address workforce behavior, such as the use of cameras in the workplace. You also need an up-to-date, fully documented employee training program, with records of who completed it and when.
Self-audit for success

HIPAA’s Security Rule requires a documented risk analysis and periodic technical and non-technical evaluation of your safeguards, and covered entities (healthcare providers, health plans, and healthcare clearinghouses) must also assess their Privacy Rule compliance. A common way to organize this work is six annual self-audits for covered entities and five for business associates. Each audit must be fully documented so that you can demonstrate your organization’s efforts to achieve and maintain compliance. The self-audits are:

  • Security risk assessments for identifying and mitigating potential security risks
  • Security standards audits for reviewing internal standards against HIPAA’s requirements
  • HITECH Subtitle D audits for ensuring breach notification requirements are met
  • Asset audits for providing visibility into all devices used to store or access PHI
  • Physical site audits for measuring the effectiveness of your site’s physical safeguards
  • Privacy assessments, which apply only to covered entities, not to business associates

Vet your business associates

Today’s increasingly complex supply chains mean that the weakest link in privacy and security is often a third party. Before you share any PHI with a vendor such as an IT provider, make sure a business associate agreement is in place, and confirm that the vendor binds its own subcontractors to the same terms. To keep onboarding and management consistent across your supply chain, use a single, repeatable process that asks the right questions to determine the level of risk each third-party relationship presents, and revisit that assessment periodically rather than only at signing.

Develop an incident response plan

The Security Rule requires all covered entities and business associates to have documented security incident procedures: how to identify suspected or known incidents, respond to them, mitigate their harmful effects, and record each incident and its outcome. The plan should fold in the Breach Notification Rule’s requirements, because the notification clock starts when a breach is discovered. A rehearsed plan helps you detect and contain a data breach quickly, greatly reducing the risk to your organization.

The HITECH Act, which supplements HIPAA, requires organizations to notify affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered. If a breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified, and breaches affecting 500 or more individuals must be reported to the Secretary of Health and Human Services within the same 60-day window. Smaller breaches must still be logged and reported to the Secretary annually, within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity it serves so that these deadlines can be met.

Intouch IT is a fully HIPAA-compliant technology provider that specializes in helping healthcare providers achieve more with a secure and managed IT environment. Call us today to find out more.