What HIPAA Means for Covered Entities and Business Associates

What is HIPAA? How does HIPAA apply to my business and what must I do to ensure I’m HIPAA compliant? Watch as our HIPAA Expert, Stephanie Rodrigue, walks us through the ins and outs of HIPAA and protecting ePHI for covered entities and business associates.

Stephanie Rodrigue Explains HIPAA’s Impact on Covered Entities & Business Associates

What is HIPAA?

HIPAA refers to laws that apply to covered entities and business associates regarding the privacy, security, and accessibility of electronic protected health information (ePHI). Covered entities and business associates use this information to provide services to the public such as medical care and the filing and billing of medical claims. Covered entities include doctors’ offices, hospitals, healthcare providers, health plans, and healthcare clearinghouses. Because these entities collect health information directly from the patient, it’s probably obvious that they are responsible for protecting ePHI.

But there are actually many types of companies providing services such as data storage, analytics, marketing, billing, collections, and practice management that receive ePHI from a covered entity and are also responsible for protecting ePHI under the HIPAA Security and Privacy Rules. The HIPAA/HITECH Act is enforced by the Office for Civil Rights (OCR) through a required notification, audit, and fine program. If a covered entity or business associate does not have proper safeguards in place to protect ePHI, a breach of this information can occur, and fines will be assessed and issued by the OCR.

Understanding how to protect ePHI is a critical responsibility of covered entities and business associates because HIPAA laws dictate how this private information is received, transmitted, and stored and how it is made accessible to the patient.

If you clicked on a video entitled “What is HIPAA?”, then you’re probably pretty new to this topic. So I’d like to start by defining some of the terms that you’re going to encounter. First, HIPAA is an act that was passed in 1996 and updated in 2009 with the HITECH Act. And these provide the rules for the privacy and security of protected health information. Protected health information is commonly referred to by the acronym “PHI”, and it’s the information that’s collected about the health care or payment for health care that can be directly linked to an individual.

Covered entities commonly collect this information. These are doctors’ offices, hospitals, other health care providers, health plans, and health care clearinghouses.

Another group that comes into contact with PHI are the business associates and these are people or organizations that provide services on behalf of a covered entity.

I hope that this information provides a little bit of help for you. If you have more questions please feel free to contact us.

What Does A Complete Risk Analysis Planning Process Look Like?

Why are we spending time on three separate sessions about risk analysis? A formal risk analysis is required under the Security Rule, it’s something organizations consistently struggle with, and it has benefits beyond meeting the Security Rule requirement. Let’s get started.

In this session, we’ll discuss the five key elements of planning a HIPAA risk analysis.

  1. Goal: There are several goals to have in mind during your organization’s risk analysis. You should aim to create a thorough, complete planning process so that you don’t end up with incomplete results. You should also aim to measure risk instead of strict compliance. Our goal is to teach you the difference between a HIPAA risk analysis and a HIPAA gap analysis. A risk analysis asks, “How much exposure do we have to unauthorized access or disclosure of ePHI? What else do we need to do to reduce risk?” A gap analysis, by contrast, asks, “How are we doing compared to what the regulations require?”
  2. Resources: During the planning process, you should assess your resources by asking: Who will lead the project? Do they have proper experience in conducting risk analyses? Do they have leadership support? Have they reviewed past risk analyses?
  3. Scope: Risk analysis applies to all electronic PHI, whether created, received, maintained, or transmitted. We believe that when assessing scope, you need to think in terms of ePHI processing as opposed to systems. Where does PHI enter and leave your entity? We also believe that creating an ePHI workflow is key to having a complete risk analysis. The issue with ranking risks and implementing controls without a flow is that you may leave gaps between systems.
  4. Information Gathering: There are many places to look when gathering information: information gathered in ePHI flow research, past and present ePHI projects, information security incidents, interviews with key staff, documentation review, etc. It may seem obvious, but we’ll say it anyway: document your information gathering. The OCR has indicated in its security series that entities should document information on ePHI during this information collection phase.
  5. Perspectives: When you’ve completed the planning process, you might wonder: How do we ensure that we’ve accurately captured all of the information we need to properly complete a risk analysis? There are two ways to check yourself: internal and external resources. This is an appropriate time to bring in individuals who aren’t leading the project and present your findings to them. Or, you could find a third party who has expertise and who can help you decide whether you’re ready to conduct a risk analysis.

Download the full webinar to hear Mark Hinely’s case study breakdown and the Q&A portion. Contact us today for more information on risk management.

A Conversation about Trends in HIPAA Enforcement Activity

In this webinar, Joseph Kirkpatrick and Mark Hinely discuss historic and 2016 trends in OCR enforcement activity. 2016 was a record year for enforcement and these trends are the most direct way that the OCR can tell us what or where they’re looking.

Mark Hinely has chosen four cases to discuss that represent 2016 enforcement activity trends: UMass Health, St. Joseph Health, Advocate, and University of Mississippi Medical Center. Each of these organizations had breaches that led to massive penalty fines and extensive corrective actions; Advocate’s multiple breaches led to a $5.5 million fine, making it the largest ever. The trends we’re discussing deal with failure to conduct risk analysis and risk management, failure to create and implement effective policies and procedures, and failure to offer proper training to the workforce.

Joseph and Mark also engaged in a Q&A session to answer many questions regarding risk, including:

Q: How do you keep an organization’s risk analysis fresh from year to year?

A: Don’t copy and paste from last year’s risk analysis. Last year is not effective for this year. You need to determine what contains PHI that didn’t last year. Things have changed, even if you think they haven’t.

Q: How do you make a risk analysis more specific from year to year?

A: Bring in a third party assessor, or any type of third party, who can see what you can’t. Even bring in someone internal, but whose subject matter is different.

Q: What is the difference between a gap analysis and a risk analysis?

A: A gap analysis takes your organization and compares its gaps against strict, specific, published standards. A risk analysis, though, requires you to think more broadly and determine what risks are unique to your organization.

Q: What’s the difference between a risk analysis and risk management?

A: A risk analysis assesses the potential threats to an organization’s confidential information. Risk management takes the information discovered from a risk analysis and acts on it to protect the confidential information.

Listen to the full webinar to learn about each of the cases listed above, hear more of the Q&A session, and learn even further about the current trends in enforcement activity. Contact us today to speak to a HIPAA expert.

The NIST Cybersecurity Framework: A Common Language for Cybersecurity Issues

The cybersecurity realm is overwhelming – the issues, the regulations, the changes, the threats, the persistence. We’re living in a world where we hear about new breaches every day. None of us can possibly know everything about all cybersecurity issues, and that’s okay. We’re all vulnerable and overwhelmed, but that’s no excuse not to prepare and continually develop your organization’s defenses. We believe that the NIST Cybersecurity Framework is a way to start having a language and a method to understanding what the issues are and how they should be dealt with.

The core of the NIST Cybersecurity Framework includes:

  • Functions – Organization of basic cybersecurity activities at their highest level
  • Categories – Subdivisions of a function into groups of particular activities
  • Subcategories – Subcategories further divide a category into specific outcomes of technical and/or management activities
  • Informative References – Specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcome

What is the cybersecurity maturity of your organization? It’s an important question to ask and answer honestly, especially when considering the Framework Implementation Tiers:

  • Partial – Informal, reactive, limited awareness
  • Risk Informed – Approved but not implemented, the staff has adequate resources to perform their cybersecurity duties, not formalized in its capabilities to interact and share information externally
  • Repeatable – Risk management is a formal function and updated regularly, changes in business requirements are reflected in the organization-wide cybersecurity practices, your organization understands its dependencies on partners and interacts accordingly
  • Adaptive – The cybersecurity practices adapt based on lessons learned and predictive indicators, which results in continuous improvement; the organization adapts to a changing landscape in a timely manner; cybersecurity risk management is part of the organizational culture; and communication and interaction with partners occur before a cybersecurity event occurs

Healthcare organizations desperately need individuals who will volunteer to lead the conversation about cybersecurity issues; you don’t have to be a cybersecurity expert, just a good communicator. Our hope? In 5 years, everyone within an organization will understand the language of cybersecurity and will be involved in the cybersecurity conversation. It’s not just IT’s issue, or an executive’s responsibility, or the administration’s problem. Can you be the person at your organization to step up and lead the conversation?

To learn more about our HIPAA compliance services, contact us today.

PCI Requirement 12: Maintaining an Information Security Policy

When creating an information security policy, an organization must create a policy that addresses information security for all personnel. Let’s emphasize “all” – this policy is not just for the IT department but is for anyone who could be involved in some capacity with storing, processing, or transmitting cardholder data. PCI Requirement 12 helps oversee and govern an organization’s PCI DSS compliance program.

In this webinar, our panelist will discuss the 10 sub-requirements of PCI Requirement 12, which include:

Requirement 12.1 – You must keep a current set of policies accessible to all relevant personnel.

Requirement 12.2 – A risk assessment is performed at least annually, and also whenever business objectives change.

Requirement 12.3 – Develop usage policies for critical technologies.

Requirement 12.4 – Security policies must define responsibilities for all users.

Requirement 12.5 – Security management and activities must be formally assigned.

Requirement 12.6 – Implement a formal security awareness program.

Requirement 12.7 – Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.

Requirement 12.8 – Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

Requirement 12.9 – Service providers must acknowledge in writing that they are responsible for the security of cardholder data they possess or store, process, transmit on behalf of the customer, or to the extent that they could impact the security of the cardholder data environment.

Requirement 12.10 – Implement an incident response plan.

The PCI DSS isn’t just a technical standard; it includes people, processes, and technology. Furthermore, your organization’s policies and procedures are not just pieces of paper. They are an executive-level edict that defines how the business will be run. It’s not enough to have policies and procedures. You must make sure that your policies and procedures are effective and actually implemented, so that they function properly and as you designed them. If your policies aren’t functioning, then you don’t have a policy.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.