by Dave Moore, CISSP, 08/15/2021
Do you know if your doctor, clinic or hospital is “HIPAA compliant?” Federal law says they need to be, but the latest reports from the Office for Civil Rights at the U.S. Department of Health and Human Services show a shockingly high number of medical professionals are not even close to following the rules designed to guard your health, protect your privacy, and keep you safe from Internet criminals.
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is all about how PHI (Protected Health Information) can be used and disclosed. PHI is anything that can be used to identify you, including your name, address, phone number, Social Security number, medical records, financial information, and ID photographs. PHI stored or transmitted electronically is called ePHI. For most situations, that means computers and the Internet.
Doctors, nurses, clinics and hospitals need to pay attention. I know of clinics where everyone in the building is in violation of HIPAA rules. Sort of like the uncle everyone has who brags about never wearing a seatbelt, they’ve been getting away with it for so long nobody gives the subject any serious thought, at all. If the other shoe ever drops on their floor, though, the penalties can be severe.
Whether you are a medical professional or not, the HIPAA cybersecurity rules are so close to general Internet safety rules I thought I would share them with you, so you can see what your doctors, nurses and other healthcare providers are supposed to be doing. When you see the word “compliance,” you can replace it with “Internet safety.” When you see “PHI,” feel free to substitute things like “financial” or “personal” information.
Keep in mind that, even though medical professionals are required to be “in compliance,” there is no such thing as “HIPAA compliance certification”: there are only HIPAA rules that health care providers are required to comply with and follow, and there are no government-approved compliance certifications that can be attained.
There is also no technical solution that can magically achieve HIPAA compliance. No single software program or electronic device can be installed to instantly “turn on” HIPAA compliance. Yes, there are numerous technical things that should be in place (antivirus, firewalls, encryption, strong passwords), but HIPAA compliance is also deeply rooted in personal behavior.
Doctors, nurses, receptionists, support staff, third-party vendors and anyone who touches protected health information in any way must change their behavior to be HIPAA compliant. All the technical solutions in the world will not work if they are not combined with HIPAA compliant human behavior.
There are also physical safeguards that should be employed, such as secure locks on doors, filing cabinets, computers, etc., as well as security alarm systems.
The HIPAA Security Rule is described at www.hhs.gov/hipaa/for-professionals/security/index.html. It establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Covered entities and business associates are required to perform a Security Risk Assessment (also known as a Security Risk Analysis). This analysis helps in understanding, identifying and implementing HIPAA compliance safeguards.
The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a HIPAA Security Risk Assessment Tool (found at https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool). The tool’s features make it useful in assisting small and medium-sized health care practices and business associates as they perform a risk assessment.
The Security Risk Assessment should be run before deploying computers that are expected to be HIPAA compliant, and run again each time software, hardware or network changes are made.
There are six annually required audits/assessments needed for HIPAA compliance. They cover Security Risk, Privacy, HITECH Subtitle D, Security Standards, Assets and Devices, and a Physical Site Audit. Results of the audits and assessments should be maintained for six years. These audits are often best performed by trained and certified security professionals employed by covered health care entities.
Next week: HIPAA Security, Part Two.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org.