Health Insurance Portability and Accountability Act (HIPAA) compliance is based upon identifying potential risks to Protected Health Information (PHI) and Personally Identifiable Information (PII). Completing an inventory of the PHI and PII that you hold and reviewing the current physical, administrative and technical measures that are in place to protect that data is critical to ensuring compliance with HIPAA mandates. Also key is determining what additional measures need to be put into place to mitigate the risks that have been identified.
Step1: Inventory of PHI and PII
An inventory allows for a complete account of every element of PHI that an organization holds. The inventory should include all software and applications that ‘touch’ PHI and PII, and all devices that PHI and PII are stored on or are processed on. By completing the PHI and PII inventory, you will have a single catalog that lists all forms of both data at rest and data in motion.
Step 2: Access Control
Determine who has access to each application and data store, and what level of access each entity has. An entity can be an application that accesses a data store, or an individual that can either utilize an application or directly access a data store. Evaluate what level of access each entity has, catalogue the level of access and determine if the level of access is appropriate based upon the job description of the person or process. Make appropriate adjustments to access control as appropriate.
Step 3: Device Security
Look at the physical, technical and administrative aspects of each device; this includes Mobile Device Management (MDM) for mobile devices and maintaining antivirus software and other security software. Is each device kept up to date with the most recent security patches? Being properly managed for access as per organizational policies? Physically secured to ensure individuals who are not authorized do not have access to it?
It is important to realize that device security may be challenging for devices that are FDA-approved and must be updated and maintained by vendors. For devices that cannot be kept up to date with current patches, alternate security measures will need to be implemented.
Step 4: Disaster Preparedness
Disasters do happen, and companies must be ready to respond to them at all times. Disaster preparedness necessitates regular backing up of all data; referring to your inventory (Step 1) ensures that all necessary items are effectively backed up. The backups should be tested on a regular basis to ensure they are able to be utilized should you need to restore. This means actually restoring the data and verifying that the restored data is intact. Remember to NEVER test a data restore to the live environment; if the restore fails, your live data is at risk of being corrupted. It is also recommended that your backup policy allow you to retain at least one full year of data history. It is also important to prioritize which systems are restored in which order as part of the disaster recovery process. So, in addition to having access to the data, you will also need to have access to the resources to restore the hardware and software that is utilized to access the data. Your disaster recovery plan should include the individuals within your organization as well as any vendors that may be vital to bringing your systems online.
Step 5: Staff Training and Awareness
Regular staff training must be implemented and all employees should be trained in the privacy and security policies of your organization. As the environment changes, you will need to make adjustments to your policies and procedures, and update staff training programs to ensure that your employees understand their responsibilities in maintaining the privacy, availability and integrity of the data held by your organization.
HIPAA was enacted in 1996, followed by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the final HIPAA Omnibus Rule in 2013. By the time of its publication, the HIPAA Omnibus Rule was largely considered out of date and obsolete. This means that simply meeting the minimum requirements under HIPAA may put your company in compliance with the federal regulations, but that same level of controls may not be sufficient to optimally protect your organization against an event that may impact the confidentiality, availability and integrity of your data. It is also important to realize that many states and jurisdictions have their own regulations when it comes to protected information. It is critical that your organization familiarizes itself with those regulations, and implements adequate controls to address those requirements.
At Opti9, we assist healthcare providers and enterprise businesses with HIPAA-HITECH compliance, so they can rest assured knowing their sensitive data is safe and secure. Our Managed Hosting solutions and facilities, including our flagship NY1 data center on Long Island, are HIPAA-HITECH compliant to improve efficiency, reduce risk and enable organizations to focus on their core business: healthcare services and patient care. To learn more about Opti9’s HIPAA-HITECH compliant Cloud and IT Infrastructure solutions, click here.