If your company qualifies as a covered entity under HIPAA, now is a good time to review your compliance efforts and fill in any gaps -- before the feds come calling.
We expect to see the Centers for Medicare and Medicaid Services -- the unit within the Department of Health and Human Services responsible for compliance with the Health Insurance Portability and Accountability Act -- place greater emphasis on proactive enforcement in the coming year. The impetus is a report issued in October by the HHS inspector general that faults CMS for not providing effective oversight and enforcement of HIPAA security. We're also watching closely to see how the pending appointment of a Cabinet secretary for HHS and the Obama administration's plan to update the nation's electronic medical records system affect HIPAA enforcement.
A common complaint about HIPAA is that the details tend to be fuzzy -- there's no product companies can buy to magically get compliant, and there's no sanctioned checklist to guide you to certification. This is, to a large extent, by design: One goal of HIPAA was to be a one-size-fits-all, technology-neutral regulation.
Many information security pros enjoy this flexibility, while some wish for more guidelines. Whatever your stance, HIPAA requires that IT groups tailor a security program to their specific environments. To help, we pulled together 10 steps that should put companies well on their way to building a security program that will pass muster, just in case the feds come knocking. We've included the basics here; find an expanded version in our special InformationWeek Analytics HIPAA Alert.
1. Assign A Security Official
Sounds basic, and most large organizations have designated an information security officer. But smaller shops may not recognize the value of having a single person responsible for coordinating all HIPAA activities. This doesn't mean the security official does all the work; rather, this is the person who tracks compliance requirements and brings projects to the internal groups responsible for implementation.
2. Determine Your Individual Risks
The essence of HIPAA is establishing a sustainable security management process to reduce risks and vulnerabilities to a reasonable level. This process consists of assessing risk, mitigating identified risks, and documenting risk management processes and procedures. It all starts with a risk assessment, which must be conducted at least every five years.
Your risk assessment will guide nearly all of your other implementation steps. But remember: Any assessment is just a snapshot of a point in time, and computing environments are constantly changing. This is why the concept of a security management process is so important. Every time a new system comes online, or a change to an existing system is proposed, the risks need to be assessed. It's at this point that you can decide whether the risk is acceptable, can be transferred using insurance or some other strategy, or needs to be mitigated.
Your Fines May Vary
Sure, $100,000 might not break the bank, but CVS felt the sting
Settlement agreed to in February by CVS pharmacy chain, HHS, and the FTC over potential HIPAA violations
Fine levied against Providence Health System in July 2008 for security lapses
Data: U.S. Department of Health and Human Services
3. Document Everything
Government security requirements are big on documentation, and HIPAA is no exception. The need for documented policies and standards comes up often in HIPAA's Security Rule. CMS provides a list of sample questions for HIPAA security audits; most involve review of documentation, starting with policies and procedures (see www.cms.hhs.gov/securitystandard).
What needs to be included in your policies and procedures? A good place to start is with the standards in the Security Rule. This introduces a key concept in HIPAA: Standards are either "required" or "addressable." Obviously, required standards have to be implemented, although most of them still provide enough room to customize to your environment. Addressable standards are interesting because they can be met by deciding (and documenting) that a standard isn't applicable to your environment, or that you've addressed the standard in an alternative manner.
4. Know Your Users
CMS says that information access management and access control are the two most commonly violated provisions of the Security Rule. Information access management comprises your policies and procedures to authorize access to personal health information. Once a user is authorized to access that information, for example, how will she gain that access? In many organizations, it was common practice for people, especially providers moving among patients, to use a common account for access to patient systems, even leaving computers logged on for the next user. If you fell for this convenience, now is the time to repent. Every user must have a unique identifier to access patient data.
5. Prepare For Incidents
HIPAA requires that procedures be in place to identify and respond to security incidents, minimize the harmful effects of incidents, and document them and their resolution. Your incident response needs will be driven by your risk assessment. If Internet attacks are a high risk, you may decide that complex intrusion-detection systems are called for. Large companies may need to have standing incident response teams with forensics experts on staff, while smaller companies could assign these duties to existing staff and plan to outsource specialized tasks during an incident. Whatever your size, documentation of incidents that happen is crucial.