We expect to see the Centers for Medicare and Medicaid Services -- the unit within the Department of Health and Human Services responsible for compliance with the Health Insurance Portability and Accountability Act -- place greater emphasis on proactive enforcement in the coming year. The impetus is a report issued in October by the HHS inspector general that faults CMS for not providing effective oversight and enforcement of HIPAA security. We're also watching closely to see how the pending appointment of a Cabinet secretary for HHS and the Obama administration's plan to update the nation's electronic medical records system affect HIPAA enforcement.
A common complaint about HIPAA is that the details tend to be fuzzy -- there's no product companies can buy to magically get compliant, and there's no sanctioned checklist to guide you to certification. This is, to a large extent, by design: One goal of HIPAA was to be a one-size-fits-all, technology-neutral regulation.
Many information security pros enjoy this flexibility, while some wish for more guidelines. Whatever your stance, HIPAA requires that IT groups tailor a security program to their specific environments. To help, we pulled together 10 steps that should put companies well on their way to building a security program that will pass muster, just in case the feds come knocking. We've included the basics here; find an expanded version in our special InformationWeek Analytics HIPAA Alert.
1. Assign A Security Official
Sounds basic, and most large organizations have designated an information security officer. But smaller shops may not recognize the value of having a single person responsible for coordinating all HIPAA activities. This doesn't mean the security official does all the work; rather, this is the person who tracks compliance requirements and brings projects to the internal groups responsible for implementation.
2. Determine Your Individual Risks
The essence of HIPAA is establishing a sustainable security management process to reduce risks and vulnerabilities to a reasonable level. This process consists of assessing risk, mitigating identified risks, and documenting risk management processes and procedures. It all starts with a risk assessment, which must be conducted at least every five years.
Your risk assessment will guide nearly all of your other implementation steps. But remember: Any assessment is just a snapshot of a point in time, and computing environments are constantly changing. This is why the concept of a security management process is so important. Every time a new system comes online, or a change to an existing system is proposed, the risks need to be assessed. It's at this point that you can decide whether the risk is acceptable, can be transferred using insurance or some other strategy, or needs to be mitigated.
What needs to be included in your policies and procedures? A good place to start is with the standards in the Security Rule. This introduces a key concept in HIPAA: Standards are either "required" or "addressable." Obviously, required standards have to be implemented, although most of them still provide enough room to customize to your environment. Addressable standards are interesting because they can be met by deciding (and documenting) that a standard isn't applicable to your environment, or that you've addressed the standard in an alternative manner.
4. Know Your Users
CMS says that information access management and access control are the two most commonly violated provisions of the Security Rule. Information access management comprises your policies and procedures to authorize access to personal health information. Once a user is authorized to access that information, for example, how will she gain that access? In many organizations, it was common practice for people, especially providers moving among patients, to use a common account for access to patient systems, even leaving computers logged on for the next user. If you fell for this convenience, now is the time to repent. Every user must have a unique identifier to access patient data.
7. Control Your Media
The management of devices and media used to store patient information is another top source of HIPAA violations, according to CMS. The Security Rule includes four provisions covering devices and media. HIPAA also includes provisions for tracking storage media and devices as they're moved around the facility and disposed of, as well as data backup.
8. Train Users, Then Remind Them
Users are crucial to security, but it's very easy for information security pros to assume they already understand the issues. All members of your workforce need ongoing security training. HIPAA leaves it up to you to decide what's appropriate and how training should be conducted, although the provision describes the training as "periodic security updates."
Instead, reasonable access restrictions should be implemented and followed up with audits of access trails to ensure that employees aren't looking at or modifying records they shouldn't.
10. Clean Up Old Data
This step will simplify your HIPAA compliance efforts by reducing the amount of data you need to protect. Hopefully, when you did your inventory for your risk assessment, you didn't just focus on the systems in day-to-day use but scoured the data closets for older gear and unused databases.
Once you've used your inventory to identify outdated data and systems, you need to make the classic closet-cleaner's decision: toss or keep? If there's reason to keep the data, does it need to be accessible? If not, archive it to durable media and store it in a vault or with an off-site data storage company. Data on a tape in a vault isn't susceptible to hackers or curious employees.
Avi Baumstein is an information security analyst at the University of Florida's Health Science Center.