Addressing HIPAA Privacy Rules and Cybersecurity for Hospitals and Health Systems
Managing HIPAA compliance can be a messy, complex process, especially for hospitals and health systems that manage compliance for hundreds of individual clinics and practices. It can be difficult to track, maintain and report on risk management and cybersecurity efforts. Many organizations still rely on time-consuming manual processes such as spreadsheets and emails for compliance, which can require a significant investment of time, money, and resources.
With the increase in breaches in healthcare, it is critical for hospitals to prioritize and maintain their compliance. By skimping on HIPAA requirements and security best practices, organizations are not only more vulnerable to cybercrime, but also at risk of regulatory fines and penalties. Healthcare data breaches are going up across the board, and the frequency of OCR fines is increasing because hospitals and other healthcare organizations neglect HIPAA requirements. So how can you effectively protect your organization while avoiding these costly fines and penalties? Let’s discuss HIPAA compliance for hospitals one step at a time.
The HIPAA Safe Harbor Rule and TEFCA
First, some good news. The HIPAA Safe Harbor Rule incentivizes cybersecurity best practices for healthcare organizations and business associates. The Safe Harbor Rule allows for reduced fines and penalties for HIPAA violations if an entity subject to HIPAA has adopted specified cybersecurity practices. To put it simply, if you are audited due to a data breach but can prove that you have cybersecurity measures in place, you can avoid penalties. Additionally, TEFCA (Trusted Exchange Framework and Common Agreement) outlines foundational principles for the secure sharing of healthcare information and PHI, giving further guidance on how to implement best practices.
Security Risk Assessment (SRA)
The SRA is the minimum standard in the healthcare industry for establishing and documenting security, privacy and general cybersecurity controls. In the event of an audit, one of the first questions posed is, “Have you completed a HIPAA Security Risk Assessment?” An SRA helps identify the gaps in your security program that expose your organization to risk. From there, you can create a corrective action plan that prioritizes those risks based on potential impact and work to remediate them. Anyone can perform an SRA, but it needs to be thorough and qualitative to pass an audit. Intraprise Health offers a TurboTax-like solution for completing an SRA. Our SRA software, HIPAA One®, follows the OCR Audit Protocol, is based on NIST methodologies, and was specifically designed for hospitals and health systems.
We understand how important it is to streamline and automate your compliance, as well as to provide accurate data and reporting. Our customized reporting allows organizations to audit once and report many times, so you spend less time digging through data and more time eliminating risks and strengthening your security posture. For hospitals that need extra guidance, we have a team of certified assessors available to assist further.
The SRA is a cybersecurity baseline and only covers basic cybersecurity best practices. Smaller clinics and business associates may be able to get by with simply performing an SRA, but depending on the size and scale of your organization, it may be necessary to adopt a cybersecurity framework such as NIST or HITRUST to further mature your security program. A framework is a big step up from an SRA, offering a more comprehensive approach to cybersecurity and risk management. Many industry leaders see cybersecurity frameworks as the gold standard for security programs. An important distinction between regulatory compliance and adopting a framework is mandatory vs. voluntary. Healthcare organizations and their business associates perform an SRA because they are required to; progressive organizations across all industries adopt a cybersecurity framework because they wish to secure their systems and protect their assets with the best security practices and controls available.
Inevitability of an Audit
Your chances of experiencing a breach, given enough time, are 100%. When a breach occurs, you may have to respond to an audit. The purpose of a HIPAA audit is to gauge organizational compliance and determine whether the breach was the result of negligence or if it was unavoidable.
List of things an auditor will look for:
- Documentation – Do you have policies and procedures that are up-to-date and effective?
- Quality SRA – Have you performed an SRA, identifying compliance gaps and implementing a remediation plan?
- Ongoing Monitoring – Are you following through on the remediation plan? Do you have an ongoing program in place to detect HIPAA breaches or security incidents?
- Business Associates (BA) – Have you identified your BAs, and do you have up-to-date agreements in place with each?
- Response team – Do you have designated officials managing your security and privacy compliance?
These are the guiding factors of a strong HIPAA compliance program. If you can answer these questions affirmatively, you are in a great position to avoid penalties and fines. For any questions about what more you can do to achieve compliance, contact a member of our team.