Tips for complying with the Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act is now a federal law in full force. The web- and data-centric world we live in has made it more important for all companies to understand how the law affects them and their employees.

Companies must rely on their data management and keen ability to provide optimal data security. Every industry has a unique set of requirements for data security, and those requirements are very rarely static. This is especially true when it comes to HIPAA regulations. For hospitals, research facilities and businesses dealing with the health care industry, the regulations for maintaining patient confidentiality can be cumbersome and frequently amended or updated. A company must have a multi-pronged strategy and solution for HIPAA compliance.

Three HIPAA / HITECH trends and tips for 2016 from four Cleveland experts

From cyber security and computer forensics expert Timothy M. Opsitnick, founder, Jurinnov Ltd.

TREND: “Security must remain a constant focus and practice.”

1. Third party security review. Regular third party security reviews are essential for groups that are required to be HIPAA compliant. Security reviews are preventative and minimize the risk and damage done by the inevitable occurrence of a breach. To that end, security vulnerabilities can be identified within an organization and remediated.

2. How do you know if you must comply with HIPAA regulations? There are two types of organizations that must be compliant with HIPAA regulations: covered entities and business associates. Covered entities include health care providers, health plans, and health care clearing houses. Business associates provide services to covered entities. These are vendors that use or receive personal health information (PHI) on behalf of the covered entity. Many organizations may not even know that they are business associates. If you work with a covered entity, ask your attorney if you may be a business associate.

3. How do I get started and when is enough, enough? First, start with the third-party review to determine what you are not doing and what you do well. Second, make sure that you train your staff and know what type of data you have and where your data is kept. Third, make sure that you have an incident response plan so that you know what to do if a data breach or other security incident occurs. Finally, every organization is different and you should take a reasonable and proportional approach to compliance.

From attorney Michael D. Stovsky, partner and chair of innovations, information technology and intellectual property practice group, Benesch, Friedlander, Coplan & Aronoff LLP

TREND: “Know how the law applies and affects your company.”

4. All companies, not only health care providers, should be aware of HIPAA and compliance obligations under HIPAA. This is because the changes to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH), which went into effect a couple years ago, broaden the parties to which HIPAA applies and the compliance obligations under HIPAA. For example, companies that maintain a self-insured health plan for their employees should examine whether HIPAA and HITECH are applicable to them. Additionally, vendors to entities that must comply with HIPAA and that touch electronic protected health information will almost certainly have extensive compliance obligations under the HIPAA and HITECH.

5. If you are an entity that is required to comply with the privacy and/or security rules under HIPAA, you must make sure that the IT vendors (e.g., “cloud” vendors) with which you contract and which touch protected health information are also compliant with these rules. If your vendors are not compliant, you will not be compliant. You must be diligent in your review of vendors and their facilities and systems to ensure they are adequately protecting your protected health information and are in compliance with the policies and procedures that you have put into place. All such vendors should sign updated HIPAA Business Associate Agreements that reflect the expanded compliance obligations under HIPAA.

6. If you are a vendor to health care providers or to companies that maintain a self-insured health plan, you must carefully understand the agreements, including HIPAA Business Associate agreements that you are being asked to sign. You may now have to comply IN FULL with the HIPAA security rule, which is a very cumbersome process. Compliance with the HIPAA security rule can be cumbersome, time consuming and expensive, but it is the law and cannot be avoided by those subject to the rule. Moreover, your ability to keep doing business with your best customers may be placed at risk if you cannot represent and warrant that you are compliant. So do your diligence, understand your obligations, and act as quickly as possible to comply.

From Joseph Compton, principal, Skoda Minotti Risk Advisory Services

TREND: “Education is essential, for your workforce and business partners. Learn about training opportunities for your staff and associates.”

7. Update those risk assessments. The threat landscape is constantly changing, and an updated risk assessment will help management validate existing controls and identify areas for improved control coverage.

8. Review and update policies and procedures. Use this update process to verify that policy and procedures documented are truly followed within the organization. Update policies to match HIPAA audit program, to gain efficiencies around audit program.

9. Train staff on the HIPAA security program updates. Knowledge is a powerful tool that helps ensure an organization’s security controls function optimally. People determine the success or failure of an organization’s security program.

From data center facility-based cloud operator Kevin Goodman, managing director and partner, BlueBridge Networks

TREND: “Put tools and disciplines in place to provide high availability, reliability and security. Companies must defend and protect the data.”

10. Partner with innovative IT security firms, for frequent penetration testing and regulatory compliance services, such as HIPAA. Typical HIPAA security assessments include external, internal, wireless, VoIP, and physical penetration testing exercises, as well as social engineering techniques.

11. In the health care industry, protecting patient information means more than simply preventing identity theft and other crimes. Securing ePHI (electronic Protected Health Information) also ensures the physical safety of patients since data that are improperly altered or destroyed can lead to clinical quality problems. Your operator’s HIPAA capabilities prevent security breaches before they occur, allowing you to maintain the integrity of ePHI while ensuring patient safety.

12. You should strongly consider only doing business with entities that will execute a Business Associates Agreement (BAA). Each entity should fully understand its policies and procedures in order to facilitate compliance. When a company purports to be HIPAA compliant, ask to formally see the reports or compliance purported. How does it align with your policies and procedures? Is the report prepared by and signed off on by a third-party auditor?

Companies need to be well poised for this important work. There is a strong chance you have some HIPAA data that indeed should be handled in a way that is in compliance with the law no matter your industry. Take the time to review the law and seek outside guidance to be prepared. Frequent review, training, support, investment and preparation will go a long way in ensuring the necessary safety and security of all Protected Health Care Information.

Goodman is managing director and partner with Blue Bridge Networks, a cloud data center and managed services business headquartered in downtown Cleveland.

Crain’s Cleveland Business Article