Welcome to the final step of our Ultimate Primer for HIPAA Compliance. In this series, we’ve tackled some of the most complex and important legislation for companies handling medical data – the labyrinthine set of regulations known as HIPAA, and all of its included rules and titles. We’ve summarized the history of the HIPAA regulation and the circumstances of its creation in our first part, the general Privacy Rule in the second, and in the third part, perhaps the most important element for data providers, the Security Rule.
What we haven’t done thus far, however, is to provide solutions. Worry no more – today, we’re going to lay-out a few solutions you must implement in order to assure HIPAA compliance. We’ll discuss the first steps of testing your compliance levels, the systems to put in place to ensure said compliance, and finally, what to do when a breach does occur.
Risk Analysis and Compliance Testing
First and foremost, you must test a baseline to see where you stand in terms of compliance. Companies engaging in data transmission, storage, and destruction of health information must test their compliance through a basic series of steps.
First, do an analysis of the scope of data handled. While this is a good idea generally speaking, when it comes to HIPAA compliance, it will inform your approach as to the types of data stored, the access that might be requested, and the functions that will be performed upon said data.
Secondly, assess your general vulnerabilities and the current state of threats. You can do this in a variety of ways. There are a number of server tools that will perform penetration tests, which is a good place to start. You can conduct policy audits, contract with external firms, and even consult similar businesses. At the end of the day, however you do it, you must get a baseline understanding of the threats your data will face.
With this in mind, assess both the likelihood of attack and the potential damage that might be incurred. This will of course include assessing the value of the data, how the data is to be accessed (erased upon receipt versus storage in the cloud, for instance), and whether or not the data is stored opaquely on your servers or transparently, such as through a gateway.
Finally, once you’ve established all of this, you must also establish a plan to continually review and update your plan as new threats emerge. A system built for threats of the past are exposed to those of the future – be very, very careful, and consider your application of the given solution.
What To Do When You’re Not Compliant
So what do you do if you’re not compliant? First of all, cease all data activities. Failing to be compliant can carry penalties of millions of dollars, and in some cases, can even include prison sentences. The moment you find out you are not compliant, cease data activities, even if it means subcontracting out to someone who is compliant.
Now that you’ve paused your data processing, address the steps above. Go one by one, ensuring that you’re meeting both the Privacy and Security Rules, and implement your system before resuming data handling.
Yes, you will lose money. Yes, you might lose clients. Losing a bit of money and a few clients is better than willful negligence resulting in $1.5 Million USD in fines and ten years in prison, however – so you can decide what is the greater threat.
Implementing Proper Authorization and Authentication
Chief of the solutions you can employ here is the use of authentication and authorization. At its most basic, authentication is proving who you are, and authorization is proving you have to access the materials at hand. Using proper systems of both can ensure that your data is unmolested by all but those who must access it and that the data at hand is secured in a compliant way.
These processes are not just remote processes, either. All of your workstations and systems must be compliant, and should therefore also have heavy security systems.
Consider encryption as a chief mode of securing your data. When you encrypt a device, you are making its data unreadable by anyone except those with the proper credentials – at least in theory. With proper encryption, you are properly complying with HIPAA, and preventing unauthorized access.
This encryption is not just for production devices. Devices destined for erasure should also be encrypted to ensure that it is secure through the entire process, not just the beginning. By encrypting your drive, you can make it even harder to recover forensic data after the erasure process as well, making any data that is recovered, should some act of god make that even possible, completely unusable and unreadable.
What If a Breach Occurs?
The worst of the worst has happened. On a development branch, a piece of data was improperly encrypted, and security failure resulted in a breach. What should you do?
First, notify the affected data owners. Let them know exactly what happened, and what steps you are taking to mitigate the damage. If the breach involves more than 500 people, notify the Department of Health Services and the media in the jurisdiction of the affected parties. Immediately addressing this breach is not only the right thing to do, it can go a long way towards preventing civil and punitive legal measures from being taken against you – especially by making the issue not considered negligent, and more considered accidental.
Unfortunately, there’s no getting around it – this will be expensive, and ensuring your issues are mitigated with being costly in terms of time and resources. That being said, quick, effective, and ample communication and mitigation will turn this from a negligent case punished by up to $1.5 Million USD and ten years in prison to a $1,000 dollar fine. Obviously, it’s expensive – but one is much better than the other.
That being said, a breach should not occur if you are properly approaching HIPAA compliance. Test often, and audit your systems constantly. Hire penetration testers, hit your servers with high loads, really put it through the wringer – the more you do now, the more secure you will be in your compliance.
Use Good Tools
Tools are a huge part of ensuring proper function, here, so if you use tools for something like data erasure, they must be fully featured and compliant. Something like ClaraWipe is great, because not only does it erase data securely, it does so using government standards that are HIPAA compliant, ensuring your data is entirely destroyed – with no forensic trail left behind.
When using security software, ensure that it is not only vetted but certified by standard-setting bodies. Utilizing up to date schemas and tools means nothing if they’re untrusted, so properly vet every single solution, from network switches to heuristic security firewalls, to ensure that your network remains compliant and effective.
Hopefully, this primer has helped you understand HIPAA and start on the road to compliance. While each section of these pieces could very well be 20-page dossier, this guide is the perfect ultimate primer – as long as you adhere to the advice within, you too can be HIPAA compliant.