Everyone in the data privacy world has heard of HIPAA, and the term is often used to explain how and why sensitive information is protected from release to second and third parties.
But HIPAA — which stands for the Health Insurance Portability and Accountability Act — has changed several times since it was first enacted in 1996. That means requirements for HIPAA compliance have changed too.
For instance, when the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009, it expanded HIPAA’s reach to a base well beyond health care organizations and physician groups. HITECH made HIPAA compliance a nearly ubiquitous obligation that now also applies to Software-as-a-Service (SaaS) platforms and many others. Let’s take a look at how you can make sure you are in HIPAA compliance at all times.
HIPAA Compliance Management, and a Little HIPAA History
Congress enacted HIPAA to protect private health information when people changed jobs and were forced to apply for new health insurance. The U.S. Department of Health and Human Services (HHS) adopted the Privacy Rule in 2003 and defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
In 2005 the HIPAA Security Rule updated the regulation, focusing on electronically stored PHI (ePHI). The updated regulation incorporated three new areas of compliance, two of which affect IT departments:
- Administrative safeguards, which refer to the policies and procedures that demonstrate HIPAA compliance and document that HIPAA policies are followed.
- Physical safeguards, which include controlling access to the areas where data is stored.
- Technical safeguards, which cover communications that transmit PHI electronically over open networks.
Who Needs to Be HIPAA Compliant?
Anyone who looks at, handles, transfers, or even occasionally comes into contact with ePHI and PHI should be HIPAA-compliant. Healthcare providers, such as doctors and nurses, and covered entities like health plans and healthcare clearinghouses obviously must comply with a healthcare-related IT regulation since HIPAA regulations are written especially for the healthcare industry.
HITECH, however, cast a wider net by introducing “business associates.” Business associates include any person or entity that involves the use of or disclosure of protected health information as part of the service they provide.
These are examples of business associates that also must follow HIPAA privacy rules:
- An audit firm doing compliance work for a healthcare provider that has to be HIPAA compliant must also be HIPAA compliant.
- A SaaS software provider processing payments for a doctor’s office must also be HIPAA compliant.
- Human resource platforms must also be compliant, since they help HR manage a company’s healthcare program.
What Are the Consequences of Violating HIPAA?
HIPAA violations are serious crimes, punishable by fines and even jail time if a business has slipped into non-compliance or simply neglects to follow HIPAA compliance requirements.
In 2020, Premera Blue Cross paid a $6.85 million settlement and Aetna paid a $1 million settlement. Individual providers were fined anywhere from $3,500 to $160,00 according to this list in HIPAA Journal.
Depending on what type of exposure happened, a business may be required to send out a breach notification not just to its customers, but also to the media. That sort of disclosure may cause serious damage to a business’s reputation.
The Office for Civil Rights (OCR), a unit of the Department of Health and Human Services, enforces the Privacy and Security Rules. HHS updated the Enforcement Rule between 1996 and 2009; the HITECH Act then strengthened HIPAA and consolidated the rules under the Omnibus Act.
Why You Need Continuous Monitoring
HIPAA requires that you perform an initial risk assessment, and also maintain and properly update a continuous risk analysis process. Here are some guidelines issued by the Department of Health and Human Services (HHS):
- Covered entities must perform risk analysis as part of their security risk management processes.
- The type of risk analysis applied differs from business to business, as does the selection of appropriate security measures.
- A risk analysis process may include the following activities:
  - Evaluate the likelihood of a data breach and the effect of potential risks if e-PHI is exposed.
  - Implement appropriate security measures, such as stringent access control and HIPAA compliance software, to address the risks identified by the risk analysis.
  - Document the chosen security measures and, where required, the rationale for adopting those measures.
  - Maintain continuous, reasonable, and appropriate security protections. Most often this is done by using some type of risk management software.
- Effective risk analysis is an ongoing process, in which the covered entity regularly reviews its records, tracks access to e-PHI, and continuously watches for security incidents.
- A HIPAA-compliant business must also periodically evaluate the effectiveness of the security measures put in place.
Point-in-time risk evaluations no longer protect your data environment. As cyber criminals develop new attack methods, it’s important to keep your data security defenses current.
How Maintaining a Continuous Compliance Program Enables Risk Management
Today, risk management is more than simply filling out questionnaires. Controls can become outdated in the blink of an eye. Whether it’s a previously unknown vulnerability (“zero day attack”) or malware, new threats arise constantly. Continuous monitoring allows you to see into the risks threatening your data, but that’s just the first step.
Continuous compliance requires you to address new risks as soon as possible. HHS outlines the requirement for compliance as distinct from monitoring.
For example, as part of your monitoring program, you may find that a piece of software hasn’t been updated with the most recent patch. If you do nothing to fix the problem, you’re continuously monitoring your environment but not maintaining continuous HIPAA compliance.
In other words, you are identifying risks to your environment but you’re not managing them and you have no plan for remediation in case you do suffer a data breach. Those are two essential tasks of a modern risk management and compliance program.
How to Integrate Continuous Audit Into Your HIPAA Risk Management Program
If you’re taking a security-first approach to cybersecurity compliance, then you’re not only monitoring risks but mitigating them as fast as possible. You have updated remediation plans ready for any imaginable attack — and you are constantly looking to update them. This approach also means that you can show your actions, in case your HIPAA compliance is challenged by authorities or business associates.
Proving your compliance is where your continuous auditing program comes in handy. Internal and external auditors need documentation that shows the processes you apply to monitoring and compliance. Assuring a successful audit outcome requires documents that show you’re finding risks and mitigating them rapidly.
Automated tools help you connect two things: the continuous monitoring of a security-first approach to compliance, and the documentation required to support an audit of your controls and procedures. Finding the right automated tool enables a faster, more efficient integration of monitoring, complying, and auditing your security stance.
How ZenGRC Eases the Burden of HIPAA Risk Management
ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate email follow-ups while tracking outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability helps organizations ensure the consistency that leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls completed and the portion of controls mapped to a particular framework.
ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s many vendors.
GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs; it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.