The Health Information Technology for Economic and Clinical Health Act (HITECH) applied the Health Insurance Portability and Accountability Act (HIPAA) to a wider array of organizations. By extending HIPAA’s reach to a much broader set of businesses, HITECH made HIPAA compliance nearly ubiquitous. Whether you’re a doctor’s office or a Software-as-a-Service platform, you need to understand how to manage your HIPAA compliance.
HIPAA Compliance Management
What is HIPAA?
Congress enacted HIPAA in 1996 as a way to protect health information when people changed jobs. The US Department of Health and Human Services (HHS) passed the Privacy Rule in 2003 and defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
Two years later, in 2005, the HIPAA Security Rule updated the regulation, focusing on electronically stored PHI (ePHI). The updated regulation incorporated three new areas of compliance, two of which impact IT departments. “Administrative safeguards” refers to the policies and procedures that demonstrate compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards cover the electronic transmission of PHI over open networks.
Who Needs to be HIPAA Compliant?
Anyone who looks at, handles, transfers, or even sniffs at ePHI and PHI should be compliant. Healthcare providers, such as doctors and nurses, and covered entities, such as health plans and healthcare clearinghouses, make sense under a healthcare-related IT regulation since they specifically work in medical fields.
However, HITECH cast a wider net by creating the idea of “business associates.” Business associates include any person or entity whose service involves the use or disclosure of protected health information.
In other words, if you’re an audit firm doing compliance work for anyone who needs to be HIPAA compliant, you also need to be HIPAA compliant. If you’re a Software-as-a-Service (SaaS) provider that helps enable payment processing, you need to be compliant. Even human resources platforms need to be compliant since they help HR manage a company’s healthcare program.
What are the consequences of violating HIPAA?
The Office for Civil Rights (OCR), a unit of the Department of Health and Human Services (HHS), enforces the Privacy and Security Rules. Although HHS updated the Enforcement Rule between 1996 and 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) strengthened HIPAA and consolidated the rules under the Omnibus Act. HIPAA violations can lead to hefty civil penalties or even jail time.
Why You Need Continuous Monitoring
As part of the Administrative Safeguards provisions in the Security Rule, HIPAA requires that you not only perform a risk assessment but also maintain a continuous risk analysis process. HHS explains:
Risk Analysis and Management
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI;
- Implement appropriate security measures to address the risks identified in the risk analysis;
- Document the chosen security measures and, where required, the rationale for adopting those measures; and
- Maintain continuous, reasonable, and appropriate security protections.
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.
Point-in-time risk evaluations no longer protect your data environment. As malicious actors evolve their attack methods, you need to monitor external threats all the time.
How Maintaining a Continuous Compliance Program Enables Risk Management
Today, risk management is more than simply filling out questionnaires. Controls can become outdated in the blink of an eye. Whether it’s a previously unknown vulnerability (a “zero-day”) or new malware, new threats arise constantly. Continuous monitoring gives you visibility into the risks threatening your data, but that’s only the first step.
Continuous compliance requires you to address new risks as soon as possible. HHS outlines the requirement for compliance as distinct from monitoring:
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
For example, as part of your monitoring program, you may find that you haven’t applied the most recent patch to a piece of software. If you do nothing to fix the problem, you’re continuously monitoring your environment but not maintaining continuous compliance. In other words, you’re finding risks to your environment but not managing them.
How to Integrate Continuous Audit into Your HIPAA Risk Management Program
If you’re taking a security-first approach to cybersecurity compliance, then you’re not only monitoring risks but mitigating them as fast as possible. This approach allows you to maintain data integrity, accessibility, and confidentiality, but to maintain HIPAA compliance you need to prove your actions.
Proving your compliance is where your continuous auditing program comes in handy. Your internal and external auditors need documentation that proves your monitoring and compliance. Interviews, while often used as part of the process, only verify that you meant well or thought you did something right. Ensuring a successful audit outcome requires documents that show you finding risks and mitigating them rapidly.
Automated tools help you connect the continuous monitoring of a security-first approach to compliance with the documentation required to support an audit of your controls and procedures. Finding the right automated tool enables a faster, more efficient integration of monitoring, complying, and auditing your security stance.
How ZenGRC Eases the Burden of HIPAA Risk Management
ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and the portion of controls mapped to a particular framework.
ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.
GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.