How Life Sciences Firms Can Meet HIPAA Title II Compliance Standards
When the Health Insurance Portability and Accountability Act (HIPAA) was established in 1996, there were no smartphones or wirelessly connected medical devices, and very few care providers stored electronic protected health information (ePHI). Today, however, communication systems let medical professionals access ePHI via laptop, tablet, or smartphone. Biometric data can be collected through wearable devices and shared with physicians or healthcare insurers. Some ailments are even treated over video conference. As all of this happens, hackers spare no effort to pilfer ePHI for their own gain. Now, more than ever, healthcare organizations must streamline methods that maintain compliance with Title II of HIPAA.
Here Are 13 Suggestions for Improving Your Company’s HIPAA Title II Compliance:
Access Controls and Authentication
The first set of recommendations is focused on securing your perimeter via automated tools, logging, and endpoint protection.
- All users must receive a unique username and password, and organizations must establish procedures that govern the access of ePHI as needed.
- Establish electronic controls to verify that health information has not been illicitly altered or destroyed.
Encryption and Decryption
- Encrypt (to NIST standards) any messages sent beyond internal firewalls, and decrypt these messages upon receipt.
Activity Audit Controls
- Log any attempted access to ePHI, and record any interaction with data during that access.
- Once a certain amount of time elapses, authorized personnel must be automatically logged off unattended devices used to access or transmit ePHI.
Procedures for Mobile Devices
- This physical safeguard mandates the implementation of procedures to clear ePHI from lost or stolen devices (for instance, through the use of mobile device management tools).
Policies, Procedures, and Employee Training
Once you have robust perimeter security tools in place, prioritize a review of your high-level security processes. Now is the time to update and formalize all cybersecurity policies, programs, and partners.
- Security officers must identify any areas where ePHI is in use, and identify all ways that ePHI could be breached in a formal risk assessment.
Risk Management Policy
- Conduct risk assessments regularly to identify risks and track current measures used to manage risks.
Employee Security Training
- Formal, well-documented training sessions must review policies and procedures pertaining to ePHI, and the identification of malware.
- Create a formal contingency plan with the aim of facilitating uptime for critical processes and protecting ePHI during an incident.
Contingency Plan Testing
- Test the plan periodically to assess the criticality of certain applications, and test backups of lost ePHI in an emergency event.
Restricting Third-Party Access
- Bar unauthorized third parties (parent organizations, unauthorized vendors) from ePHI access.
Reporting Security Incidents
- Provide a framework to report security incidents (not necessarily breaches) so that all employees know how and when to report an incident, and can take actions to prevent future breaches related to incidents.
Complying with HIPAA’s technical and administrative rules requires complete visibility into all information systems. Achieving this calls for a security operations center staffed with dedicated security engineers, who can not only establish baseline security configurations that comply with HIPAA, but can also monitor your network around the clock for noncompliant or suspicious behavior. One of the most efficient means of doing so is by utilizing a Security Operations Center. SOC-as-a-Service provides an affordable hub for network monitoring and reporting, and can greatly improve your business' ability to meet HIPAA requirements. For more information about HIPAA Title II and other compliance frameworks, reach out to iCorps for a free IT consultation.