Everyone in the data privacy world has heard of HIPAA, and the term is often used to explain how, when, and why protected health information is protected from release to second and third parties.
But HIPAA — which stands for the Health Insurance Portability and Accountability Act — has changed several times since it was first enacted in 1996. That means requirements for HIPAA compliance have changed too.
For instance, when the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009, it expanded HIPAA’s reach well beyond healthcare organizations and physician groups. HITECH made HIPAA compliance a nearly ubiquitous obligation that now also applies to Software-as-a-Service (SaaS) platforms and many others. Let’s take a look at how you can make sure you are in HIPAA compliance at all times.
What is HIPAA Compliance Management?
Congress enacted HIPAA to protect private, protected health information when people changed jobs and were forced to apply for new health insurance. The U.S. Department of Health and Human Services (HHS) adopted the Privacy Rule in 2003 and defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
HIPAA History: Important HIPAA Dates to Remember
In 2005 the HIPAA Security Rule updated the regulation, focusing on electronically stored PHI or electronic protected health information (ePHI). The updated regulation incorporated three new areas of compliance, two of which affect IT departments:
- Administrative safeguards, which refer to policies and procedures that show HIPAA compliance and document that HIPAA policies are followed.
- Physical safeguards include controlling access to data storage areas.
- Technical safeguards incorporate communications transmitting PHI electronically over open networks.
Who Needs to Be HIPAA-Compliant?
Anyone who looks at, handles, transfers, or even occasionally comes into contact with ePHI and PHI (such as medical records) should be HIPAA-compliant. Healthcare operations and healthcare providers, such as doctors and nurses, and HIPAA-covered entities like health plans and healthcare clearinghouses obviously must comply with a healthcare-related IT regulation since HIPAA regulations are written especially for the healthcare industry.
HITECH, however, cast a wider net by introducing “business associates.” Business associates include any person or entity that involves the use of or disclosure of protected health information as part of the service they provide.
These are examples of business associates that also must follow HIPAA privacy rules:
- An audit firm that performs compliance work for a healthcare provider that has to be HIPAA compliant must also be HIPAA compliant.
- A SaaS software provider processing payments for a doctor’s office must also be HIPAA compliant.
- Human resource platforms must also be compliant since they help HR manage a company’s healthcare program.
What are the changes in HIPAA compliance for 2023?
New HIPAA Regulations in 2023
In 2023, it’s anticipated that new HIPAA regulations will emerge once the OCR releases the final rule concerning proposed amendments to the HIPAA Privacy Rule. Despite industry stakeholders pushing for multiple HIPAA updates in 2022, it’s improbable that other fresh HIPAA legislation will be introduced in 2023. Considering the significant proposed modifications to the Privacy Rule in 2022 and the resulting implications for entities governed by HIPAA, we don’t expect further notices on HIPAA revisions to surface in 2023.
What Are the Consequences of Violating HIPAA?
HIPAA violations are serious crimes punishable by fines and even jail time if a business has slipped into non-compliance or simply neglected to follow HIPAA compliance requirements or implementation specifications. HIPAA enforcement is a very serious process because privacy protection is a critical concern to individuals.
In 2020, Premera Blue Cross paid a $6.85 million settlement and Aetna paid a $1 million settlement. Individual providers were fined anywhere from $3,500 to $160,00 according to this list in HIPAA Journal.
Depending on what type of exposure happens, a business may be required to send a breach notification to its customers and the media. That sort of disclosure may cause serious damage to a business’s reputation. The required contents and timing of the disclosure are set out in the HIPAA Breach Notification Rule.
The Office for Civil Rights (OCR), a unit of the Department of Health and Human Services, enforces the Privacy and Security Rules. Although HHS updated the Enforcement Rule between 1996 and 2009, the HITECH Act strengthened HIPAA and consolidated the rules under the Omnibus Act.
Why You Need Continuous Monitoring for HIPAA Compliance
HIPAA requires that you perform an initial risk assessment and then maintain and properly update a continuous risk analysis process. Here are some guidelines issued by the Department of Health and Human Services (HHS):
- Covered entities must perform risk analysis as part of their security risk management processes.
- The type of risk analysis applied differs from business to business, as does a selection of appropriate security measures.
- A risk analysis process may include the following activities:
  - Evaluate the likelihood of a data breach and the effect of potential risks if ePHI is exposed.
  - Implement appropriate security measures, such as stringent access control and HIPAA compliance software, to address the risks identified by the risk analysis.
  - Document the chosen security measures and, where required, the rationale for adopting those measures. These documents can include the PHI disclosure policy, the notice of privacy practices, and other mandated records.
  - Maintain continuous, reasonable, and appropriate security protections. Most often this is done by using some type of risk management software.
- Effective risk analysis is an ongoing process in which the covered entity regularly reviews its records, tracks access to ePHI, and continuously watches for security incidents.
- A HIPAA-compliant business must also periodically evaluate the effectiveness of the security measures put in place.
Point-in-time risk evaluations no longer adequately protect your data environment. As cyber criminals refine their attack methods, you need to keep the defenses around your data up to date.
How Maintaining a Continuous Compliance Program Enables Risk Management
Today, risk management is more than simply filling out questionnaires. Controls can become outdated in the blink of an eye. Whether it’s a previously unknown vulnerability (“zero-day attack”) or malware, new threats arise constantly. Continuous monitoring allows you to see the risks threatening your data, but that’s just the first step.
Continuous compliance requires you to address new risks as soon as possible. HHS outlines the requirement for compliance as distinct from monitoring.
For example, as part of your monitoring program, you may find that you haven’t updated the software with the most recent patch. If you do nothing to fix the problem, you’re continuously monitoring your environment but not maintaining continuous HIPAA compliance.
In other words, you are identifying risks to your environment but you’re not managing them and you have no plan for remediation in case you do suffer a data breach. Those are two essential tasks of a modern risk management and compliance program.
How to Integrate Continuous Audit into Your HIPAA Risk Management Program
If you’re taking a security-first approach to cybersecurity compliance, then you’re not only monitoring risks but mitigating them as fast as possible. You have updated remediation plans ready for any imaginable attack — and you are constantly looking to update them. This approach also means that you can show your actions, in case your HIPAA compliance is challenged by authorities or business associates.
Proving your compliance is where your continuous auditing program comes in handy. Internal and external auditors need documentation that shows the processes you apply to monitoring and compliance. Assuring a successful audit outcome requires documents that show you’re finding risks and mitigating them rapidly.
Automated tools help you connect two things: the continuous monitoring of a security-first approach to compliance, and the documentation required to support an audit of your controls and procedures. Finding the right automated tool enables a faster, more efficient integration of monitoring, complying, and auditing your security stance.
How ZenGRC Eases the Burden of HIPAA Risk Management
ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability helps organizations to assure consistency which leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls completed and the portion of controls mapped to a particular framework.
ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s many vendors.
ZenGRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs; it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.