HIPAA

HIPAA compliance audits consist of a never-ending cycle of risk, compliance, and monitoring. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule provides not only that you are compliant but that your vendors meet compliance standards as well. HIPAA compliance audits chomp away at your employees’ time just as the Hungry Hungry Hippos in the childhood game devour marbles.

Just as winning a game of Hungry Hungry Hippos means being the fastest player, winning at hungry hungry HIPAA means saving time and corporate resources.

What is HIPAA?

HIPAA was enacted in 1996 to protect information as people moved from one job to another. The US Department of Health and Human Services (HHS) additionally enacted the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”  

In 2005, the HIPAA Security Rule focused on electronically stored PHI (ePHI). This created three types of compliance safeguards. “Administrative safeguards” refers to policies and procedures that show compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards incorporate communications transmitting PHI electronically over open networks.

Why is HIPAA Compliance Important?

Many companies initially assumed that HIPAA was merely a suggestion, so HHS created the Enforcement Rule. This was the first foray into imposing civil money penalties for HIPAA violations.The Enforcement Rule was reinforced by the 2009 HITECH Act, which created four violation categories and four corresponding tiers of penalty with minimums and maximums for violations. Penalties range from $10,000 per violation to $50,000 per violation based on tiered structure. The Office for Civil Rights (OCR) enforces the Privacy and Security Rules by investigating complaints, conducting compliance reviews, and performing education and outreach to help organizations comply.

In the first six months of 2017, 1,996 breaches impacted over 5.5 million individuals. While laptop theft was the biggest reason for these breaches, the greatest vulnerability came from hacking or IT incidents.

What Can I Do To Get Compliant?

Risk assessments are your first step to HIPAA compliance. The risk assessment helps determine the locations of greatest vulnerability. As a first step to HIPAA compliance, go to the Security Risk Assessment Tool created by the Office of the National Coordinator for Health Information Technology. Answering the 156 questions can help you identify your biggest risks.

The Security Risk Assessment (SRA) Tool is a useful but time-consuming first step. Since the insights are stored on Excel spreadsheets, the tool makes it more difficult to scale your business. Spreadsheets can be useful for initial compliance tasks but rapidly become overwhelming. The marbles in Hungry Hungry Hippos quickly become scattered and chaotic in the same way compliance documentation does when done on spreadsheets. Sharing across spreadsheets can leave information stranded between stakeholders.

What Documentation Supports HIPAA Compliance Audits?

Under the Phase 2 HIPAA Audit Program, covered entities as well as their business associates must prove documentation through policies and procedures. According to the OCR HIPAA audits procedure, the examination includes a review of standards and implementation specifications for the Privacy, Security, and Breach Notification Rules.

Privacy Rule Documentation

Your auditor will request copies of business associate contracts, business associate compliance assurances, patient confidentiality forms, confidential communications requests, disclosures, whistleblower policies, group healthcare documentation, procedures and policies for PHI use, patient authorization forms (including patient intake consent forms), a directory of people with access to the facility, as well as policies and procedures for protecting information in accordance with other laws. In addition, HIPAA compliance audits require documentation of record retention.

Security Rule Documentation

Security Rule audit documentation is the most important and also the most difficult to bring together in one place. HIPAA’s Security Rule requires organizations to show adherence to technical information systems standards. This is area where the Health Information Technology for Economic and Clinical Health (HITECH) Act overlaps with HIPAA.

Importance of Risk Assessment

HIPAA auditors consider the size of the business, technical infrastructure (hardware and software), costs of security measures, and the probability and criticality of each potential risk to PHI. For this reason, your auditor will require a risk assessment and review whether you thoroughly assess the potential risks and vulnerabilities to confidentiality for both PHI and ePHI. This risk assessment needs to show documentation of not only review but also reasonable and appropriate levels of risk mitigation.  

Physical Security

Physical security remains a large part of HIPAA compliance audits, requiring a review of physical locations in which information is stored as well as the people who have access to these locations. This review requires documentation of visitors’ access to facilities. Physical security also evaluates who accesses workstations and moves hardware/software that can contain ePHI.

Information System Security

To prove compliance with HIPAA’s Security Rule, you need to provide policies and procedures related to prevention, detection, containment, and correction of security violations. Moreover, your auditor will ask not only to review policies regarding employee sanctions but also whether any sanctions were handled within the boundaries of those procedures.

To prove compliance with your internal policies and procedures, your auditor will ask for information systems records including audit logs, access reports, and security incident tracking reports. The access reports need to document that each workforce member’s access to PHI is limited to only the information necessary to complete their jobs and procedures upon job termination. This means that your organization’s HIPAA compliance audit documentation must include clear definitions of the ePHI access that is appropriate for each job level.
You’ll need to provide documentation of encryption levels while showing when sessions time out due to inactivity. This will include screenshots as well as system settings to prove implementation of an automatic logoff. This also includes ensuring business associates and group health plan providers appropriately comply with HIPAA and HITECH ePHI requirements.

Finally, your auditor will request training logs to ensure your employees receive ongoing security awareness education.

Record Retention

Part of any audit is ensuring that companies retain information for the required six years. For HIPAA compliance audits, however, this retention can impact a patient’s healthcare. Therefore, you will be required to provide proof of retention and retrieval.

Disaster Recovery Protocols

The last step in the Security Rule review of HIPAA compliance audits segues into Breach Notification. Before clearing an organization under the Security Rule, auditors need to ensure that you have appropriate malicious software protection and documentation of monitoring, including login procedures, employees engaged in reviewing login attempts, and password guidelines.

Finally, your Security Rule audit will require documentation of your disaster plan recovery, including but not limited to data recovery, critical business process continuity, and testing of the plans.

Audit Documentation

HIPAA compliance audits require that documentation of policies and procedures is reviewed periodically. This can be internal as well as the required external audit.

Breach Notification Rule

You will be required not only to provide documentation of policies and procedures, but also to give your auditor copies of any complaints and dispositions of those complaints. This includes documentation of any sanctions against workforce members for failing to comply, as well as proof that your organization did not retaliate against those exercising their whistleblower rights.
Moreover, your organization will be required to give documentation proving that your risk assessments were completed in accordance with the law.

The Breach Rule requires notification of those impacted by a data event. Generally, the documentation required will be a list of all breaches involving 500 or more individuals and provide copies of the notifications, including those sent to the Secretary as well as everyone impacted by a data breach from a business associate. You will need to prove timeliness and appropriate language used.

How Automation Can Help You Win At Hungry Hungry HIPAA Compliance Audits

With the overwhelming amount of documentation required for a successful HIPAA compliance audit, preparing for one can feel chaotic. Anyone who ever played Hungry Hungry Hippos as a child remembers the frenetic experience of randomly pushing the levers, hoping to gobble up the most marbles to win.
The HHS Office of the Inspector General (OIG) offers a guideline that discusses all the parties involved in your compliance efforts, from your employees to your Board of Directors. Automation helps you better communicate across your organization’s various stakeholders, providing them with the right information for their needs.  

A HIPAA compliance audit is similar in that an audit management software that provides a single source of truth can help you save time. Saving time saves money because your employees can focus on securing your environment.
With an automation tool like ZenGRC, you can monitor your compliance while storing all your necessary documentation in one place.
ZenGRC’s compliance management software provides a risk dashboard that gives insight into the effectiveness of your ongoing monitoring so that you can meet internal audit standards.

To schedule a demo and become the hungriest HIPAA compliant organization, contact ZenGRC.
 

Just when you figured out how to negotiate the “business entity” definition, Congress hit you with the Omnibus rule. Thanks to the Health Information Trust Alliance (HITRUST), the HITRUST Framework helps HIPAA and vendor management which had suddenly become “a thing.” Managing patient health information (PHI) feels like gathering evidence from a crime scene.
 
Anyone who remembers the O.J. Simpson trial remembers the infamous bloody fingerprint. The sample of O.J. Simpson’s blood went missing during the police investigation. Only 6 ml of the 8 ml of the blood drawn from Simpson was accounted for, causing people to suspect evidence was planted. While HIPAA may not be as exciting as a high speed car chase, tracking your chain of evidence—or in compliance speak, chain of trust—matters.

What is PHI?

 
PHI incorporates multiple types of information available to health providers. When looking at the ways that the HITRUST Framework helps HIPAA and vendor management, the first thing to do is to learn the various terms under this umbrella.

Health Information

“Health information” encompasses information created or received by a health care provider, health plan public health authority, employer life insurer, school or university, or healthcare clearinghouse. This information can relate to past, present, or future physical health, mental health, or condition of any individual. In easy terms, this covers all the information a patient gives to health care workers when admitted to a health care office or facility.
 

Individually Identifiable Health Information

“Individually identifiable health information” includes any demographic information that can be linked back to the patient. In other words, this may not be specific to the condition but is part of the history and clearly identifies the individual or can be used to identify the individual. For example, this not only includes name, address, and social security number, but may also include date of birth, zip code, or county location. If the information can be traced back to a specific individual, not just a population, then it falls under this umbrella.
 

Protected Health Information

“Protected health information” means any individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media. The kicker here is that the definition of PHI excludes education records protected by the Family Educational Rights and Privacy Act, records described in 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer. In other words, when records are protected under educational or employment law, that overrides HIPAA.
 

What exactly does “business associate” mean?

 
While “business associate” may conjure up Marlon Brando in The Godfather obliquely referring to gangsters, it isn’t quite that exciting under HIPAA.
 
According to HIPAA, a business associate is a person or entity, other than a member of a covered entity’s workforce, who performs functions or activities on behalf of, or provides services to, a covered entity that accesses protected health information.
 
In regular business terms, a business associate is a vendor who somehow, by virtue of their role as a partner, comes into contact with the kind of information that needs to be protected.
 
For example, this could be a cloud storage vendor or a cleaning service working around files. Most likely, it won’t be a plumber.

How does a health information exchange fit into this??

Health information exchange is one of those IT terms that has a variety of meanings. Generally, it’s the back and forth digital information sharing that takes place between providers. In some places, it refers to the larger concept of general information movement between stakeholders. When it comes to the ways the HITRUST Framework helps HIPAA and vendor management, the term can also be used to refer to the organization or entity that aids in information movement.
 
This means that the phrase “health information exchange” can refer to the vendors handling your patient data. Ultimately, vetting these vendors is critically important because of the overall safety concerns that come with this information.

What is a chain of trust partner agreement?

Unfortunately, or maybe fortunately if you’ve had the experience of living with a toddler, the chain of trust partnership isn’t about working with Thomas and his Very Useful Crew. HIPAA and vendor management is similar to other forms of vendor monitoring but feels even more invasive, particularly if you’re the vendor.
 
Working with vendors under HIPAA means having to trust them with not just your own information but also the information your clients entrust to you. This means that while you may not need to be SOC compliant and complete an SSAE 18 review, you do need to understand the way in which your vendors interact with information and monitor their information security measures.
 
Think of a chain of trust partner agreement as a written trust fall exercise. In corporate trainings, there used to be “trust falls.” Two people stand together in a line, one falls down backward, and the second person catches them. Now, imagine this as people set up like a series of dominoes, one after another after another. The first person falls onto the second, who falls onto the third, until you get to the last person. Each person needs to be strong enough to ensure the person in front doesn’t fall, even with the added weight of the people before them.
 
A chain of trust agreement is the adult, contractual version of this. The business entity at the top of the chain contracts with its vendor. This relationship is covered by the contract between those two. However, that vendor may want to have vendors for itself. This means that despite having  the degrees of separation from the original business entity, these vendors are also related to the business entity through their work with the other vendors.
 
To put it graphically:
 
Business Entity → Contract with Vendor A → Contract with Subvender 1 → Contract with Subsubvendor !
 
Now, Subsubvendor !, by virtue of its relationship with Subvendor 1, which has a relationship with Vendor A, is also related to the Business Entity. As such, even though Subsubvender ! may have nothing to do with health care, that entity is now responsible for the privacy interests of HIPAA and and the risk management involved.
 

How the HITRUST Framework helps HIPAA and vendor management by mitigating the impact to your business

If your organization is anywhere in the stream of a business entity, this means that you’re going to need to determine how to be HIPAA compliant.
Many of the HIPAA compliance requirements can be found in other frameworks governing information systems such as NIST, ISO, and FISMA. However, if you’re already implementing HIPAA or planning to in the future, you want to consider possible gaps.

If you really want to be HIPAA compliance, the HITRUST Cybersecurity Framework (HITRUST CSF) is your safest bet. The HIPAA Security Rule is based on administrative, technical, and physical safeguards as well as organizational requirements such as policies, procedures, and documentation.

The HITRUST CSF is based on the HIPAA Security Rule but also incorporates specific controls within a common security framework that specifically addresses information security concerns. This compliance framework incorporates 14 control categories, 49 objectives, and 149 total control specifications. The prescriptive and scalable HITRUST CSF helps create a system of access control to protect PHI.

If you’re using spreadsheets, this becomes overwhelming quickly. Trying to cross reference multiple standards takes manpower and hours. Tying up these valuable resources on a single task may seem cost inefficient.

How GRC Automation overlaps with the way the HITRUST Framework helps HIPAA and vendor management pain

HIPAA compliance can feel overwhelming. The potential for civil and criminal penalties can scare organizations away from incorporating HIPAA as part of their compliance program which, in turn, can lead to lost revenue.
 
With ZenGRC, you can visualize compliance gaps to determine the additional work necessary to be compliant. As you map controls to a particular standard or framework, ZenGRC allows you to map that control to other standards or frameworks that it satisfies.

The first step in the successful implementation of the HITRUST CSF is to engage in a CSF Self-Assessment with the help of a CSF assessor. CSF assessors are consulting firms that  HITRUST approved to perform the assessment. Using this information, you can gauge your system and regulatory requirements to help determine your risk and scope.

Suppose that you are currently ISO 27001 compliant. One of your controls is a firewall. If you choose to incorporate PCI DSS compliance, a firewall is also an accepted control. Once you set up your controls in ZenGRC, it automatically maps current controls to new standards as you add them. This means that your ISO 27001 controls will be mapped to your new PCI DSS compliance framework. All you need to do now is determine what additional controls you need to incorporate.

If you then choose to implement the HITRUST CSF, you can run a gap analysis to determine the additional work necessary to be compliant.
Not only does this make incorporating new standards into your overall landscape easier, it also means that you can expand your business into revenue streams that seemed too onerous before.
 
Automation offers companies the ability to expand their business offerings more easily. When compliance offers a barrier, automation can be the battering ram.
 
To read more about how automation can establish better business practices, read our eBook, “Compliance Management Best Practices: When Will Excel Crush You?”

If your business deals with healthcare providers or healthcare data, chances are you’ve heard of the Health Insurance Portability and Accountability Act, or HIPAA. If you have to be HIPAA compliant, here are some easy ways to get started.

1. Learn the Basics.

The US Department of Health and Human Services (HHS) is responsible for HIPAA administration, and they publish a great resource called “HIPAA for Professionals”. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) added additional controls that intended to promote the use of technology. With this in mind, it’s important that the HIPAA security officer understand the security standards for which they are responsible. 

2. Identify Who You Are

• Covered Entity: Covered entities are defined as one of the following:  Health Care Providers (such as a dentist, pharmacy, or other medical practice),  Health Plans (such as a health insurance company), or Health Care Clearinghouses (an entity that processes health information from one format to another, such as a transcriptionist who performs data entry of a doctor’s notes or a company processing paper records into an electronic format).
  • As a Covered Entity, compliance is your responsibility, so you’ll need to figure out how to implement appropriate controls.
  • As a Covered Entity, compliance is your responsibility, so you’ll need to figure out how to implement appropriate controls.
• Business Associate: If you do business with or on behalf of a covered entity and you handle protected health information (PHI), they will require that you sign a Business Associate Agreement (BAA). Business associate agreements are legally binding contracts that obligate you to meet some or all of the mandates of HIPAA as a business partner.
  • As a Business Associate, you’ll be required to engage in a risk assessment and implement the needed access control as specified by the covered entity you’re doing business with.
  • As a Business Associate, you’ll be required to engage in a risk assessment and implement the needed access control as specified by the covered entity you’re doing business with.

3. Identify the Rules:

• HIPAA Security Rule, which provides requirements for security, confidentiality, integrity, and availability of electronic protected health information (EPHI). Under the HIPAA security rule, security measures include technical safeguards  and physical safeguards. 
• HIPAA Privacy Rule, which provides requirements for preventing unauthorized disclosure of electronic health information.
• HIPAA Breach Notification Rule, which requires that you provide notification in the event of a data breach. You’ll most likely need a process and capability to notify the subjects in the event of any security incidents (the individuals whose data was subject of theft), as well as HHS. 

4. Identify controls:

• NIST Special Publication 800-66, which provides a detailed roadmap of controls for HIPAA compliance. These controls are pulled from NIST Special Publication 800-53, which provides a comprehensive information security control library.
• NIST SP 800-53 contains a crosswalk of its controls against the ISO 27002 framework. If you’ve implemented ISO controls, you can leverage some of your existing work to jumpstart your HIPAA compliance effort.
• The HITRUST Alliance, a consortium of healthcare and technology companies, has created the Common Security Framework (CSF). This is a rationalized set of controls which can be used to satisfy multiple compliance regimes, including HIPAA and SOC 2.

HIPAA compliance can be complicated, but utilizing a compliance tool like ZenGRC eases the risk analysis and audit controls burden . ZenGRC comes pre-loaded with content for NIST 800-53, ISO 27001/27002, and the HITRUST CSF. It also contains consolidated content to help map the gaps between your existing programs and new requirements related to HIPAA.