If you’ve been around the IT business world, there’s an increasing likelihood that you’ve run across the term HIPAA or HIPAA Compliant. Previously I wrote about how the healthcare IT niche is rapidly growing into the “next big thing” for MSPs. I also spoke about understanding the basics of HIPAA on a podcast episode with Nate Teplow. Now, I’d like to explore exactly what it means to be HIPAA compliant.
So what does this have to do with IT professionals?
First, some definitions.
HIPAA (not HIPPA) is the Health Insurance Portability and Accountability Act. It was enacted on August 21, 1996 and signed into law by President Bill Clinton. If you were in the “working world” around that time you may recall the media coverage about how important it was that workers be able to carry their employer-paid insurance after separation of employment, at the employee's cost.
Along with health insurance portability, the law also created regulations to protect patient privacy. This patient information is usually referred to as PHI (Protected Health Information) or ePHI (Electronic Protected Health Information). You may even see it referred to as IIHI (Individually Identifiable Health Information).
PHI includes any IIHI that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. In order to effectively protect PHI in electronic format, it is imperative that IT professionals understand what and who HIPAA pertains to.
Now that we know what all these acronyms mean, let’s figure out if any of this actually applies to you…
Does HIPAA Apply To My Business?
HIPAA applies to two particular types of entities or businesses. One is called a Covered Entity and the other is called a Business Associate.
For the sake of keeping the article from turning into a long (and boring) lesson on HIPAA, let’s just jump to the meat of it. IT professionals who create, maintain, transmit or receive ePHI or PHI for a Covered Entity or another Business Associate are considered Business Associates by definition and are thereby legally bound by the governmental regulations we call HIPAA. In addition to being bound by the regulations, Business Associates now also carry the same liabilities and penalties under HIPAA as Covered Entities, due to the changes in the law called the Omnibus Rule of 2013.
The first thing any IT professional should completely understand is that doing IT work for a Covered Entity or Business Associate WILL ALMOST CERTAINLY REQUIRE YOUR BUSINESS TO ALSO BE HIPAA COMPLIANT.
So, what does this mean?
To dispel one of the myths of HIPAA compliance, let me point out that signing what’s called a Business Associate Agreement DOES NOT make you HIPAA compliant, although it is part of the compliance requirements. In like manner, using something that is HIPAA compliant DOES NOT inherently pass down that compliance to you.
In order for your business to be HIPAA compliant, there are a number of things that must be done. Let’s take a look at a high level overview of what most of these requirements are.
First and foremost, you must conduct a Security Risk Assessment of your business. This is the same first step no matter who you are. The primary purpose of this assessment is to determine how information or ePHI is created, maintained, received and transmitted in your business.
Wait… you say you don’t have access to ePHI? As an IT professional, doing work on a business network likely requires that you have administrative access to their systems. You may also have remote access. HIPAA doesn’t care if you “can’t” access the protected data… just that you HAVE access to it. Even if the data is encrypted and there’s almost no way for you to actually see it, that doesn’t matter.
So, with that in mind, let’s look at some common ways you may “touch” this data and not realize it at the moment:
- Backup / Restore Services – are you backing up data that contains ePHI? Backup is a common service that IT professionals sell: configuring the backups, having access to the backups and performing restores. Do you store the backups in-house? Where does the data go?
- Remote Support – if your business provides remote support then you will almost certainly log in to help a customer and see the data on their screen.
- Onsite Support – do you have administrative rights to workstations, servers, etc.?
As you can see, with just a few examples, it’s very probable that your business will “touch” ePHI or in some way be exposed to it.
After the security risk assessment, the next step is to use the data gathered in the assessment to create a risk management plan. This is the step where you mitigate all of the issues that were discovered in the assessment.
The Safeguards of HIPAA
Though HIPAA is designed to ensure protection of privacy, a large part of this requires a lot of policies, procedures and continual documentation.
After the risk management process comes the part where your business must develop the policies and procedures that HIPAA requires. These are all part of the section of HIPAA known as the Security Rule. The Security Rule is broken down into three subsections: Administrative Safeguards, Physical Safeguards and Technical Safeguards.
Disclaimer – There are many more rules and much more to the regulation. We are just focusing on the Security Rule here.
As a very basic guide, I’ll list the requirements of all three Safeguards here. Administrative Safeguards are comprised of (but not limited to) the following:
- Security Management Process
  - Risk Analysis (Required)
  - Risk Management (Required)
  - Sanction Policy (Required)
  - Information System Activity Review (Required)
- Assigned Security Responsibility
- Workforce Security
  - Authorization and/or Supervision (Addressable)
  - Workforce Clearance Procedure (Addressable)
  - Termination Procedures (Addressable)
- Information Access Management
  - Isolating Health Care Clearinghouse Functions (Required)
  - Access Authorization (Addressable)
  - Access Establishment and Modification (Addressable)
- Security Awareness and Training
  - Security Reminders (Addressable)
  - Protection from Malicious Software (Addressable)
  - Log-in Monitoring (Addressable)
  - Password Management (Addressable)
- Security Incident Procedures
  - Response and Reporting (Required)
- Contingency Plan
  - Data Backup Plan (Required)
  - Disaster Recovery Plan (Required)
  - Emergency Mode Operation Plan (Required)
  - Testing and Revision Procedures (Addressable)
  - Applications and Data Criticality Analysis (Addressable)
- Business Associate Contracts and Other Arrangements
Physical Safeguards are comprised of the following:
- Facility Access Controls
  - Contingency Operations (Addressable)
  - Facility Security Plan (Addressable)
  - Access Control and Validation Procedures (Addressable)
  - Maintenance Records (Addressable)
- Workstation Use
- Workstation Security
- Device and Media Controls
  - Disposal (Required)
  - Media Re-Use (Required)
  - Accountability (Addressable)
  - Data Backup and Storage (Addressable)
Technical Safeguards are comprised of (but not limited to) the following:
- Access Control
  - Unique User Identification (Required)
  - Emergency Access Procedure (Required)
  - Automatic Logoff (Addressable)
  - Encryption and Decryption (Addressable)
- Audit Controls
- Person or Entity Authentication
- Transmission Security
  - Integrity Controls (Addressable)
  - Encryption (Addressable)
As an IT professional, you will probably have no problems at all with the Technical Safeguards. The Technical Safeguards are best practices in using technology to protect data and systems. Regardless of the type of client, these safeguards should be part of your business policy for every client, not just those bound by HIPAA.
Looking at the Physical Safeguards, it’s easy to see that these deal with the things you can do physically to protect data and systems.
Administrative Safeguards may look a bit confusing because they are written to cover all HIPAA entity types. Therefore, there will be parts of the Administrative Safeguards that will not apply to you (for example, Isolating Health Care Clearinghouse Functions).
Notice also that the elements are listed as Required or Addressable. Required elements are just that… required. Addressable does not mean optional: it means that you must address the element and document what you are going to do to satisfy it. An example of this might be termination procedures. Let’s say you are a solo-preneur and there are no employees to terminate. That doesn’t mean that you skip over this element; you still must address it in your policies and procedures.
Document, Document, Document
Remember, compliance is largely documentation and following that documentation. As one HIPAA compliance expert once told me, “HIPAA requires three primary actions: document what you’re going to do, document what you’re doing and document what you did.” I like to say, if it’s not documented, it didn’t happen.
Sometimes, we joke in this niche that you need to document that you documented everything.
There have been recent, severe fines levied against entities for simply not having a policy OR having a policy and not following it.
A recent study shows that Business Associates (that would be the category MSPs and IT Pros are in) make up more than 60% of the breaches that have occurred historically. This means that the biggest risk of a breach for healthcare providers actually comes from their Business Associates.
In addition to the Security Rule, there are also other rules that must be learned… the Privacy Rule and Breach Rule.
If all of this sounds overwhelming, you are not alone. Most IT professionals I speak with typically take one of three paths. Some choose to take the path of ignoring HIPAA and trying to rationalize that it doesn’t apply to them. They are taking a HUGE risk in continuing to service HIPAA Covered Entities and Business Associates.
Another choice I see is IT professionals deciding that dealing with HIPAA and taking on the massive liabilities is simply not worth it to them. They choose to not take on any clients that are bound by HIPAA.
Lastly, I see IT professionals who want to work with or continue to work with customers who are bound by HIPAA. They can choose to try to do all of this work themselves or get help. Obviously, I’m a huge fan of HIPAAforMSPs.com as this resource was built for this exact problem facing IT professionals and MSPs.
Make sure you choose the path to either get all in or choose the path to get all out. HIPAA is not to be taken lightly and the penalties and fines are SEVERE. One violation can put you out of business or worse.
So, what does it mean to be HIPAA compliant as an IT professional?
It means that you have done the work to satisfy the elements of the Security Rule, you have policies and procedures in place to address the elements, you are knowledgeable in HIPAA as it applies to your business, you document everything and keep this documentation, you create an ongoing training program and you create a culture of compliance within your business. HIPAA is not a one-and-done checklist. HIPAA is a continual process, a way of conducting business with those who are also bound by HIPAA compliance.
The landscape of HIPAA compliance is rapidly changing around the country. Although HIPAA has been around for some time, the actual opportunities for getting into this niche are still very new.
In Real Estate, the saying is that the most important thing is location, location, location. In business the most important thing is differentiate, differentiate, differentiate.
If you are interested in becoming HIPAA compliant and staying HIPAA compliant, I think it’s very much worth the hard work. It may well be the differentiation your business needs to set it apart from the crowd. Go ahead… You can do it!