How to Become HIPAA Compliant

April 15, 2019

Key steps to achieve a future state of HIPAA compliance

Most people associate HIPAA with protected health information in a hospital or doctor's office setting. While protecting the integrity of patient data is critical in a literal medical setting, HIPAA IT compliance applies to a wide range of other settings in numerous industries and verticals. Many different types organizations that deal with sensitive healthcare data will have to become HIPAA compliant.

The compliance mandates are broken down into two key rules: the Security Rule and the Privacy Rule. For information technology and security, HIPAA compliance focuses on the Security Rule. The U.S. Department of Health & Human Services defines it: “The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.”

In essence, HIPAA determines how a patient's protected health information is used and disclosed. It stipulates administrative, physical and technical safeguards to make this happen. Here's the catch—HIPAA regulations, specifically the Security Rule, apply not just to hospitals or doctor's offices, but to any organization that interacts with electronic healthcare data. If you store, transmit or process PHI, you're responsible for compliance with HIPAA, period.2

And if your organization commits a HIPAA violation, the consequences are serious, including sizable fines and loss of business. The effort to ensure that your critical systems and data are HIPAA compliant is important for regulatory purposes, but that's just the beginning. Few businesses can afford the reputation damage a breach gone public can cause.

Realizing a HIPAA-compliant future

If your organization deals with healthcare data and has IT systems in the cloud — or is planning a move to the cloud — becoming HIPAA compliant is not negotiable. A good place to start is creating an execution list for moving toward a HIPAA-compliant future. A reputable cloud services provider (CSP) who can support HIPAA compliance is a valuable ally.

A quick list worth considering:

  1. Assess where you are now. A good risk assessment starts with creating a data inventory.
  2. Establish an incident response plan. An incident response team should be ready to enact your data breach response plan.
  3. Know your compliance requirements. If you are classified as a “covered entity,” are you in compliance with the requirements stipulated by HIPAA?
  4. Remember that CSPs are business associates too. The HIPAA Omnibus Rule makes it clear that they are directly responsible for complying with the HIPAA standards that apply to business associates. Make sure any CSP you work with signs a business associate agreement, and ask how the CSP handles data security and privacy.
  5. Put thought into your mobile device and BYOD polices. PHI can travel on smartphones, laptops, tablets and other mobile devices used by healthcare employees, contractors and vendors — devices that are subject to theft, loss and hacking.
  6. Invest in a cyber-insurance policy. These insurance plans are available either as a stand-alone or as an addendum or endorsement to an existing policy

An additional consideration is knowing where your organization's HIPAA responsibilities begin and end, which will depend on whether you host your critical infrastructure internally or in the cloud. If you have a CSP, it's essential to ask 1) what is required for your organization to be HIPAA compliant, and 2) which controls your team is responsible for. Not all CSPs have the same offerings when it comes to a HIPAA compliant cloud services.

Given the rate at which technology changes, HIPAA compliance is a living, breathing and ongoing effort on behalf of your organization and your CSP. A viable option for ensuring your business is fully covered is working with a cloud provider who offers professional, consultative services when it comes to HIPAA mandates. A knowledgeable partner will outline to your IT team which aspects of controls you're responsible for, and what they can take care of on your behalf.

Becoming and remaining HIPAA compliant

Whatever your methodology for achieving HIPAA compliance, including a strategy for remaining in compliance in order to stay audit-ready is key. In fact, the top two considerations for becoming and remaining HIPAA compliant are:

  1. Working with a trusted IT partner who has a proven track record with helping organizations in providing those services.
  2. Finding a trusted auditor to engage with early and often.

Do not go down one path without the other.

When you've solidified your HIPAA compliance strategy, particularly when working with a CSP, make sure that your team keepings all parties in communication. That will ensure that the solution developed protects your organization today — and well into the future. 

David Kidd, Flexential

David Kidd

Senior Vice President, Governance, Risk and Compliance

Complete the form to sign up for our blog.