How to become HIPAA compliant

Most people associate HIPAA with protected health information in a hospital or doctor's office setting. While protecting the integrity of patient data is critical in a literal medical setting, HIPAA IT compliance applies to a wide range of other settings in numerous industries and verticals. Many different types of organizations that deal with sensitive healthcare data will have to become HIPAA-compliant.

The compliance mandates are broken down into three key rules: the Security Rule, the Privacy Rule, and the Breach Notification Rule. For information technology and security, HIPAA compliance focuses on the Security Rule. The U.S. Department of Health & Human Services defines it: “The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. ”

In essence, HIPAA determines how a patient's protected health information is used and disclosed. It stipulates administrative, physical, and technical safeguards to make this happen. Here's the catch—HIPAA regulations, specifically the Security Rule, apply not just to hospitals or doctor's offices but to any organization that interacts with electronic healthcare data. If you store, transmit, or process PHI, you're responsible for HIPAA compliance.

And if your organization commits a HIPAA violation, the consequences are serious, including sizable fines and loss of business. The effort to ensure that your critical systems and data are HIPAA compliant is important for regulatory purposes, but that's just the beginning. Few businesses can afford the reputation damage a breach gone public can cause.

Realizing a HIPAA-compliant future

If your organization deals with healthcare data and has IT systems in the cloud — or is planning a move to the cloud — becoming HIPAA compliant is not negotiable. A good place to start is creating an execution list for moving toward a HIPAA-compliant future. A reputable cloud services provider (CSP) who can support HIPAA compliance is a valuable ally.

Here is a quick list worth considering:

1. Assess where you are now. A good risk assessment starts with creating a data inventory.
2. Establish an incident response plan. An incident response team should be ready to enact your data breach response plan.
3. Know your compliance requirements. If you are classified as a “covered entity,” are you in compliance with the requirements stipulated by HIPAA?
4. Remember that CSPs are business associates, too. The HIPAA Omnibus Rule makes it clear that they are directly responsible for complying with the HIPAA standards that apply to business associates. Make sure any CSP you work with signs a business associate agreement, and ask how the CSP handles data security and privacy.
5. Put thought into your mobile device and BYOD policies. PHI can travel on smartphones, laptops, tablets, and other mobile devices used by healthcare employees, contractors, and vendors — devices that are subject to theft, loss, and hacking.
6. Invest in a cyber-insurance policy. These insurance plans are available either as a stand-alone or as an addendum or endorsement to an existing policy

Another consideration is knowing where your organization's HIPAA responsibilities begin and end, depending on whether you host your critical infrastructure internally or in the cloud. If you have a CSP, it's essential to ask 1) what is required for your organization to be HIPAA compliant and 2) which controls your team is responsible for. Not all CSPs have the same offerings when it comes to HIPAA-compliant cloud services.

Given the rate at which technology changes, HIPAA compliance is a living, breathing, and ongoing effort on behalf of your organization and your CSP. A viable option for ensuring your business is fully covered is working with a cloud provider who offers professional, consultative services when it comes to HIPAA mandates. A knowledgeable partner will outline to your IT team which aspects of controls you're responsible for and what they can take care of on your behalf.

How to become and remain HIPAA compliant

Whatever your methodology for achieving HIPAA compliance, including a strategy for remaining in compliance to stay audit-ready is key, the top two considerations for becoming and remaining HIPAA compliant are:

1. Working with a trusted IT partner with a proven track record of helping organizations provide those services.
2. Finding a trusted auditor to engage with early and often.

Do not go down one path without the other.

When you've solidified your HIPAA compliance strategy, particularly when working with a CSP, make sure that your team keeps all parties in communication. That will ensure that the solution developed protects your organization today—and well into the future.