Are you a HIPAA covered entity or one of the hundreds of thousands of HIPAA business associates? Either way, now's the time to start re-evaluating HIPAA, that old federal regulation affecting the
With the recent HITECH Act (Health Information Technology for Economic and Clinical Health Act), HIPAA finally has some teeth. The HITECH Act was part of President Obama’s 2009 government expansion bill. It contains provisions to extend HIPAA security and privacy compliance to business associates, adds breach notification requirements, new rules for using encryption for protecting health information and periodic audits of covered entities and business associates to ensure compliance.
Security compliance “reviews” are already being performed on HIPAA covered entities. And these aren’t the typical reviews that have been performed in the past. The federal government is actually seeking out healthcare providers and plans in order to spot check their compliance status. The CMS Office of E-Health Standards and Services has revealed HIPAA compliance gaps that many businesses thought they had under control, or were immune to.
The report found everything, from covered entities not performing risk assessments, to poor processes around security documentation, to lack of workstation security assessments. This is contrary to the practices of some covered entities that having a notice of privacy practices and a firewall are all that's needed for HIPAA compliance.
In addition to these reviews, actual enforcement is stepping up as well. It was recently announced that the division of the U.S. Department of Health and Human Services responsible for HIPAA Privacy Rule enforcement—the Office for Civil Rights (OCR)—is now responsible for HIPAA Security Rule enforcement as well. Formerly the Centers for Medicare and Medicaid Services (CMS) was responsible for the Security Rule. And as we saw, very little was done to monitor or enforce this component of HIPAA. Now that enforcement of both rules is under one umbrella, it appears the government is finally taking their own laws seriously.
If you're a HIPAA covered entity or business associate, you've got some work ahead of you:
- Review the HITECH Act and the HIPAA Security Rule to (re)familiarize yourself with what's expected.
- Meet with your legal counsel and security committee to ensure everyone is on the same page regarding what needs to be done.
- Review your business associate contracts to ensure they're in line with the requirements.
- Perform that in-depth risk analysis that the HIPAA Security Rule mandates and find out where your business is weak.
- If you performed an in-depth analysis a while back, it's probably a good time to look at things again since so many things undoubtedly change in your information systems from year to year.
The bottom line is to know what you're up against so you can cover the essentials and minimize your business risks. I usually say the more things change with security the more they stay the same, but when it comes to HIPAA compliance—times, they are a changin' indeed. And I don't expect that they'll ever be the same again.
Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic LLC. He has authored/co-authored seven books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies . In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
This was first published in August 2009