If you’re a technology, service, or digital experience provider engaging with covered entities, such as hospitals, physician practices, health plans, and health clearinghouses, you should be concerned about HIPAA compliance, as you likely qualify as a Business Associate (BA). But HIPAA compliance isn’t intuitive, so knowing how HIPAA applies to your business and how to ensure you’re successful in complying with the regulations can be daunting.
Clearwater recently teamed up with MATTER Health to share an overview of business associate cybersecurity and HIPAA compliance requirements. This educational partnership aims to enhance healthcare innovation and prepare start-ups with the best foot forward as organizations grow their businesses and integrate into the healthcare ecosystem. Presented by Nathan Walker, Principal Consultant with Clearwater’s Digital Health/Health IT Consulting Team, the series examines healthcare vendor risk-a growing concern for the industry as vendors accounted for nine of the ten largest data breaches in 2022.
While focusing on solving problems and enhancing the healthcare experience, growing companies must also quickly develop security, compliance, and privacy maturity. These strategies are critical to earning the trust of potential key customers; failure to account for and properly address these requirements can cost a digital health company new business opportunities and result in financial penalties that from an audit or investigation by the Office for Civil Rights (OCR), the agency within the Department of Health and Human Services that enforces HIPAA. The following ten key priorities are a great starting point and important in planning and implementing a cybersecurity and compliance program.
1. Establish a privacy and security risk management and governance program
Determining whether or not a privacy and security risk management program is in place is the first step to establishing where you have gaps and how to fill them. While a policy is a set of rules or guidelines, a program refers to a set of activities or interventions aimed at achieving a specific goal. In this case, it would be to ensure your cybersecurity strategies comply with HIPAA regulations. A cyber risk management and governance program would include:
- A designated HIPAA security and or compliance officer
- A governance structure
- A board to whom your security officer reports
- Leadership structure to whom the officer reports
- Regular meetings (and resulting meeting minutes) for program governance
2. Develop and implement HIPAA Privacy and Breach Notification policies and procedures
Be sure you have privacy and breach notification policies and procedures in place. Ensure they are routinely reviewed and updated and establish a document repository. They will be critical evidence if you ever face Office for Civil Rights (OCR) scrutiny or an investigation.
3. Train all members of your workforce
Be sure to include training around HIPAA requirements and security and privacy awareness. Conduct this training consistently and frequently, including documentation of training and updates to the curriculum.
4. Perform an OCR-quality HIPAA security risk analysis
If you face an investigation or inquiry, a security risk analysis may be the first thing OCR will ask to see. Unfortunately, nearly 90% of organizations that face monetary settlements or penalties for HIPAA violations related to electronically protected health information did not conduct a risk analysis correctly. Or worse, they never completed one at all. Risk analysis is not a checklist or check-the-box activity; it requires oversight from a HIPAA expert to establish optimal outcomes.
5. Implement HIPAA security risk management
Once you complete your risk analysis, you’ll need to implement a risk management plan to respond to the risks that you’ve identified. The plan should itemize those risks that require treatment or mitigation. You should also document where you’ve decided to accept risk and under what conditions and risk levels you plan to mitigate. Risk avoidance steps can be taken, documenting any additional safeguards you plan to implement. This will address findings regarding gaps and ongoing risk management.
6. Periodically complete a HIPAA security evaluation, or what’s also known as a compliance assessment
This is often considered a nontechnical evaluation under the HIPAA Security Rule. Think of it as a gap assessment and demonstration that your organization is being reasonably diligent in ensuring that you’re complying with the security rule.
7. Establish routine technical testing of your environment
The HIPAA Security Rule also requires technical testing, including vulnerability scanning, internal and external penetration testing, and web application testing. Adding related assessments as part of your testing processes is a good step in light of the increased rate of ransomware and phishing attacks. Doing so allows you to see where gaps or issues put you at greater risk of a successful attack.
8. Implement a strong and proactive business associate management program
Be sure you have business associate agreements for your vendors interacting with PHI just as your customers will scrutinize your security practices. It’s critical to have processes in place and documented to address and mitigate risks associated with the business associates and other third-party relationships you maintain.
9. Complete Privacy Rule and Breach Notification Rule compliance assessments as a best practice
Compliance assessments help you uncover any gaps in your Privacy in Breach Rule Compliance measures.
10. Document and act upon a remediation plan
Documentation is key for maturing your program and attesting to your program’s effectiveness. But remember, it’s more than documenting what you’re doing correctly.
You also want to identify your known gaps and weaknesses and document all the steps to mitigate or remediate those issues.