How Enterprise Cyber Risk Management Can Facilitate Compliance Efficiency

HIPAA is not the only law that addresses data privacy and security within the healthcare industry. There are many other laws and regulations which apply to specific types of data and/or specific kinds of data transactions that are applicable to the healthcare industry. Many of these laws and regulations include language, requirements and standards related to risk assessment. For example:

Family Educational Rights and Privacy Act (FERPA). The FERPA statute and accompanying regulations give parents access, and some control, over the disclosure of personally identifiable information (PII) found in education records.^[13] When a student enters postsecondary education or turns 18 years old, FERPA rights transfer to the student.

Genetic Information Nondiscrimination Act (GINA) of 2008. GINA protects individuals from discrimination based on their genetic information. The specific areas of discrimination GINA addresses are employment and health coverage.^[16] When the HIPAA Omnibus Final Rule was published in 2013, the Privacy Rule was modified to encompass the protections specified in GINA.^[17] Genetic information, as part of a patient’s health record, is protected by both HIPAA and the more specific protections spelled out in GINA.

As these examples illustrate, laws and standards that address the privacy and security of data are embedded in many different regulations that impact healthcare organizations. The examples cited above focus specifically on language related to risk analysis/risk assessment. But the fact is, conducting a risk analysis is but one aspect of a comprehensive Enterprise Cyber Risk Management (ECRM) program. An effective ECRM program includes, but is not limited to, the following activities:

• Evaluating whether or not the organization has adopted a cybersecurity framework, such as the NIST Cybersecurity Framework (CSF), and evaluating the maturity of the organization’s implementation of the framework;
• Conducting an enterprisewide risk analysis that identifies all of an organization’s information assets (data, systems, and devices), documents the threats and vulnerabilities associated with each of those assets, and documents the organization’s approach to addressing each of those risks;
• Assessing the organization’s compliance with the requirements of the HIPAA Security Rule;
• Assessing the organization’s compliance with the requirements of the HIPAA Privacy and Breach Notification Rules;
• Establishing ongoing processes for identifying and treating risks as the organization evolves and the risk landscape continues to change.
• Assuring ongoing maturity of the ECRM program through continuous process improvement.

An effective ECRM program will execute these tasks in a way that complies with HIPAA requirements and meets OCR expectations. A comprehensive ECRM program, which meets these goals, can provide the foundation for meeting the data privacy and security requirements of many different mandates and regulations. In other words, a comprehensive ECRM program not only serves to protect the organization from cyber risk, it also helps simplify compliance with myriad regulations related to data privacy and security.

ECRM is a journey, not a destination. It takes time to establish and implement a comprehensive ECRM program. However, once such a program is in place, it can help make compliance activities more efficient and more effective. By implementing a single, comprehensive, ECRM program, organizations can not only have confidence that they will meet HIPAA’s requirements, but also have confidence that they have a program in place that will meet the data and privacy requirements of many other statutes and regulations as well.

The following three action steps can help healthcare organizations move toward leveraging the power of ECRM to manage privacy and security mandates efficiently and effectively:

1. Identify the information security and privacy regulations that impact your organization. HIPAA’s Privacy, Security and Breach Notifications Rules are likely at the top of the list. But what about the other regulations mentioned in this article? Do any of them apply to your organization? Are there other regulations-for example, state-specific regulations-that control the way your organization manages cyber risk?
2. Analyze the specific requirements of the data security and privacy regulations that impact your organization. For example, how many of the regulations require a risk analysis or risk assessment, as described in this article? What other common requirements, related to cyber risk management, can you find across the breadth of data privacy and security regulations your organization is subject to?
3. Find out whether or not your organization has implemented an ECRM program. Share the information you have gathered about how cyber risk management impacts your organization with respect to compliance. Make sure compliance has a seat at the table as the organization establishes, or matures, its ECRM program.

^[3] GDPR, Article 35

^[4] GDPR, Article 35(7)(c) and Article 35(7)(d)

^[5]Pub. L. No. 106-102, 113 Stat. 1338, codified in relevant part primarily at 15 U.S.C. §§ 6801-6809, §§ 6821-6827

^[7] Federal Trade Commission (FTC). “How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act.” 2002.

^[13] 20 U.S.C. § 1232g; 34 CFR Part 99.

^[14] National Center for Education Statistics, Institute of Education Sciences (IES). “Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records.” November 2010. https://nces.ed.gov/pubs2011/2011602.pdf.