HIPAA (the Health Insurance Portability and Accountability Act) was a watershed moment for healthcare in the U.S. now more than 25 years ago. Signed into law in August 1996 by President Bill Clinton, it did a range of things all at once, from protecting people’s access to health insurance to governing how your protected health information (PHI) is handled. While HIPAA has been the law for some time, staying in compliance with HIPAA is an increasingly challenging endeavor as the threat landscape grows.
This post is a roundup of resources from Absolute on how to get and stay compliant with HIPAA.
This post isn’t intended to cover all the facets of HIPAA, just the data privacy ones. There are five sections within the law, but only one, Title II, covers data and privacy. Title II covers patient access to PHI (your right to see and get your data) as well as how the data is protected. In 2013, the Final Omnibus Rule Update added the security protections of the 2009 HITECH (Health Information Technology for Economic and Clinical Health) Act, which included breach disclosure requirements for all companies covered by HIPAA.
Together these laws, rules, and court decisions form the foundation of HIPAA data compliance, which boils down to one simple premise:
Protect PHI from people who shouldn’t have access to it, and make sure the people who do can access it securely.
Each half of that premise needs its own set of processes and procedures to ensure you are fully compliant with HIPAA.
Absolute has an entire practice focused on protecting health systems and protected health information, and over the years our experts have written posts that cover every part of HIPAA compliance.
A deep dive into HIPAA compliance and what the consequences are if you have a breach or you are found to be out of compliance (the short answer is the consequences are costly).
This post was mentioned above and gives you a place to start your compliance process. While HIPAA compliance isn’t just about checking off boxes, checklists help you focus on the people, systems, and tasks needed in your compliance program.
If you think HIPAA compliance is just an IT exercise, you are missing a big part of the HIPAA puzzle. HIPAA treats PHI as a civil rights issue, which means violations are taken far more seriously than other compliance activities. When someone’s PHI falls into the wrong hands or is simply mishandled (like documents recycled without being shredded), you have violated that person’s civil right to the protection of their privacy. The Cybersecurity Insights video in this post explains more about how compliance is only part of the exercise.
This is a follow-up post to the one above that gets into more of the technical requirements for compliance, with another video to break things down for you.
When PHI was only in file cabinets and big servers, it was easier (though not easy) to protect data. Today, with laptops, smartphones, wireless diagnostic equipment, and Internet of Things (IoT) devices on networks, there is a lot more to worry about. Devices healthcare professionals carry with them can be lost, stolen, or hacked. IoT devices such as personal wearables or facility control systems can be the portal to network vulnerabilities, opening the door for hackers to breach systems. There is a lot more to think about today, and your compliance program needs to include all of these risks.
You can’t manage risks you can’t see. One of the cornerstones of all Absolute solutions is tamper-proof visibility into all the endpoints that access your network. If a laptop goes missing, you’ll see it and be able to manage it.
While achieving HIPAA compliance is challenging, it’s not impossible. Read how one Absolute customer improved their overall security while also becoming HIPAA compliant:
Becoming HIPAA compliant is a lot easier when Absolute is in your corner. You can read more about how to protect PHI in 7 steps, and then get in touch for a demo with a security expert to understand how Absolute can help you with a range of data and security solutions.