HIPAA Security Officer Tips
Working in conjunction with our professional risk assessment/management partner, we wanted to share some of the most frequent questions received regarding HIPAA security and compliance:
Q. When can we say we are HIPAA compliant?
A. We get this question a lot. There is no definitive answer. However, based on what we see from the Office for Civil Rights, an organization will be considered HIPAA compliant if it makes a “good faith” effort, which would generally include the following:
* Performed a recent Security Risk Analysis
* Implemented an active Risk Management Process
* Have Policies and Procedures which specify how patient data is protected
* Have signed Business Associate agreements
* Trained employees within the last year
* Maintained documentation evidencing the above and the other aspects of your HIPAA compliance program
Q. What are explicit HIPAA requirements?
A. HIPAA has requirements called safeguards; there are 3 sets: physical, administrative and technical. To be considered HIPAA compliant, you must be adhering to these safeguards. A Risk Assessment would provide you with recommendations on how to better align your organization with these safeguards.
Q. Who do I need a Business Associates agreement with?
A. A Business Associate (BA) is a vendor of a Covered Entity (CE), or of another BA, that needs access to or stores electronic Protected Health Information (ePHI) as a regular part of the services it provides. Common examples of BAs are IT companies (that’s us!), billing companies, and transcription companies. Cleaning companies are generally not considered BAs. HHS publishes further guidance on who qualifies as a Business Associate.
Q. Do I need to retrain my employees every year?
A. As a practical matter, yes. If you don’t train your employees every year, it will be called out as something to focus on in your Risk Assessment. And why wouldn’t you want to train your employees annually? It doesn’t take a lot of time, and it provides a lot of benefits to you beyond HIPAA compliance. We look at it as a continual and ongoing process.
Q. Can I send emails to individuals/clients/patients?
A. There are two circumstances in which it is permissible to email individuals/clients/patients. If you have encrypted email, it is fine to email them. If you do not have encrypted email, but an individual/client/patient signs a release saying it is okay to email, then you are fine to email them as well. However, forms are hard to keep track of and can generally be impractical. The best practice is to electronically communicate with a patient through encrypted email and a portal. This is secure and keeps track of all communications for you.
Q. Is Ransomware a reportable breach?
A. It is very possible that it may be, but an investigation of the facts is required to confirm. HHS has published guidance on ransomware and breach determination. Every effort should be made to prevent a ransomware infection: make sure all systems are patched, have a recent vulnerability scan, and train your employees to recognize and avoid phishing emails. FYI, this is best practice for cybersecurity no matter what industry you are in.
Q. What is the difference between a security incident and a breach?
A. Any time the Security Officer suspects that electronic Protected Health Information (ePHI) was somehow disclosed in an unauthorized fashion, there is a security incident. The security incident must be investigated before it can be determined to be a breach.
Q. How often should we perform a Risk Assessment?
A. The HIPAA regulations allow organizations to perform Risk Assessments at a frequency they deem appropriate. However, CMS/HHS requires Security Risk Analyses (SRAs) for Meaningful Use, MACRA, and the Diabetes Prevention Program to be performed yearly, so this has become the de facto standard. As a best practice, and to meet HHS standards, everyone should perform an SRA at least once per year.
Q. Do I need to perform a vulnerability scan?
A. Yes. Identifying technical vulnerabilities is a requirement of the HIPAA Security Rule. According to HHS: “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.” However, the HIPAA Security Rule does not specify the frequency with which this should be performed. How often you have a Vulnerability Scan completed is a decision you should discuss with your IT department or IT vendor. Remember, a vulnerability scan helps not just with HIPAA, but also with your organization’s overall cybersecurity posture. There have been horrible breaches that could have been prevented if a vulnerability scan had been run.
Q. Do I have to encrypt my laptops?
A. If a laptop is lost, that is a security incident (see above). It is then incumbent upon the organization to perform an investigation to determine how much and which electronic Protected Health Information (ePHI) was stored on the laptop. This is virtually impossible. However, encryption offers a “safe harbor”: if a laptop is encrypted and it is lost, it is not a breach (provided, of course, that you can prove the laptop was encrypted). Encryption is very cheap, easy to implement, and a recommended best practice for all organizations, not just HIPAA Covered Entities.
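Because the safe harbor only applies if you can prove the laptop was encrypted, it helps to record encryption status before a device goes missing. The following PowerShell script is an added example (not part of the original Q&A) that inventories BitLocker status on a Windows laptop and writes a dated evidence record; the evidence folder and file name are assumptions you can change.

```powershell
# Added example: record BitLocker status as dated compliance evidence.
# Assumes Windows with the built-in BitLocker PowerShell module (Get-BitLockerVolume).
$EvidencePath = "C:\HIPAA\Evidence"   # assumed location for compliance records
New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null

$report = Get-BitLockerVolume | ForEach-Object {
    [PSCustomObject]@{
        Computer         = $env:COMPUTERNAME
        Checked          = (Get-Date).ToString("s")
        Drive            = $_.MountPoint
        VolumeType       = $_.VolumeType          # OperatingSystem or Data
        VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $_.ProtectionStatus    # On = key protectors enforced; Off = encrypted but not protected
        EncryptionMethod = $_.EncryptionMethod
        PercentEncrypted = $_.EncryptionPercentage
        KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ";"
    }
}

# A system volume only supports a safe-harbor claim when it is fully encrypted AND protection is on.
$unprotected = $report | Where-Object {
    $_.VolumeType -eq "OperatingSystem" -and
    -not ($_.VolumeStatus -eq "FullyEncrypted" -and $_.ProtectionStatus -eq "On")
}

# One CSV per machine per day, so the record shows when the check was made.
$file = Join-Path $EvidencePath ("bitlocker-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format "yyyyMMdd"))
$report | Export-Csv -Path $file -NoTypeInformation

$report | Format-Table -AutoSize
if ($unprotected) {
    Write-Warning "System volume on $env:COMPUTERNAME is not fully protected; this laptop would not qualify for safe harbor if lost."
} else {
    Write-Output "Evidence written to $file"
}
```

Keep the CSV with your asset inventory rather than on the laptop itself, since it is the laptop that may go missing. Running the script on a schedule gives you a dated history instead of a single snapshot.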
Q. I know I need to train, but what is the best approach?
A. The best and most effective training is something that becomes part of normal operations, is current and relevant, is ongoing, and has an element of fun to it. Micro training sessions consisting of a short video and a few questions are easy to integrate into one’s work time. Randomly sent ‘Simulated Phishing Emails’ reinforce the training and help everyone know what to be on the lookout for, and exactly what they missed should they fall for one. Having it all tracked in a portal that shows how each person stacks up against the rest of the team adds that element of fun and competitiveness. You then back it all up with a Dark Web Assessment and ongoing monitoring, so you not only know your exposure from third-party data breaches, but can react quickly when they occur.
We hope you found this Q and A to be helpful and practical. If you have any further questions, please do not hesitate to contact us at email@example.com.