Origins of HIPAA
The HIPAA (Health Insurance Portability and Accountability Act) was created in 1996 to provide a standardized approach to billing and healthcare information, as well as to protect personal data and to ensure changing jobs did not cause problems for any individual with regard to health insurance coverage. With the continued increase in cybercrime, in particular ransomware attacks, it is more important than ever that companies responsible for compliance with this act continually monitor their systems to analyze risk and ensure that they are indeed compliant.
The coverage of HIPAA extends to all companies that deal with any protected health information (PHI), and that includes any businesses that have access to this information working as a subcontractor or business associate of the health company. This typically includes software and support companies that deal with payments or similar third-party solutions.
What Does HIPAA Cover?
There are five separate parts to HIPAA, all of which aim to improve the health sector for both health companies and the individuals who use them. The first deals with health insurance and govern coverage, ensuring it is still valid even when people lose or change their jobs. The second seeks to simplify all administration meaning that transactions are standardized nationally and data is stored securely. This includes security issues for both electronic storage and physical storage considerations. The third and fourth are related to tax and increased protection for individuals needing specific coverage respectively. Finally, the last section relates to company-owned life insurance and foreign citizens.
Who Needs to be HIPAA Compliant?
HIPAA covers every business that uses any PHI, whether this is online or in hardcopy form. This will encompass, among others, healthcare providers such as hospitals, anyone accessing healthcare plans and healthcare insurance specialists. Any medical business whatsoever will be covered by HIPAA and will need to prove compliance.
As an update to HIPAA in 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) stipulated that this should also encompass third-party firms who are business associates of the medical companies covered by HIPAA. This will include SaaS (Software-as-a-Service) companies along with auditing firms and companies such as those providing platforms in use in human resources departments.
In short, if a company has any interaction with PHI or with another business that stores and uses PHI, then they will also be required to be compliant with HIPAA.
The Consequences of Non-compliance
As it is quite clear which companies should be affected by HIPAA, the penalties for businesses avoiding compliance or violating the rules are quite severe. As well as criminal charges being brought for violations, there are also fines which could reach $1.5 million for each and every incident recorded. Additionally, if there is a breach of confidential information whether because of non-compliance or not, the company has to inform all affected individuals as soon as possible.
What is Continuous Monitoring?
In order to comply with the act as a whole, HIPAA has a security rule that requires you to monitor your infrastructure and make any corrections that may be required at any time. This involves checking that all security measures are adequate and will effectively protect all the PHI you hold.
With cybercrime on the increase, it makes sense to continually check that your data and systems are protected. This could include making sure that there are no signs that there have been any breaches, and that your audits are scheduled frequently enough to satisfy the compliance rules. Hackers can integrate any system at any time, so it is vitally important to install patches and software updates as soon as you are issued with them. Simply monitoring occasionally without shutting down vulnerabilities puts your PHI at risk and will not help compliance.
Proving Continued Compliance
To be sure that you are complying with HIPAA every day and not just when you have an audit, continuous monitoring is clearly the answer. You need to be checking for any risks that may affect your security and mitigating them as soon as is practicably possible. Proof that this is being done and that your data is safe and remains confidential relies on documentation and reporting that are acceptable to auditing authorities.
There are automated tools that can help with these processes as they are often developed to continuously monitor systems specifically for compliance purposes. One specific system of record that can handle multiple updates from different employees can help to simplify reporting capabilities and eliminate duplication while tracking outstanding tasks that are still to be completed. Automation revolutionizes your work schedule as it concentrates on the bulk of the tedious and repetitive tasks that enable efficient monitoring and compliance, while leaving your staff free to work on the specifics of mitigating any risks found and managing the overall security measures.
