United States

HIPAA/HITECH critical security measures and best practices


Security measures related to the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health, otherwise known as HIPAA/HITECH, are numerous and complex. Our webcast presenters shared insights and best practices to keep in mind.

Business associate agreements and vendor management
It's important to understand how HITECH defines a business associate. Once defined, organizations can begin identifying where a business associate agreement must be in place. The business associate agreement is the formal document used to communicate and acknowledge an entity's responsibilities under HIPAA/HITECH for safeguarding the confidentiality, integrity and availability of protected health information (PHI). The regulatory standards define a business associate as an individual who creates, receives, maintains or transmits PHI. Examples of business associates include, but are not limited to, individuals in claims processing, data analysis, quality assurance, legal, actuarial, accounting and data aggregation, to name a few.

As the rule states, business associates must comply with all applicable requirements. This also includes the compliance of subcontractors that create, receive, maintain or transmit PHI. Business associates must establish and review contracts with subcontractors. Covered entities are not required to establish business associate agreements with subcontractors. Organizations must document communications and ongoing relationships with vendors and complete ongoing performance monitoring to ensure rule compliance. In addition, vendor management can be enhanced by completing a risk assessment every 12 to 18 months to identify issues or potential problems. Learn more about how to conduct a security risk assessment and get a helpful risk assessment tool.

Privacy and security practices and breach awareness
From 2009 to 2013, the Office for Civil Rights (OCR) has fielded more than 79,000 reports and complaints in connection with PHI breaches. These security breaches were the result of various incident scenarios, including laptop theft, unauthorized system access, as well as loss of paper records and loss or theft of portable devices. It's reported that the average cost of a data breach to an organization is approximately $200 per individual data record, due to the many post-breach efforts that must take place to remedy the violation, including notifying individuals of the security breach, increasing protection measures and costly litigation.

In our post-webcast survey to attendees, the following emphasizes how widespread breaches are and how organizations are responding to security challenges.

A few things to consider in reporting a breach and working with Health and Human Services (HHS) and the OCR include: a detailed, written narrative related to the breach will be requested, along with any supporting documentation. They will also require a sample copy of the notification letter to affected patients and a copy of the notice or press release sent. In addition, they'll require a listing of all complaints regarding the breach; copies of investigation notes, documents and reports; a copy of any incident report relating to the breach; a description of any internal policy or procedural revisions; descriptions of any training conducted prior to the breach; documentation relating to assessment of risk, as well as copies of policies, procedures and agreements or contracts with vendors. A best practice to keep in mind while working through the breach aftermath is to get to know your specific investigator assigned to your case. This often expedites processing if you can identify an individual to work with directly.

In addition, it's important to have a breach response plan in place to allow for the efficient execution of the steps needed to address the breach. The plan would include a designated response team and team leader that can maintain 24-hour contact with members and alternates, including:

  • Compliance officer
  • Privacy officer
  • Security
  • Information security
  • Legal
  • Public relations and communications
  • Human resources
  • Customer service and patient relations
  • Business units
  • Outside consultants

The plan should establish an internal notification and reporting process with checklists of steps to be taken or considered. In addition, the plan should document all actions considered and taken and reasons for decisions. It's important to know the regulatory and law enforcement agencies that need to be contacted and include that information in your plan, as well. Also, plan for a post-response review, risk remediation and process improvement following the incident.

Access controls related to workforce
A key element of the privacy rule is to assure standards of workforce security. This requires implementing policies and procedures to ensure that all members of your workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not need to have access. Special procedures around identifying data owners, workforce user roles, termination procedures and more need to be in place to verify that access to systems are appropriate and approved. Controls and security measures must be in place to ensure data owners can access essential data, but unauthorized others must not be able to touch it. After measures are in place, vulnerability scanning and penetration testing should be implemented frequently to test for weaknesses, ensure encryption measures are sound, and prevent attackers or users from circumventing the controls. Workstation security should also be assessed, from laptops and mobile devices to off-site work environments, all tested and maintained to assure no vulnerabilities or exposures are present.

Post webcast survey
Health care industry's big issues in 2014, Part 2 – HIPAA/HITECH.

For more information

Please contact our webcast presenters:

Corbin DelCarlo
Director, Risk Advisory Services

Greg Vetter
Director, Health Care Advisory Services

Ron Ritenour
Manager, Risk Advisory Services

Rob West
Manager, Risk Advisory Services