Does Your Non-Medical Business Need to Comply with HIPAA Requirements?

Executive Resource
Weaver's series sheds light on the intricacies of HIPAA compliance for non-medical entities and offers crucial insights that could impact your company’s operations.
March 26, 2024

Use Weaver’s Downloadable Self-Assessment Checklist to Evaluate Your Status

Organizations that interact with or store electronic personal health information (ePHI) must comply with the Health Insurance Portability and Accountability Act (“HIPAA”). Non-medical businesses may be surprised that they are subject to HIPAA because they have clients handling ePHI. Any non-medical business that collects, processes, or stores ePHI on a frequent basis is considered a “business associate” of a covered entity and is subject to the security requirements of HIPAA. To find out more about ePHI and other related requirements, see Weaver’s three-part series:

  1. Who Needs a HIPAA Security Assessment? You May Be Surprised: Rules Touch Many Non-Medical Businesses
  2. The Who and How of HIPAA: Understanding Terms, Scope and Applicability
  3. Building in the Safeguards

Identify Risks Through Self-Assessment

Typically, the first step towards compliance is to identify risks and assess the organization’s strengths and weaknesses related to HIPAA security requirements. Many organizations do so by using a checklist or other format for self-evaluation.

Weaver’s self-assessment checklist provides guidance for baselining current compliance status and identifying areas of improvement necessary to achieve HIPAA compliance. While it is not a substitute for a formal HIPAA compliance assessment, the checklist can help identify processes needed to move towards a HIPAA compliant status.

Common Risks to Uncover and Address

The self-assessment checklist covers several general categories related to HIPAA compliance. The following broad descriptions cover the main areas of concern addressed in the more detailed checklist.

Insufficient Risk & Information Governance

Information Security Management & Responsibility: An organization does not properly identify risks specific to ePHI, leading to misuse and misdirection of resources away from high-risk areas.

Workforce Security and Evaluation: Supervision of the organization’s workforce is not designed to ensure that only authorized personnel interact with ePHI. Specific key performance indicators are not defined and monitored to identify when instances of inappropriate supervision occur.

Incident Response & Communication: An organization’s incident management and response procedures are not designed to comply with timeframes required by HIPAA for an ePHI-related breach. Communication processes do not include disclosures required by HIPAA for ePHI-related breaches.

Inadequately Enforced Contracts with Business Associates

Contracts, Agreements and Enforcement: A written contract between the covered entity and business associates performing services on behalf of the covered entity fails to contain the 10 recommended requirements defined by the Office for Civil Rights (OCR). These include requiring proper use of ePHI, requiring proper safeguards, and disclosure requirements.

10 Recommended Requirements from OCR: The business associate that the covered entity asks to sign a contract is not currently adhering to some or all of the OCR’s recommended requirements.

Control Environment Weaknesses

Facility & Media Security: Physical safeguards at the organization fail to account for all possible scenarios in which an adversary may physically intrude upon an area containing ePHI, or a device that contains accessible ePHI. If areas are physically breached, media device security safeguards do not prevent the adversary from inappropriately accessing ePHI.

Information Access & Integrity: Logical access safeguards (e.g., unique identifiers, automatic logoff, passwords) are not designed to enforce a need-to-know or least privilege strategy regarding ePHI access. Consequently, the integrity of ePHI cannot be relied upon because access to modify and delete information is not properly controlled, recorded, and restricted.

Data Protection: Inadequate encryption protocols are employed for ePHI stored on servers or transmitted to external parties (i.e., business associates), resulting in potential data loss and theft.

Insufficient Documentation Supporting the Compliance Process

Awareness & Documentation: Inefficient or inadequate compliance awareness campaigns result in employee complacency regarding responsibility for the use and protection of ePHI. Without suitable campaigns, individuals may not be aware of HIPAA compliance policies and procedures.

Could Your Organization Use HIPAA Help?

Your first HIPAA Security Assessment can be difficult and time consuming. We want to help make it easier for you. Weaver’s IT Advisory professionals have the experience to help guide this process and address common pitfalls involved in HIPAA compliance, especially for Business Associates and others who may access PHI for the first time.

For more information on how HIPAA regulations may apply to your organization, contact us. We are here to help.

©2024

Download Weaver's HIPAA Checklist Tool.