Who Needs a HIPAA Security Assessment? You May Be Surprised: Rules Touch Many Non-Medical Businesses

Understanding HIPAA Security Rules for Business Associates, Part 1 

In 1996, as more medical practices were moving to computerize patient charts and share digital information with partners like laboratories and insurers, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law to set privacy and security measures around protected health information (PHI). The regulation took full effect on December 28, 2000. As more patient data became digitized in the years that followed, the HIPAA Security Rule was issued in 2003 to establish administrative, physical and technical security designed to protect electronic protected health information (ePHI).

Most Americans are aware of HIPAA, if only because they have been asked to sign acknowledgments at their doctor’s office. What they may not know is that HIPAA’s reach goes far beyond doctors and hospitals, labs and radiology centers. Any organization that interacts with PHI or ePHI must comply with the rules for keeping that information safe. This includes businesses, not-for-profit organizations or government agencies. Cloud-based service providers, in particular, may be surprised to learn that because they have clients handling ePHI, the providers themselves are subject to HIPAA.

HIPAA as Ranch Management

If you’ve ever visited a ranch, you may have wondered how the rancher keeps everything running smoothly and all the animals where they need to be. Sheep don’t just line up for a shearing, after all. A lot of planning and organization must happen in the background: details of feeding, milking, birthing, herding from one pasture to another. Putting all the animals away with the right process can help a rancher or farmer milk the cows, shear the sheep, and feed the horses at the right time.

If PHI were animals, you could think of HIPAA as “how I put animals away.” With a strong compliance program, your organization can implement an orderly set of controls that protect PHI/ePHI from inappropriate access, security breaches and other IT security risks.

Implementing a control environment to support your HIPAA Security Rule compliance will give you the tools to herd sensitive data and communicate requirements to your employees and business partners. The compliance program will significantly reduce your risk of incurring HIPAA penalties and support you in responding to a breach if it happens.

What Exactly Is PHI?

HIPAA is intended to safeguard health data that could be connected to a particular individual. The regulation specifies 18 information demographics that could be considered PHI/ePHI, if the data would be adequate to identify an individual and tie that individual to a health record.

In other words, information isn’t regulated PHI or ePHI just because it is personal. It must also identify an individual. For example, in most cases, a birth date alone won’t allow someone to identify an individual. Unless the population is very small, there’s a high probability one individual wouldn’t be identifiable from that date alone.

On the other hand, combining multiple data categories can provide enough information to identify one individual and connect the person with health data. For instance, if you are storing a record with birth dates, physical addresses and prescriptions, you have PHI. Sometimes, it only takes two categories to identify someone. It’s not always obvious which data constitutes PHI, but even seemingly innocuous data can contribute when a record includes multiple categories.

Table 1: PHI/ePHI Demographics

How do you know whether your organization is handling PHI? A security assessment is the best way to find out.

This assessment will determine whether you are subject to HIPAA, whether data in your environment are adequately protected, and whether your security measures comply with the HIPAA Security Rule.

Readiness Assessment

Data Discovery

The first step in a HIPAA Security Assessment is to determine whether any of the regulated data categories exist anywhere in your controlled environment, and whether they could be combined to produce PHI/ePHI. This information could be in a local database or in a cloud environment you manage. Either way, the organization must assess the security measures in place to protect the data. For third-party cloud providers, this assessment could include reviewing a SOC 2 report, verifying necessary data security certifications are in place (e.g., TX-RAMP), or conducting a periodic audit of the cloud provider’s security practices.

Risk Assessment

Once the data categories and storage locations have been identified, you must define potential risk scenarios. These risks can range from human error to ransomware, but they should be relevant to your organization and have a reasonable probability of occurring. Once these risks have been identified, you can implement appropriate remediation strategies specifically designed to mitigate and manage those risks.

Policy and Procedures

The risk assessment will produce a laundry list of to-dos, big and small. Begin to address them by developing proper policies and procedures, if you don’t already have them. Then you’ll need to teach those procedures to your staff and conduct periodic refresher trainings. To effectively embed security measures into the organization, leaders need to set the tone by communicating these processes and emphasizing the importance of following them.

Technical Controls

Once the right policies are in place, the next task is implementing strong internal controls to protect the data identified as PHI/ePHI. The organization will need to ensure the controls operate reliably, with evidence that is documented and auditable. “Auditable” means that, when you are asked to provide evidence that a control operated as designed, you have the documentation. The good news for IT firms is that several industry security standards, such as PCI DSS, SOC 2, and NIST, have requirements that overlap with HIPAA security measures. That means there’s a good chance you are already complying with some of the HIPAA requirements.

The HIPAA Security Assessment

Once you are confident that your organization’s policies, standards, procedures and controls have been implemented, they are operating as intended, and they meet HIPAA requirements, then you are ready to provide information to your choosen assessor, such as Weaver. The assessor will look at whether your organization has implemented the required safeguards and is consistently reviewing its controls to ensure ongoing compliance.

You must be able to provide accurate documentation and explanations of company operations in order for assessors to test your security measures. The documents you provide and any related discussions will be confidential and documented only for the parties for whom the final report of compliance is intended. With this confidentiality, you can be comfortable explaining your processes and pointing out any deviations when they arise or are discovered during the assessment.

What does your organization need to gather before a HIPAA Security Assessment? Assessors typically request copies of:

• All policies related to privacy protections of employees, customers, and personal information
• All policies related to information & data security (physical, logical)
• All policies related to data breach & incident management
• All audits conducted in last three years directed at compliance and data privacy laws
• Data privacy training materials used in the last three years
• Contracts and service level agreements/business associate agreements with vendors who interact with PHI/ePHI
• Descriptions of the measures taken regarding PHI/ePHI transferred outside the United States

Gaps that are typically identified during the assessment include: 

• Not performing a thorough data and asset inventory documenting assets that may contain PHI/ePHI
• Not performing a thorough risk assessment identifying risks to the protection of PHI/ePHI and remediation/mitigation strategies to address
• Missing documentation explaining why an addressable specification is not being performed
• Inadequate procedures for guarding against, detecting and reporting malicious software
• Failure to consistently perform and document annual testing of the disaster recovery plan for elements relevant to ePHI
• Failure to provide adequate emergency procedures in case facilities and systems are not accessible
• Lack of an annual review requirement in vendor contracts
• Failure to retain HIPAA policies and procedures for six years (including every version of the policies and procedures, measured from the day the version was created)

If such gaps go unaddressed over time, they can create long-term issues beyond noncompliance. An untested disaster recovery plan can leave you unprepared when the emergency comes. Not reviewing vendor contracts every year could lead to inadequate protections as the organization and its needs change. Inadequate software protections can lead to data breaches, data theft and even extortion schemes.

Not all organizations face the same risks, and not all risks will affect every organization the same way. A HIPAA Security Assessment is critical to knowing what health care information your organization has and how you can protect that information in the most practical way.

Could Your Organization Use HIPAA Help?

Your first HIPAA Security Assessment can be difficult and time consuming. We want to help make it easier for you. Weaver’s IT Advisory professionals have the experience to help guide this process and address common pitfalls involved in HIPAA compliance, especially for Business Associates and others who may access PHI for the first time.

For more information on how HIPAA regulations may apply to your organization, contact us. We are here to help.

Authored by Hunter Sundbeck, David Friedenberg and Alexis Kennedy.

©2023

This is Part 1 of Weaver’s 3-part series on HIPAA Security Rule compliance:

• The Who and How of HIPAA: Understanding Terms, Scope and Applicability
• Building in the Safeguards