One of the trendy marketing terms used by equipment and service providers in the security space is “HIPAA Compliant Environment.” It is usually used to describe a bundle of technical controls: operational environment controls, workload (VM and application) hardening, protection of data at rest and in transit, and identity and access management.
All of these controls are genuinely useful for protecting the privacy and security of protected health information (PHI) as it is used, stored, and transmitted. But security and compliance are not the same thing. Here are the things to consider to help evolve beyond a HIPAA Compliant Environment and create a Culture of Compliance that adds value to your organization.
HIPAA Compliant Environment or a Culture of Compliance – Super Security Kryptonite
Let’s say you allocate resources to build the ultimate network for your organization. It has the highest-speed internet access, bulletproof VPNs, the latest computer technology, security protections that rival the CIA, encryption, multi-factor authentication…literally anything you can think of to ensure total security.
All of the time, effort, and money it took to build that perfect system can be undermined simply by allowing a human being to use it. Nearly 80 percent of HIPAA violations happen because of administrative failures. The technology has no chance of succeeding if the people who operate it do the wrong things.
People send billing information to the wrong patient. People share passwords and share access with staff members who shouldn’t have it. People click on links in emails promising “free $100 Amazon gift cards” that secretly install malware, spyware, or ransomware.
HIPAA Compliant Environment or a Culture of Compliance – From People Worst to People First
Security controls such as encryption and multi-factor authentication are absolutely critical. In fact, the HIPAA Security Rule addresses both: encryption of electronic PHI at rest and in transit is an addressable implementation specification (you must implement it or document why an equivalent alternative is reasonable), and person or entity authentication is a required standard, which multi-factor authentication is the strongest common way to satisfy. But employees still have to be trained on what to do and why it matters.
That starts with effective policies and procedures governing the use of, and access to, PHI within your organization. Your policies must adhere to the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule.
Your policies and procedures tell your employees what kind of value you place on patient PHI. Do they include consequences for violations? Are you willing to follow through with appropriate discipline if and when someone violates one?
Employees must be trained on the policies in a way that does more than check a box. HIPAA training should cover not only what to do, but why it must be done. When employees understand the connection between what they do and how it protects their patients, it creates engagement and ownership, and they can attest to having completed the training without reservation.
Training should be supplemented with testing. Not standard multiple-choice testing, but practical testing such as simulated phishing emails that reinforce vigilance during daily work. Measure report rates as well as click rates; an employee who reports a suspicious message is the outcome you are training for.
HIPAA Compliant Environment or a Culture of Compliance – Connecting all the Pieces
Building a culture of compliance also extends into relationships with business associates and other vendors. Do you take the time to do real due diligence on what they deliver? Do you sign business associate agreements before any PHI is shared? Do you have confidentiality agreements covering vendors who may incidentally see PHI while in your office?
HIPAA compliance does not end at your own walls. It needs to be continuous, acting as a shield that protects the PHI for which you are responsible.