What is Required for HIPAA 2020?

With HIPAA enforcement at an all time high, covered entities (CEs) and business associates (BAs) must be clear on what is required for HIPAA 2020. The Health Insurance Portability and Accountability Act (HIPAA) requires organizations working in healthcare to adhere to standards to ensure protected health information (PHI) is secure. HIPAA 2020 mandates that organizations working with PHI implement technical, physical, and administrative safeguards to protect the sensitive information that they work with. Additionally it is required to complete annual self-audits and to vet vendors.

HIPAA 2020 Safeguards

Organizations working in healthcare have an obligation to implement “reasonably appropriate” protections to secure patient’s PHI. Implementing adequate safeguards limits the risk of experiencing a healthcare data breach.

  • Technical: are cybersecurity measures that are put in place to protect PHI on electronic devices such as encryption or firewalls. All devices containing PHI should have protections to ensure that the integrity of PHI is maintained.
  • Physical: refers to the security of an organization’s physical site with measures such as installing video cameras, alarms, and keypad locks that allow organizations to issue unique access codes for each employee.
  • Administrative: are written policies and procedures that must be customized to apply to an organization’s business processes. All employees must be trained on an organization’s policies and procedures.

HIPAA 2020 Self-audits

HIPAA requires organizations working in healthcare to conduct six annual self-audits annually, and five to complete HIPAA compliance for business associates.  Self-audits are meant to analyze an organization’s privacy and security practices to ensure that they adhere to HIPAA 2020 standards.

  • Security Risk Assessment (SRA): analyzes an organization’s overall security to determine gaps, allowing remediation plans to be created to close gaps.
  • Security Standards Audit: requires organizations to have security policies in place in accordance with HIPAA standards.
  • HITECH Subtitle D Audit: ensures that documentation and procedures are in line with HIPAA breach notification requirements.
  • Asset and Device Audit: requires organizations to create a list of all of the devices that access electronic protected health information (ePHI). The device list should include who uses the device and what protections are in place securing the device.
  • Physical Site Audit: ensures that each of an organization’s physical locations is secure utilizing alarm systems, cameras, and keypad locks, for example.
  • Privacy Assessment (not required for BAs): assesses an organization’s privacy policies, ensuring that PHI use and disclosure is in line with HIPAA standards. 

Vetting Business Associates

Before it is permitted to share PHI with business associates (BAs), healthcare entities must vet the BAs security measures to ensure that PHI is adequately protected. Business associates have the same obligation to HIPAA 2020 as covered entities (CEs). In addition, CEs are responsible for doing their technical due diligence by ensuring that their BAs are HIPAA compliant before working with them. Organizations that fail to adequately vet their vendors are held liable if their BA experiences a healthcare data breach.

  • Vendor Questionnaire: similar to an SRA, it is required to send vendors a questionnaire that assesses the BAs security practices so that gaps in security may be identified. Before working with a BA, it is important to understand the risks associated with working with the vendor. It is suggested that healthcare entities require BAs to create remediation plans to address identified gaps before any PHI is shared with them.
  • Business Associate Agreement (BAA): a BAA is a legal document that must be sent to all business associates before it is permitted to share PHI. This agreement limits the liability for both parties as it states that each party agrees to be HIPAA compliant, and they are each responsible for their own compliance. Without a signed BAA, in the event of a healthcare data breach, both parties will be held liable. 

Incident Response

HIPAA requires organizations working in healthcare to report breaches should they occur. Breaches affecting more than 500 individuals must be reported within 60 days of discovery to the Department of Health and Human Services (HHS), affected individuals, and the media. Breaches affecting less than 500 individuals must be reported by the end of the calendar year to the HHS and affected individuals. 

A recent report conducted by IBM determined that, on average, it takes 279 days to detect a breach. According to IBM, organizations that are able to detect a breach in less than 200 days spend $1.2 million less. A tested incident response plan enables organizations to detect breaches quickly, limiting the scope of the breach while drastically reducing the costs associated with the breach.

Implementing an Effective HIPAA Compliance Program

When creating an effective HIPAA compliance program it is essential to incorporate HIPAA safeguards, self-audits, employee training, business associate management, and an incident response plan. Determining what is reasonably appropriate for your organization can be difficult. As such when developing a HIPAA compliance program it is recommended to consult an expert to ensure that you have covered the full extent of the regulation.