What Your CISO Needs to Know About HIPAA
Arm Your CISO with Key Information About HIPAA for Consistent and Confident Compliance
If you work in the healthcare field and recently hired a new Chief Information Security Officer (CISO) to lead your IT team, it is important to know how familiar he or she is with the Health Insurance Portability and Accountability Act (HIPAA).
Perhaps your CISO has years of experience in another industry or business sector, or they might have taken a brief hiatus from a healthcare-related IT position. Either way, a fairly extensive HIPAA discussion should be on the front burner to get your CISO up to speed to keep your data safe and to maintain consistent and thorough compliance.
Why Ask Your CISO to Brush Up on HIPAA Essentials?
Even the most seasoned CISOs, not only new hires, need occasional refresher sessions on the essential elements of HIPAA, since the law is complex and frequently updated. It serves your entire organization’s interests to make sure that your CISO has all the necessary information and tools at their disposal.
The most practical reason to keep your CISO briefed on the latest details of HIPAA is that fines for non-compliance can quickly spiral upwards to $250,000 or more. In September 2016, the Care New England Health System incurred a fine of $400,000 for non-compliance, specifically for failing to update a business associate agreement (BAA) originally signed in March 2015.
Who Needs to Be HIPAA Compliant, Anyway?
Designed to protect American workers and their families who need to provide vital and confidential information for healthcare purposes, HIPAA’s standards must and do apply to a broad range of industries and entities.
Forbes states that, if you or your organization “belongs to the category of ‘covered entities’ or ‘business associates,’ and you handle ‘protected health information (PHI),’ you and your business are required to be HIPAA compliant.”
Who Are the Covered Entities Your CISO Needs to Consider for HIPAA Compliance?
The covered entities that your CISO and IT team need to consider when it comes to HIPAA compliance include:
- U.S. Health Plans. U.S. health plans include HMOs, Medicaid, Medicare, and a company’s or government entity’s healthcare plan.
- Healthcare Providers. This extensive list includes physicians, dentists, surgeons, hospitals, clinics, optometrists, nursing homes, pharmacies, and similar individual and group healthcare providers.
- Healthcare Clearinghouses. Healthcare clearinghouses are organizations that collect and process data to deliver to another entity and include billing companies and community health management information systems.
- Business Associates. Also sometimes known as subcontractors and vendors, business associates have access to protected health information (PHI), which makes it essential for these entities to maintain proper HIPAA compliance. These vendors may include external auditors, billing agents, medical equipment companies, software providers, and cloud data storage and other SaaS providers.
What Is PHI?
Understanding the finer points of protected health information is particularly critical for business associates who do not usually work with healthcare companies. CISOs in these fields may find it helpful to know a few key points about what is classified as PHI:
- A patient’s billing information.
- Conversations between a patient and their caregiver about their condition and treatment.
- Any medical information contained in the healthcare provider’s or health insurance company’s database.
Make Sure Your CISO Understands the HIPAA Compliance Minimum Standards
The best thing your CISO and IT team can do to maintain HIPAA’s minimum compliance standards is to develop a checklist, divided into segments for each of the applicable rules. Keep in mind that although there is no hierarchy among the HIPAA regulatory standards, no portion is optional or voluntary.
Your company’s HIPAA compliance checklist might include the following points:
- The HIPAA Security Rule. The HIPAA Security Rule contains all the standards that your IT team needs to apply to safeguard your electronic protected health information (ePHI) when at rest in your system and when in transit to another party. This security rule includes technical safeguards, physical safeguards, and administrative safeguards.
- The HIPAA Privacy Rule. The HIPAA Privacy Rule determines how and when ePHI can be used and disclosed and is applicable to all covered entities.
- The HIPAA Breach Notification Rule. This rule requires any covered entity that experiences a data breach to notify patients of the breach. The Breach Notification Rule also requires the entity to notify the Department of Health and Human Services and issue a notice to the media when the breach affects more than 500 patients.
- The HIPAA Omnibus Rule. The HIPAA Omnibus Rule addresses previous omissions to updates to HIPAA. This rule provides clarification of procedures and policies and additional information that may help business associates and their subcontractors.
- The HIPAA Enforcement Rule. This rule governs the investigations that follow an ePHI breach and may affect the potential penalties that a covered entity may be required to pay.
CISOs Benefit from Searching for Shortcuts to HIPAA Compliance
Communication can go a long way toward ensuring HIPAA compliance. If you start working with a new vendor or other business associate, for instance, ask them whether they are already HIPAA compliant. While you will still need to verify their level of compliance, you can fast-track the new vendor partnership with confidence, knowing that they understand their need for solid and consistent HIPAA compliance.
Remember the Health Information Technology for Economic and Clinical Health (HITECH) Act
Since healthcare information is so commonly shared electronically, and increasingly via the cloud, the HITECH Act works in tandem with the HIPAA regulations. “The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.”
Together known as HIPAA-HITECH, these Acts serve to ensure that privacy safeguards are in place for data that is collected, stored, or transmitted.
Reach Out to a Professional Team That Understands HIPAA Inside and Out
As your CISO learns the ropes in your organization, our HIPAA team of experts at I.S. Partners, LLC can help. We can conduct an assessment of potential risks, provide third-party attestations, and much more. Call us at 215-675-1400 or send us a message to learn more about how we can work with your CISO to ensure solid HIPAA compliance.