2020 SecurityMetrics HIPAA Guide
We create and publish our HIPAA Guide each year to give healthcare IT and HIPAA leaders an up-to-date resource to direct and focus their HIPAA compliance efforts to the areas that are quick and impactful, as well as to outline and provide guidance in areas that may take more time to understand and implement.
Data breaches involving protected health information (PHI) increase every year. It seems like we see a new hospital or healthcare network breach on the news every week. In fact, by the middle of 2019, PHI breaches at healthcare organizations had already doubled the total from 2018, according to the Protenus Breach Barometer.
PHI is extremely valuable to hackers, even more so than credit card data. PHI and associated personally identifiable information (PII) can be used to make false insurance claims, gain access to prescription drugs, or target patients with healthcare-related scams.
Because of PHI’s value, hackers are determined to steal it. Healthcare practices are busy and not always focused on security. These circumstances can contribute to devastating breaches with far-reaching consequences that sometimes include going out of business.
Medical practices are busy, and protecting PHI can seem difficult. But there are many security controls and policies that go a long way toward preventing a data breach.
What’s new in the 2020 HIPAA Guide?
- More auditor perspectives and stories
- Section on cloud security
- New graphs and diagrams
- Improved design focused on usability
- Improved "How to Read This Guide" section
- 2019 HIPAA survey data
- Updated with 2019 HIPAA information
Health Organizations Are Focused On Patient Care
What are some of the principal challenges health organizations face when it comes to data security and HIPAA compliance?
Hear from our Director of Assessments, Matt Halbleib (CISSP, CISA, QSA (P2PE), PA-QSA (P2PE)), and our Principal Security Analyst, George Mateaki (CISSP, CISA, CISM, QSA, PA-QSA), about why we created the 2020 HIPAA Guide and how we hope it will help organizations.
“Patient care organizations are focused on patient care. But they are starting to recognize that security is a huge part of patient care. As they focus on the patient care aspect, they run out of time. That’s why we created the guide.” - George Mateaki, Principal Security Analyst
2019 HIPAA Survey Data
Every year, our HIPAA research team conducts surveys of HIPAA leaders at healthcare organizations to find out where organizations could use support and education.
Our responses come from over 450 different healthcare professionals responsible for HIPAA compliance. These survey respondents mostly belong to organizations with fewer than 500 employees; however, the resulting data is important to organizations of all sizes, because almost all healthcare organizations share patient data with one another.
When PHI is shared between two organizations, they impact each other’s security, regardless of size.
We found that the majority of healthcare organizations did well in the areas of HIPAA leadership and documentation:
- 87% of organizations have a designated person responsible for HIPAA compliance (e.g., a Security or Privacy Officer).
- 74% of organizations review and update their HIPAA compliance documentation at least annually.
- 51% of respondents review their business associate agreement documentation at least annually.
We also found that in addition to HIPAA, the most common security mandate that organizations comply with is the Payment Card Industry Data Security Standard:
- 39% of respondents also comply with PCI DSS; 10% comply with GDPR; 5% comply with HITRUST requirements.
In the area of training, the majority of HIPAA survey respondents did well:
- 65% of respondents train employees annually; 7% train employees semi-annually; 8% never train employees; 2% don’t know how often they train employees.
- 75% of respondents provide HIPAA Privacy Rule training; 69% provide HIPAA Security Rule training; 67% provide HIPAA Breach Notification Rule training.
- 63% of respondents test employees on their HIPAA training.
2020 HIPAA Guide helps organizations of all sizes
We find that healthcare organizations particularly love the ease of use, structure, and accessibility of the 2020 SecurityMetrics Guide to HIPAA Compliance to assist with HIPAA training. See what some of the HIPAA Guide users have to say:
"Thank you for providing the guideline for our business. It is less stressful knowing that I have the correct guide to improve our services to our patients and to protect our business." - Nancy Wiseman, M.Ed., Ed.S., Vice President, Citrus Endodontics, P.A.
"This is the most comprehensive guide on HIPAA I have found." - Crystal Hertz, National Health Foundation
"The HIPAA Guide is one of the best helps/tools/references. It's well organized and easy to understand for our medical office staff and providers." - Hedy Haun, Sr. Process Analyst, Sharp HealthCare
"I loved SecurityMetrics. They have the best resources when it comes to PCI and HIPAA compliance and their customer service is unmatched." - Jennifer M. Connell, Owner, E2E Health Solutions, LLC
"SecurityMetrics Guide to HIPAA Compliance is really helpful, very informational and updated." - Jeffrey Delos Reyes, Flow Health Outsourcing Inc.