What is HIPAA compliance?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law for the United States of America. It was primarily established to:
- Improve portability and continuity of health insurance coverage. Portability means insurance coverage is maintained when an individual takes a job with a new employer
- Combat waste, fraud, and abuse in health insurance and health care delivery.This includes implementing the Privacy Rule, Security Rule, and BreachNotification Rule
- Promote the use of medical savings accounts by standardizing the amount that may be saved per person in a pre-tax savings account
- Improve access to long-term care services and coverage. This includes coverage of individuals with pre-existing conditions
- Clarify tax deductions for employers and other tax revenue items
SEE ALSO: How Much Does HIPAA Compliance Cost?
HIPAA has come to be associated with the HIPAA Privacy and SecurityRules. The HIPAA Act is composed of five parts (or titles). These align with the purposes for the law’s enactment in the previous list:
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse; AdministrativeSimplification; Medical Liability Reform
- Title III: Tax-Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue OffsetsYou might be more familiar with Title II of HIPAA, since this is where the privacy and security of patient data is described.
Data breaches in the healthcare sector are up. According to the Identity Theft Resource Center, as of December 5, 2018, health-related breaches in 2018 accounted for 29.3% of all compromises. In all, there were 363 healthcare data breaches in the US resulting in over 9 million records lost during this period.
If you work at a health organization, you’re familiar with the unique challenges faced when complying with HIPAA requirements, especially Security, Privacy, and Breach Notification Rules. Healthcare practices and networks are busy, vary in size and resources, and are frequent data breach targets.
On top of these challenges, employees at health organizations often wear many hats. Practice owners, receptionists, and sometimes even medical personnel are tasked with overseeing data security compliance. Configuring firewalls, securing Wi-Fi, protecting remote access, ensuring adequate encryption, running employee trainings, and providing HIPAA privacy notices to patients are just a few of the requirements you may be expected to manage.
SEE ALSO: Are Your Emails HIPAA Compliant?
2019 SecurityMetrics Guide to HIPAA Compliance
For these reasons, we created our 2019 Guide to HIPAA compliance to help you close gaps in security and compliance, ultimately helping you avoid a data breach.
Academy is a free, trusted resource that will help you understand and implement security measures to keep protected health information (PHI) safe.
This year’s guide has been updated to include:
- Clarification about HIPAA Security and Privacy Rules
- New HIPAA survey data from health organizations
- New insights and stories from HIPAA security analysts
- A reading chart to guide you based on your technical experience level
You’ll find detailed sections in our guide to help you with:
- Incident response plans
- PHI encryption
- Business associate agreements
- Mobile device security
- HIPAA-compliant emails
- Remote access
- Vulnerability scanning
- Penetration testing
New HIPAA compliance survey data
We’ve updated our HIPAA compliance survey data with healthcare responses form 2018. Some interesting trends emerged. According to responses we received, healthcare compliance with the security rule has gotten worse.
For example, in 2017, 19% of respondents said they never conduct a risk analysis. In 2018, that percentage was much higher, at 49%.
When it comes to encrypting stored electronic PHI (ePHI), in 2017, 20% of respondents reported that they do not encrypt stored ePHI. That percentage did not improve in 2018. In fact, the percentage of respondents who answered “yes” to whether they encrypted stored ePHI went down significantly.
The bring your own device (BYOD) trend is spreading to healthcare. In 2017, only 6% of healthcare respondents answered that employees are allowed to use their personal mobile devices to access patient data. That percentage jumped to 25% in 2018.
The adoption of a BYOD policy increases the chance that a personal device could compromise an entire health network. For example, if a doctor brings their phone home, connects to their personal Wi-Fi and downloads malware onto the device, whatever patient data or personal accounts are on that device could be compromised by hackers.
Day-to-day help for the bigger security picture
We intend our guide to be a “deskside” reference for the day-to-day and recurring demands of HIPAA compliance. It’s meant to strike a balance between generally informative and specifically practical. Those who use our guide report that it is, “...thorough and detailed-oriented. Very helpful.”
Another user found that our HIPAA Guide helped them explain HIPAA to the higher-ups, “I love how comprehensive this manual is. It really helped me to articulate to leadership the complexities of HIPPA as it relates to technological infrastructure.”
SecurityMetrics CEO Brad Caldwell says, “The number of cyber attacks on the healthcare sector continues to increase. We update and release our free HIPAA guide each year to help all sizes of organizations in the healthcare sector strengthen and adapt their cyber defense tactics to keep up with insidious hacker threats.”