HIPAA Compliance in 2019 – A Mix of Challenges and Opportunities for Healthcare Providers to Become and Remain Compliant

Healthcare organizations must take the right steps to avoid big fines and stay current of the latest technologies.

March 12, 2019Manhattan Tech Support

SecurityCloud ServicesIT Consulting & StrategyTech Support & Managed IT ServicesHealthcare

hipaa blog post head 0319

In recent years, The Department of Health and Human Services Office of Civil Rights Management (OCR), has aggressively increased efforts to make sure that healthcare providers are properly implementing the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH). Although the total number of penalties has plateaued from its 2016 peak, in the last two years the OCR has increased the size of HIPAA violation fines, which includes the headline-making penalty for Anthem Inc. of $16 million, the largest HIPAA fine ever.

With a renewed vigor for enforcing HIPAA compliance, and with data breaches on the rise in the healthcare industry, it’s essential that providers have a clear idea of what’s required of them, especially as new technologies continue to shape the healthcare landscape in 2019.

The Five Technical Requirements of HIPAA Compliance

There are five main dimensions in which the HIPAA standard protects digital information; these are referred to as the “technical safeguards.”

  1. Access Controls – These limit access to electronic personal health information (ePHI) to authorized personnel.
  2. Audit Controls – Organizations must use the right mix of hardware, software, and procedures so that all systems storing ePHI are monitored and data access is properly logged.
  3. Integrity control – This set of controls ensures that data is not being altered or destroyed by unauthorized personnel
  4. Transmission security – This set of controls is used to ensure that electronic personal health information (ePHI) is protected when in transit across a network.
  5. Authentication – Verifies the identity of individuals accessing sensitive information.

Although HIPAA has been around for over twenty years, many healthcare organizations still struggle to maintain strict control over their data. Why is that?

Part of the problem is the sheer volume of data that the healthcare industry produces. Not only is there EHR data to manage, but there may also be external data collection efforts to supervise, as well as supply chain or vendor data that must be processed securely. In other situations, there just isn’t the IT manpower to ensure that data is being protected throughout the entire network.

There are several areas that could be potential sources of trouble for healthcare organizations in 2019; let’s look at a few.

Securing Mobile Devices for HIPAA Compliance

Studies have shown that over four-out-of-five physicians, and three-out-of-four nurses, use their personal smartphone at work. To make sure that you receive all the benefits that mobile devices can provide, without putting ePHI at risk, healthcare providers must take vigorous steps to ensure that their HIPAA controls are securing mobile data as effectively as possible.

First, this means ensuring that best practices are being uniformly enforced. Don’t allow your employees to “jailbreak” devices and ensure that applications and operating systems are getting regular updates. Also, make sure that any mobile device connecting to your EHR is doing so through a virtual private network (VPN) or using multi-factor authentication. These first-line measures are mandatory and should be considered a foundation for further steps.

Next, make sure that your email and messaging applications are secure. While HIPAA doesn’t lay out explicit requirements for data encryption, it does say that encryption should be implemented if it will help ePHI. Because the decision to not encrypt data must be accompanied by a documented alternative, this effectively means that encryption is required for all data in transit over mobile networks.

When looking for solutions, remember there’s a big difference between those that are HIPAA capable and those are built HIPAA compliant. In order to make sure that data is encrypted while in transit, and stays encrypted while at rest, you will likely need to combine several solutions to ensure that all your emails and instant messages are sent securely. Developing this type of comprehensive solution is often best handled by an outside expert who has experience building and deploying HIPAA-compliant mobile solutions.

hipaa blog post body 0319

Finding Greater Confidence in the Cloud

Another focal point for HIPAA compliance experts in recent years has been cloud computing. While cloud adoption rates in the healthcare industry continue to soar, providers still face great ambiguity when making a commitment to cloud technology, or expanding their existing cloud services. This includes concerns like, how do I properly vet my cloud service providers (CSPs)? How do I ensure that cloud data is HIPAA compliant throughout its entire lifecycle?

Any CSP that stores ePHI for your patients is subject to the same HIPAA controls that you are. To determine the HIPAA compliance of a potential CSP, you should begin by analyzing the quality of their solutions and if they provide the required levels of security and uptime. In the event of downtime, do they have procedures in place to allow you to access data? You should consider all these elements of their compliance services before signing on with them. The next step in verifying a CSP involves a thorough risk analysis of their administrative and technical controls to ensure that the CIA triad of confidentiality, integrity, and availability will properly apply to all the data they’ll be storing or processing for you.

Here, as with mobile devices, encryption will play a significant role. The industry standard for at-rest data is AES 256-bit encryption. This should be employed on both local and cloud file systems. However, at-rest data is just one piece of the puzzle. To ensure that data is secured while in transit, healthcare providers need to implement secure sockets layer (SSL) encryption, so that data moving between web browsers and cloud services, or mobile devices and cloud services, is adequately protected.

The Benefit of Having NYC’s HIPAA Expert at Your Side

There’s nothing like having an expert at your side to help you deal with the many complexities involved in achieving strong HIPAA compliance. Manhattan Tech Support has been helping organizations in the healthcare industry build and maintain HIPAA compliance strategies for decades and can guide you through every step of the process. Have a question for our experts? Call us anytime at 212-299-7673.

SEE MORE

Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.

Exceed Digital – the custom software development and business intelligence solutions division of ManhattanTechSupport.com LLC

Related Articles

AI trends in IT management

calendar March 22, 2023

author Manhattan Tech Support

Artificial Intelligence Business Intelligence Cloud Services Cyber Insurance IT Consulting & Strategy Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Non-Profits Real Estate Startups

AI trends in IT management

AI is on everyone’s minds these days. ChatGPT3 and OpenAi have brought what’s possible to the mainstream in a way we haven’t seen outside of movies before. If you’ve spent any time following the trends online, there’s a lot of

Read More
Best Microsoft 365 features for 2023

calendar March 15, 2023

author Manhattan Tech Support

Business Intelligence Cloud Services IT Consulting & Strategy Software Development Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Non-Profits Real Estate Startups

Best Microsoft 365 features for 2023

Microsoft’s office suite (now called Microsoft 365) has come a long way from its early days as a word processor and spreadsheet platform. These days, Microsoft 365 is a powerhouse of productivity tools that handle everything from word processing to

Read More
Digital Trust – what is it and how does it affect your business

calendar March 8, 2023

author Manhattan Tech Support

Business Intelligence Cloud Services Cyber Insurance IT Consulting & Strategy Security Tech Support & Managed IT Services Telecommunications Construction Education Finance Healthcare Legal Non-Profits Real Estate Startups

Digital Trust – what is it and how does it affect your business

It seems we hear new stories about cybercrime every day. The stories range from huge ransomware attacks on hospitals to city infrastructure being compromised. It might seem like this isn’t something that you and your business need to worry about,

Read More