Recent changes to the HIPAA Rules through the HIPAA Omnibus Final Rule may affect the way healthcare professionals do business. The changes, which became effective March 26, 2013, now apply the Security Rule not only to covered entities but also to business associates of covered entities and to subcontractors of those business associates. This means that any organization that handles electronic protected health information (EPHI) must have and follow a well-written information security policy, with established practices and guidelines, that protects this EPHI from falling into the wrong hands. Failure to comply with the HIPAA Rules could result in fines of up to $1.5 million for all violations of an identical provision in a calendar year.
With enough information security experience, an appropriate set of security controls, and an understanding of the HIPAA Security Rule, an organization could develop its own information security policy and assess its own current and desired states of compliance. Alternatively, it could reach out to its security and compliance hosting provider for compliance consultation, which should include:
- Extended consultation between the healthcare organization and the hosting provider to set expectations and obtain necessary information;
- Development of an information security policy with appropriate security controls targeted to the HIPAA Security Rule that takes into account the organization’s environment, available resources, and risks to electronic protected health information; and
- An assessment of the healthcare organization’s current state of compliance with the HIPAA Security Rule and recommendations from the HIPAA-compliant hosting provider about how to obtain the desired state of security and compliance.
Whether a healthcare organization writes its own policy or develops one through consultation, it must have a set of security controls in place to implement the HIPAA Security Rule standards and implementation specifications. The HIPAA Security Rule itself does not provide such security controls. Luckily, the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, specifies security controls that support HIPAA compliance. By selecting the applicable security controls from this publication, an organization can develop an information security policy that it can follow to help meet its HIPAA Security Rule obligations and avoid potentially costly fines.
About the Author: Terry G. Raitt holds the CISSP certification and is the Policy Enforcement Manager in the Risk Management Group of Layered Technologies. His 14 years of experience in the ISP and IT Services industry also includes roles as a network administrator, Linux/Unix system administrator, and technical support manager.