Companies both directly in and indirectly connected to healthcare have to navigate compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One component of successful, seamless compliance is conducting HIPAA self-assessments. Regular audits, purely independent or with professional help, can both stave off the exorbitant costs of non-compliance and optimize your broader cyberdefense capabilities.
HIPAA Self-Assessment: Optimizing Compliance and Security
Unlike certain other cybersecurity regulations, HIPAA does not require formal certification. Instead, a HIPAA audit by the US Department of Health and Human Services (HHS) typically coincides with an investigation of non-compliance. However, one of the HIPAA rules does require regular risk assessments, and broader self-auditing practices will help ensure long-term compliance.
There are three major components to a company-wide HIPAA compliance self-assessment:
- Compliance with the Privacy Rule and its permitted uses and disclosures of PHI
- Compliance with the Security Rule’s risk analysis and safeguard requirements
- Readiness for Breach Notification Rule compliance if a data breach does occur
In the sections below, we’ll detail the most critical requirements of each rule, along with how they (and other considerations) should inform your self-assessments for HIPAA compliance.
How to Self-Assess for Compliance with the Privacy Rule
The first and most fundamental target for HIPAA self-assessment is baseline compliance with the Privacy Rule. It defines the types of information HIPAA regards as sensitive: primarily, personal or personally identifiable information deemed “protected health information” (PHI). It also defines the specific parties to which all HIPAA rules apply: covered entities, including healthcare providers, health plan administrators, and clearinghouses, along with their business associates.
The primary prescriptive function of the Privacy Rule is establishing conditions under which PHI can (or must) be used or disclosed. Namely, PHI may only be used or disclosed in the specific circumstances described below or in select ways the subject of the PHI has authorized in writing.
For these reasons, the best way to self-assess compliance with the Privacy Rule is to inventory all data to determine what is (or might be) PHI. Then, scan for any evidence of misuse, or for any vulnerabilities that could lead to misuse and, in turn, to a Privacy Rule violation.
Privacy Rule Permitted and Required Uses and Disclosures
According to HHS’s Privacy Rule summary, there are two scenarios in which disclosure of PHI is required: to its subject and to the HHS as part of an investigation when either requests it. Beyond these use cases, there are six categories of permitted uses and disclosures of PHI, which break down as follows:
- To the subject of the PHI – Covered entities may disclose PHI to its subject or to a designated direct representative of the subject, such as a spouse or nuclear relative.
- For select operational goals – Covered entities may disclose PHI to or amongst other covered entities, or to other select parties, for certain healthcare-related operations:
  - Treatment, including direct provision, coordination, or management of services
  - Payment, including all collecting, furnishing, and management of payments
  - Healthcare operations, including general administrative and managerial tasks
- With opportunities to object – Covered entities may disclose PHI if its subject provides informal consent or if they are incapacitated (if the use is deemed in their best interest).
- If incidental to authorized use – Covered entities will not be penalized for individual disclosures of PHI that are incidental to other, authorized uses or disclosures thereof.
- For public interest or benefit – Covered entities may disclose PHI for these causes:
  - If a use or disclosure is required by local or federal law or by court order
  - If a use or disclosure is undertaken as part of broader public health activities
  - If a use or disclosure helps or is deemed in the best interests of abuse victims
  - If a use or disclosure is to or involves a health oversight agency or authority
  - If a use or disclosure is related to select judicial or administrative proceedings
  - If a use or disclosure is to law enforcement or for law enforcement purposes
  - If a use or disclosure is about or concerns arrangements for a deceased person
  - If a use or disclosure is of or relates to donations of organs, eyes, or tissues
  - If a use or disclosure is for or related to research for generalized knowledge
- Of a limited set, safeguarded – Covered entities may disclose PHI in limited data sets if personal details are removed and the recipient agrees to uphold specific safeguards.
All the permitted uses listed above—except for most instances of the first—must also be limited to the least amount possible, per the Minimum Necessary Requirement. There are other components to the Rule as well, such as requirements for notifying PHI subjects regarding their data’s use or storage and its privacy. But the most critical assessment factors are the restrictions and control over PHI access.
How to Self-Assess for Compliance with the Security Rule
The Security Rule exists to extend Privacy Rule protections out across all electronic PHI (ePHI), or PHI that exists either primarily or exclusively in electronic forms. In particular, it guarantees confidentiality, integrity, and availability of ePHI. Confidentiality refers to the Privacy protections above; integrity refers to an absence of inappropriate changes or deletions; availability refers to authorized users’ swift and easy access to ePHI in acceptable use cases (per the Privacy Rule).
The Security Rule governs specific safeguards to identify and protect against any unauthorized access, along with reasonably anticipated threats to security or integrity. These components should inform the basis of any self-assessment focused on Security Rule compliance. First, companies need to engage in regular risk assessments to fulfill a Security Rule Requirement. Then, they should also audit their internal infrastructure for the required safeguards.
Security Rule protections do not apply to non-electronic PHI proper. Still, the required protections are likely to impact all information (PHI and ePHI), so all systems and storage should be tested.
Security Rule Risk Analysis Requirements and Available Toolkits
The Security Rule specifically requires a risk assessment, but it does not specify a required format or HIPAA self-assessment questionnaire to document or report findings. Instead, the HHS provides detailed guidance on risk analysis and various resources companies can use, but are not required to use, for compliance. These resources should inform your self-assessment.
The analytical method HHS recommends is based upon the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Guide for Conducting Risk Assessments. It specifies procedures for identifying internal vulnerabilities, external threats, and the relationships between them. These relationships determine risk factors of likelihood and potential impact, which in turn determine Risk Levels. The suggested scope involves measuring these factors, reporting on them, and regularly reviewing and updating security to mitigate identified risks.
The HHS’s guidance also points covered entities toward the NIST’s Security Content Automation Protocol (SCAP) and a Security Risk Assessment (SRA) Tool jointly maintained by the HHS and the Office of the National Coordinator for Health Information Technology (ONC) at HealthIT.gov.
Security Rule Administrative, Physical, and Technical Safeguards
The other primary set of requirements within the Security Rule is more formally prescriptive; these are relatively straightforward to assess, similar to the Privacy Rule requirements above.
Per the HHS Security Rule summary, companies must install the following security safeguards:
- Administrative Safeguards – Policies governing programmatic security management:
  - Security management processes, informed by risk assessments and mitigation
  - Designated security personnel with defined roles, responsibilities, and resources
  - Information access management, pertaining to Privacy Rule permitted use cases
  - Cybersecurity training management, covering all behavior involving PHI security
  - Regular security program assessment, pertaining to Security Rule requirements
- Physical Safeguards – Physical barriers to restrict and control proximal access to PHI:
  - Restricted access to facilities, allowing access only for authorized individuals
  - Secure workstations and devices, including all transport and disposal thereof
- Technical Safeguards – Technological solutions for risk visibility and management:
  - Control over access, through policies and software guarding access to ePHI
  - Control over audits, including regular auditing and safe storage of audit logs
  - Control over integrity, including visibility dashboards and integrity monitoring
  - Control over transmissions, governing all network traffic of or related to ePHI
Covered entities should assess all existing cybersecurity infrastructure to ensure that installed controls meet—or, ideally, exceed—these basic thresholds.
Note that the Security Rule specifies that most local or state laws that render these requirements impossible to follow are generally preempted by HIPAA, since the federal regulation takes priority in almost all applicable cases.
How to Self-Assess Preemptive Breach Notification Readiness
The last prescriptive rule within the HIPAA framework is the Breach Notification Rule. Unlike the prior two, it does not require specific security architecture to be in place, nor does it prohibit any specific uses or behaviors regarding data storage and access. However, it does require specific actions to be taken if a data breach occurs—see below for required notifications.
The Breach Notification Rule defines a data breach as any case in which PHI or ePHI has been used or disclosed in a way that the Privacy Rule disallows or otherwise infringes on a Security Rule Requirement (confidentiality, integrity, availability).
Exceptions include instances where the probability of the disclosed data being compromised is proven to be low. Also, if PHI or ePHI is disclosed between parties who are authorized to view it or if the recipient cannot retain or use the information to compromise any party involved (e.g., encrypted data), the use or disclosure may not be a breach.
Self-assessments for this rule focus on visibility and communications infrastructure to identify a breach as soon as it occurs and send all required notifications within the specified timelines.
Required Individual, Secretary, and Media Notification of Breaches
If a data breach does occur, and PHI or ePHI has been compromised (i.e., Privacy or Security Rule requirements have been broken), a covered entity must notify two specific parties:
- Individual Notice – All parties impacted by a data breach must be notified in writing, as soon as is possible for the covered entity and no later than 60 days after the data breach discovery. The notice can come via email if the impacted party has consented to receive notice electronically.
  - If the covered entity lacks contact information for ten or more people impacted by the breach, it may notify print or broadcast media or post notification to the homepage of its website for a period of at least 90 days to ensure full communication.
- Secretary Notice – The Secretary of the HHS must also receive notice of all identified data breaches, irrespective of their size or impact.
  - If the breach impacts fewer than 500 people, the notice can be submitted on an annual basis, no later than 60 days after the calendar year within which the breach was discovered.
  - If the breach impacts 500 or more people, notice must be provided within the same timeframe as individual notice.
Additionally, if the data breach in question has impacted more than 500 residents within a State or other jurisdiction, the covered entity must provide notice to a third party:
- Media Notice – At least one media outlet covering the specific jurisdiction or area in which the large-scale breach occurred must be provided notice along the same timeline as individual notice. This media notice may take the form of a press release but must include all the same information required for individual notice to all the impacted parties.
Note that these requirements do not pertain only to covered entities proper. For example, if the breach happens because of or under the supervision of a business associate, they must notify the covered entity as soon as possible, no later than 60 days after the breach’s discovery. So, assessing readiness includes scanning infrastructure across all relevant third parties.
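As an added example (not from HHS or the original article), the notification timelines above can be turned into a deadline check for an incident-response runbook. The `Breach` record, the function names and the sample incidents are constructed for illustration; the thresholds and the 60-day window are the ones stated in this article.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

WINDOW = timedelta(days=60)  # outer limit quoted in the article


@dataclass
class Breach:
    """Constructed record shape for this example, not an HHS format."""
    discovered: date
    affected_total: int
    affected_by_state: dict = field(default_factory=dict)  # jurisdiction -> residents
    at_business_associate: bool = False


def notification_deadlines(b: Breach) -> dict:
    """Map each required notice to its latest permissible date."""
    due = b.discovered + WINDOW
    if b.at_business_associate:
        # Business associate's view: it reports to the covered entity.
        return {"covered_entity": due}
    plan = {"individual": due}
    if b.affected_total >= 500:
        plan["secretary"] = due  # same timeframe as individual notice
    else:
        # Annual submission: 60 days after the end of the discovery year.
        plan["secretary"] = date(b.discovered.year, 12, 31) + WINDOW
    for state, residents in b.affected_by_state.items():
        if residents > 500:  # "more than 500 residents" triggers media notice
            plan[f"media:{state}"] = due
    return plan


def overdue(b: Breach, sent: set, today: date) -> list:
    """Notices not yet sent whose deadline has passed (a readiness gap)."""
    return sorted(name for name, due in notification_deadlines(b).items()
                  if name not in sent and today > due)


# Constructed sample incidents.
SMALL = Breach(date(2024, 3, 15), 120, {"TX": 120})
LARGE = Breach(date(2024, 3, 15), 1300, {"TX": 800, "OK": 500})

if __name__ == "__main__":
    for label, incident in (("small", SMALL), ("large", LARGE)):
        print(label, notification_deadlines(incident))
    print("overdue:", overdue(LARGE, {"individual"}, date(2024, 6, 1)))
```

The dates returned are outer limits only; individual notice is still due as soon as possible after discovery.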
Professional HIPAA Assessment and Compliance Advisory
Covered entities and business associates who need to comply with HIPAA should regularly self-assess their compliance with the three prescriptive rules, as detailed above. However, the best way to ensure long-term compliance is to work with a HIPAA compliance advisory partner, like RSI Security.