When comparing HIPAA compliance service providers, there are four key factors to evaluate:
- Their approach to access control, which is critical for HIPAA Privacy Rule compliance
- Their capacity for risk assessment and management for the HIPAA Security Rule
- Their visibility and communications infrastructure for HIPAA Breach Notifications
- Their ability to help you meet all your regulatory compliance needs efficiently
Factor #1: Visibility and Access Control for Privacy
The most foundational part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the Privacy Rule. It defines HIPAA’s overall scope, beginning with what needs to be protected and who needs to protect it. Namely, protected health information (PHI) includes data on or containing patients’ health conditions, treatment, and payment records. Covered entities are organizations both within and adjacent to healthcare—and their business associates.
The prescriptive portions of the Privacy Rule require organizations to make PHI available to patients upon request. All other uses and disclosures should be prevented, except for:
- Disclosures to the individual identified in/on the PHI (or their representatives)
- Uses in the service of healthcare treatment, payment, or operations goals
- Uses or disclosures the subject had a chance to agree or object to
- Uses or disclosures incidental to other authorized ones
- Uses in the service of public interests or public benefit activities
- Uses of limited data sets in the service of medical or other research
Further, all of these Permitted Uses and Disclosures need to be limited to the minimum extent possible. The best HIPAA compliance service providers will help you install access and visibility infrastructure to control access to PHI while also making it available to patients when needed.
Factor #2: Risk Assessment and Mitigation for Security
Effective HIPAA compliance support also needs to account for the requirements of the Security Rule, which extends coverage to electronic PHI (ePHI) and establishes proactive risk mitigation.
The Security Rule requires implementing proactive risk assessment to identify and manage all threats to PHI. It also requires implementing three classes of safeguards to mitigate these risks:
- Administrative safeguards –
  - Security Management Processes
  - Security Personnel
  - Information Access Management
  - Workforce Training and Management
  - Evaluation
- Physical safeguards –
  - Facility Access and Control
  - Workstation and Device Security
- Technical safeguards –
  - Access Controls
  - Audit Controls
  - Integrity Controls
  - Transmission Security
Unlike many other regulatory frameworks, HIPAA is deliberately non-prescriptive. It offers little technical specification or guidance on how organizations must meet these requirements. This is by design: the Department of Health and Human Services (HHS) wants covered entities to have flexibility in how they protect PHI. But that ambiguity can also make the work of protecting PHI hard to navigate without adequate support.
When comparing HIPAA advisors, consider your existing infrastructure and how much guidance you’ll need to craft and implement controls to address the HIPAA Security Rule requirements.
Factor #3: Communications Support for Breach Notification
The other prescriptive rule in HIPAA is the Breach Notification Rule, which requires covered entities to provide three distinct kinds of notice when a breach occurs (see below). The rule also defines a data breach as any instance in which identifiable PHI is leaked—or Privacy or Security Rule protections have been broken to such an extent that a breach could have occurred.
If a breach happens, the three kinds of notice that covered entities are responsible for are:
- Individual Notice – Information about the breach must be provided to all individuals impacted by it within 60 days of discovery. If contact information for at least 10 people is not available, this information must be posted to the covered entity’s homepage for at least 90 days, along with a toll-free number individuals can call for further guidance.
- Secretary Notice – All breaches must be reported to the Secretary of the HHS. If the breach impacts 500 or more individuals, it must be reported within 60 days of discovery, but breaches impacting fewer than 500 individuals may be reported to the HHS annually.
- Media Notice – Breaches that impact 500 or more individuals within a given state or other jurisdiction also need to be reported to local media outlets servicing the location.
Organizations seeking HIPAA compliance support should not overlook this oft-forgotten part of HIPAA. It can be easy to assume that sound security will prevent all breaches from happening, but even the best-defended systems can experience attacks or leaks. You need to be ready to identify and stop a breach when it happens—and report on it according to HIPAA’s guidelines.
Seek out a partner who will help you with the required communications infrastructure.
Factor #4: Coverage for All Your Other Compliance Needs
Finally, you should consider a compliance advisor who can help you meet other needs beyond HIPAA compliance comprehensively and efficiently. Many organizations subject to HIPAA are also subject to regulations in other industries or local data privacy laws, with requirements that overlap with HIPAA. Meeting all their needs while minimizing control overlap and redundancy is a challenge. But it’s one that the ideal HIPAA advisor can help solve—ideally through HITRUST.
The HITRUST CSF is a comprehensive cybersecurity framework designed to streamline your controls for HIPAA and several other regulations and standards into one implementation. Covered frameworks include PCI DSS, NIST, GDPR, and many more. A single HITRUST assessment can support compliance across all of these regulations, maximizing cyberdefense while minimizing spend.
For this reason, you should consider a HITRUST-certified CSF practitioner for HIPAA support.
Find the HIPAA Compliance Support You Need
If your organization is currently working within or adjacent to healthcare, or considering expanding into the field, you’ll need to dedicate resources to maintaining HIPAA compliance.
The best and most efficient way to protect PHI and avoid costly HIPAA enforcement actions is to work with a quality HIPAA advisor. The ideal consulting partner will help you establish visibility and access controls, risk assessment and management infrastructure, and communication channels for HIPAA’s prescriptive rules. And they’ll streamline compliance across other regulations, too.
At RSI Security, we’re committed to helping organizations meet all their compliance needs efficiently. We know that the right way is the only way to keep sensitive data secure, and we’ll help you enjoy greater freedom and flexibility through disciplined security implementation.
To learn more about our HIPAA consulting services, contact RSI Security today!