Could your organization have access to protected health information (PHI)? Some companies haven’t fully thought this through. Some assume they’re not responsible for PHI because they’re not directly in the healthcare industry, or not a covered entity like a doctor’s office or hospital. In fact, more organizations have access to healthcare data than many people realize, and depending on their role and their access to PHI, they may have legal obligations under the Health Insurance Portability and Accountability Act (HIPAA) too.
What types of businesses have PHI?
In addition to healthcare providers, health plans and clearinghouses, organizations that provide mental health, substance abuse, behavioral and/or disability services, adoption, foster care, care for senior citizens, and even schools that don’t receive applicable federal funds likely fall under HIPAA. Others that may be less obvious, because they perform services on behalf of covered entities, include consultants, third-party vendors, attorneys, accountants, actuarial organizations, billing or claims processors, transcriptionists, organizations providing administrative assistance and related services, technology vendors, data analytics and reporting vendors, and organizations providing management services, among others. Organizations in a supporting role like those mentioned are called business associates, and they can have legal obligations as well.
- The Office for Civil Rights (OCR) enforces HIPAA and has a list of examples of business associates and their requirements on the following website: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
To take it a step further, if you could be considered a business associate, think about your clients and the companies you do business with. How does the PHI you have access to move around (where is it created, received, maintained, transmitted and stored)? Who has access to it? Could you be sharing your client’s information with others? It is REALLY important that you identify where PHI is stored in your organization and who has access to it. At the end of the day, if you don’t know where your PHI is, how can you secure it?
If you have PHI, here’s what you need to know
The HIPAA Security Rule requires covered entities and business associates to conduct a Risk Analysis on a periodic basis. This begins with identifying all PHI and determining the vulnerabilities, threats and risk levels associated with that data. While it is a HIPAA requirement, it is also a standard practice and is represented in other compliance regulations such as the International Organization for Standardization’s Information Security Management System specification (ISO 27001), the European Union’s General Data Protection Regulation (GDPR) and the NY State Department of Financial Services Cybersecurity Requirements Regulation (NY DFS CRR). The guidance released by the US Department of Health and Human Services (HHS) on how to conduct a Risk Analysis is influenced by the National Institute of Standards and Technology (NIST) and includes best practices for organizations to follow. Taking a risk-based approach that focuses your security efforts on your most critical data will decrease the likelihood of unauthorized access to this information and minimize the impact on the organization.
- HHS Risk Analysis Guidance: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
These days most large covered entities are working to meet their ongoing compliance requirements (and if they’re not, they should be, to avoid the harsh penalties that follow willful neglect). Still, many small to mid-sized entities, business associates and their subcontractors are not quite up to speed. Some organizations find it difficult to figure out a sustainable approach to HIPAA compliance that fits their business. If you are not sure where to begin, assess your compliance requirements holistically, identify which is most stringent and conduct a gap analysis to figure out what you’re missing. When it comes to the HIPAA Security Rule, the Risk Analysis is one of the first things that should be completed, and it will provide a path for remediation through a prioritized Risk Management Plan. We find that this helps organizations focus their efforts on the activities that are most crucial and provides a helpful roadmap of activities for the year.
What if I have unsecured PHI?
Taking HIPAA compliance seriously is not only in your best interest, it’s something that shouldn’t be ignored. The OCR has been enforcing the HIPAA Security Rule since 2009, and organizations should be taking action. There are harsh civil and criminal penalties, including hefty monetary penalties, strict corrective action plans that must be carried out on an accelerated timeline, and even jail time, if a covered entity or business associate is found out of compliance, especially if the non-compliance resulted in a data breach. Beyond avoiding this situation, developing, implementing and maintaining a compliance program will result in a culture shift where security and compliance are at the forefront of protecting the confidentiality, integrity and availability of critical data, protecting your business in more ways than one.