During the recent Safeguarding Health Information: Building Assurance through HIPAA Security conference, the Department of Health and Human Services (HHS) revealed several cybersecurity best practices for HIPAA-covered entities. Adopting these practices will help them minimize data breaches and avoid compliance issues.
HHS best practices
Review vendor and contractor relationships
According to Emily Crabbe, the HHS’ Office for Civil Rights (OCR) Senior Advisor for HIPAA Compliance & Enforcement, covered entities (like healthcare organizations, health plans, and healthcare clearinghouses) must "Review all vendor and contractor relationships to ensure [business associate agreements (BAAs)] are in place as appropriate and address breach/security incident obligations."
A BAA is a legal document that outlines each party’s responsibilities in safeguarding individuals’ protected health information (PHI). Additionally, a BAA must include the steps the vendor will take during a data breach.
Risk analysis and management
Healthcare organizations must do regular risk analyses to improve their cybersecurity. Specifically, Crabbe states, "Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned."
Moreover, risk analysis can help organizations identify and address potential vulnerabilities before they result in security incidents.
Timely PHI disposal
“Dispose of PHI on media and paper that has been identified for disposal in a timely manner,” Crabbe advises. So, healthcare organizations must securely dispose of PHI to maintain patient privacy and mitigate the risk of unauthorized access or exposure.
Learn from past incidents
Every security incident offers valuable insights, so covered entities must "Incorporate lessons learned from incidents into [their] overall security management process." These insights can help organizations identify weaknesses and implement better controls to prevent future breaches.
Take the Change Healthcare breach as an example, which led to increased scrutiny from the OCR, particularly regarding HIPAA breach notification procedures and the protection of PHI. Analyzing such incidents and understanding their impact can help organizations improve their security and uphold regulatory compliance.
Training and workforce education
Healthcare organizations must "Provide training specific to organization and job responsibilities and on regular basis; [and] reinforce workforce members’ critical role in protecting privacy and security.”
Regular training helps employees understand their responsibilities in securing PHI. Moreover, reinforcing these principles creates a culture of security where staff can recognize security threats, like phishing attacks, and respond appropriately to ultimately protect PHI.
FAQs
What is HIPAA compliance?
HIPAA compliance refers to adhering to regulations outlined in the Health Insurance Portability and Accountability Act to safeguard patients’ protected health information (PHI).
Furthermore, HIPAA compliance is required for covered entities, like healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.
What types of information are protected under HIPAA?
HIPAA protects all individually identifiable health information held or transmitted by covered entities or their business associates.
How does HIPAA protect electronic health information?
HIPAA requires covered entities to safeguard patients' protected health information (PHI) from unauthorized access or disclosure, ultimately securing electronic health data.
Related: HIPAA Compliant Email: The Definitive Guide
