How to comply with HIPAA Administrative and Physical Safeguards and Breach Notification Rule
In the previous articles of this series, we talked about why almost everyone in healthcare has to be HIPAA-compliant (startups included), how your developers can apply the Security Rule to make apps and wearables compliant, and how to create an efficient training program.
Now, let's talk about the things that help you build HIPAA-compliant business processes aimed at keeping PHI both safe and accessible.
How to comply with HIPAA Security Rule Administrative Safeguards
As we have already discussed, the Technical Safeguards of the Security Rule cover how you protect PHI with your software. The Administrative Safeguards cover the policies, procedures and risk-management framework of the organization itself. Each standard breaks down into implementation specifications that are either required or addressable: an addressable specification must be implemented if it is reasonable and appropriate for your organization, and otherwise you must document why not and what equivalent measure you use instead. Violations that stem from missing administrative safeguards are the most common kind, on the provider and the vendor side alike, because they come down to people and process rather than code. Let's look at each Administrative Safeguard in turn.
Establish a security management process
Security management process is a required standard. Its four implementation specifications, all of them required, oblige you to run risk analysis and risk management across the company, apply a sanction policy to workforce members who violate your security policies, and perform regular information system activity review (audit logs, access reports and security incident tracking reports).
As HIPAA protects patients' health information, building a risk analysis and management process around it means you will need to:
- Understand and define the context of risk management. HIPAA protects PHI, so protection of PHI is your context. Identify what PHI your organization interacts with and every channel or store involved: storage if you keep PHI, networks if you transmit it, every piece of software that reads or analyzes it, and so on.
- Identify and assess risks. List the potential threats, the security measures you already have in place, and the gaps or vulnerabilities that, if exploited, would expose PHI. Then estimate the likelihood of each threat: which are rare, and which you should expect. Finally, estimate the impact, that is, the loss in value you would suffer if a given threat occurs and causes a given effect.
- Establish threat response procedures. Assign measures that let you control, contain and minimize the impact when a threat materializes.
- Establish recovery procedures. Recovery measures include re-evaluating the value impact mentioned above, contingency plans, and so on.
- Document processes. First, because security management is required. Second, because the documentation feeds your employee training, which is also required (and must also be documented).
- Monitor and re-evaluate the established risk-management process regularly: after changes to systems or the business and after incidents, not only on a calendar.
Now, a bit more detail: according to HHS, the most common types of impact your security management framework should cover are:
- unauthorized access to or disclosure of PHI;
- loss or corruption of PHI, permanent or temporary;
- financial loss;
- loss of physical assets.
To measure the impact of those incidents on your business, you can either place each potential impact on a qualitative scale from low to high, or you can attach a monetary loss to each threat. The second method is harder because it has to convert even reputational damage into a dollar amount.
A combination of the two, though, gives you the most cost-effective security strategy: rank risks on the qualitative scale so that nothing unpriced drops off the register, and use the dollar figures to decide whether a given control is worth its cost. You must also have a sanction policy that defines how workforce members are disciplined when they violate your security policies or disclose PHI, and a process for information system activity review: your systems must log what happens in them, and someone must actually read the audit logs, access reports and incident reports on a regular schedule.
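The risk analysis steps above can be kept as a small risk register. The following is an added example written for this article, not code from the original piece; the assets, threats, likelihood scale, impact levels and dollar figures are constructed for illustration. It shows the two approaches side by side: a qualitative likelihood-times-impact score for ranking, and an annualized loss figure for deciding whether a control pays for itself.

```python
"""Risk register: score each threat to PHI, rank the register, and check
whether a control is worth its cost. Constructed example data throughout."""
from dataclasses import dataclass
from typing import Optional

# Assumed scales: likelihood 1 (rare) .. 5 (expected this year); impact low/medium/high.
IMPACT_SCORE = {"low": 1, "medium": 3, "high": 5}


@dataclass
class Risk:
    asset: str                       # where PHI is stored, processed or transmitted
    threat: str
    existing_controls: tuple         # safeguards already in place
    likelihood: int                  # 1..5 on the assumed scale
    impact: str                      # "low", "medium" or "high"
    events_per_year: Optional[float] = None  # estimated frequency, if known
    loss_per_event: Optional[float] = None   # USD per occurrence, if it can be priced

    def qualitative_score(self) -> int:
        """Likelihood x impact on the ordinal scales; ranges 1..25."""
        if not 1 <= self.likelihood <= 5:
            raise ValueError("likelihood must be between 1 and 5")
        return self.likelihood * IMPACT_SCORE[self.impact]

    def annualized_loss(self) -> Optional[float]:
        """Quantitative view: frequency x loss per event (ALE), or None when
        the loss cannot be priced (reputational damage, for instance)."""
        if self.events_per_year is None or self.loss_per_event is None:
            return None
        return self.events_per_year * self.loss_per_event


def rank_risks(risks):
    """Combine both approaches: order by the qualitative score so that unpriced
    risks are never dropped, and break ties with the dollar figure."""
    return sorted(risks,
                  key=lambda r: (r.qualitative_score(), r.annualized_loss() or 0.0),
                  reverse=True)


def control_net_benefit(risk, annual_control_cost,
                        residual_events_per_year=None, residual_loss_per_event=None):
    """Annual loss avoided by a control minus what the control costs per year.
    A control may cut frequency (e.g. MFA) or loss per event (e.g. disk
    encryption); leave the unchanged parameter as None. Positive means buy it."""
    before = risk.annualized_loss()
    if before is None:
        raise ValueError("cost-benefit comparison needs a priced risk")
    rate = risk.events_per_year if residual_events_per_year is None else residual_events_per_year
    loss = risk.loss_per_event if residual_loss_per_event is None else residual_loss_per_event
    return before - rate * loss - annual_control_cost


# Constructed register touching the four HHS impact categories.
REGISTER = [
    Risk("ePHI database", "ransomware via phished workstation", ("EDR", "offline backups"),
         likelihood=4, impact="high", events_per_year=0.2, loss_per_event=400_000),
    Risk("clinician laptops", "unencrypted laptop lost or stolen", ("asset inventory",),
         likelihood=3, impact="high", events_per_year=1.0, loss_per_event=50_000),
    Risk("patient portal", "credential stuffing against weak passwords", ("rate limiting",),
         likelihood=3, impact="medium"),   # reputational loss: deliberately not priced
    Risk("on-site server room", "regional flood", ("off-site backups",),
         likelihood=1, impact="high", events_per_year=0.01, loss_per_event=250_000),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.qualitative_score():>2}  {r.annualized_loss() or 'n/a':>10}  {r.threat}")
    laptops = REGISTER[1]
    # Full-disk encryption: the laptop is still lost, but an encrypted device
    # costs only the hardware, so the loss per event drops sharply.
    print("FDE net benefit per year:",
          control_net_benefit(laptops, 8_000, residual_loss_per_event=2_000))
```

The ranking puts the unpriced portal risk above the priced flood risk because its qualitative score is higher; pricing only the risks you can price and then sorting by dollars would have pushed it to the bottom. The cost-benefit call uses the quantitative side where it exists: here the assumed annual cost of disk encryption is well below the loss it avoids.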
Hire (or assign) a Security Official
The next requirement of the Administrative Safeguards is to hire (or assign) a security official who is responsible for developing and implementing the security policies and procedures you have come up with.
In practice HIPAA requires both a Security Official (Security Rule) and a Privacy Official (Privacy Rule). They can be the same person, often titled Compliance Officer, depending on the size of your organization and the scope of each role. Generally, the Privacy Official is responsible for compliance with the Privacy Rule at the corporate level: privacy policies for the workforce, training programs, documentation, handling complaints, and so on. The Security Official owns the technical, administrative and physical safeguards: risk analysis and management, contingency plans, incident response, and so on.
Establish PHI management and security process
The next Administrative Safeguards cover employees' and other entities' access to the parts of your systems that interact with protected health information.
Workforce security. The system that contains PHI must have mechanisms to authorize employees, supervise their activity, and terminate their access when they leave or change roles. A bit of a Big Brother vibe here. At the same time, the authorization process has to be smooth, so that your employees, or the physicians on the provider side who use your system, reach the information quickly without degrading the quality of care. A common failure here is an account that stays active after the person has left; termination must be a defined procedure, not an afterthought.
Information Access Management. If you, for instance, run clinical trials for a pharmaceutical company, or your investors are keen on user engagement metrics from your app, you have to ensure they cannot access PHI: give each party only the minimum necessary data for its role.
The same applies to a healthcare clearinghouse your software connects to, that is, third-party software that processes providers' claims, converts them into standard transactions, and sends them on to, for instance, insurers. If the clearinghouse is part of a larger organization, such as an insurance company with many branches and functions, the clearinghouse must protect the PHI it handles from the rest of that organization. Isolating clearinghouse functions is the one required specification of this standard.
The same applies to subcontractors and software vendors you hire to help with your system: their access is limited to what their work requires and governed by a written agreement (see business associates below).
Additionally, as part of the access establishment and modification specification, you need a defined, smooth onboarding process for granting and adjusting PHI access whenever a new piece of software, workstation, process or person is connected.
Ensure security awareness, training, and incident management
Employee training is one of the required HIPAA elements, and it is one of the Administrative Safeguards. We wrote an article on how to build effective employee training; the one thing left to note here is that you also need to teach your employees how to deal with malware protection and how to report security incidents, for example an antivirus alert or a run of unsuccessful log-in attempts. The latter should be monitored as part of your security management strategy (log-in monitoring is an addressable specification of this standard).
A good practice, and another addressable Administrative Safeguard, is issuing periodic security reminders that convey important aspects of the regulations and the best practices your employees should know, as well as regulatory updates, new software installations and so on. You may also use such notifications as part of hands-on training; the only recommendations are to use clear language and to be mindful of disruption.
The last Administrative Safeguard in this group, which is also part of your risk-management strategy, is to establish processes and policies for responding to and reporting security incidents (a required specification). Among other things, these policies should include checklists of what employees have to do when, for example, PHI is stolen, a storage device holding PHI turns out to be corrupted, there is a break-in, an access report shows activity from an account that should have been terminated, someone posts part of a patient record on Facebook, and so on. Some of those are common, some rare, but in every case your employees must know how to:
- preserve evidence of the incident untouched;
- minimize the risk of the incident spreading;
- figure out the cause of the incident;
- document the incident and its outcome;
- evaluate the incident within the risk-management framework.
Such a rich list of obligations for your employees is one more reason to run an effective, continuous training program.
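Information system activity review, log-in monitoring and the incident triggers listed above (access from an account that should have been terminated, a party that should not see PHI reading records) all come down to reading the audit log with a policy in hand. The following is an added example written for this article, not code from the original piece: the log line format, the workforce roster, the role table and the failed-login threshold are assumptions, and the log lines are constructed. It flags successful activity from a terminated account, actions outside a role's minimum necessary set, bursts of failed log-ins, and accounts that are not on the roster at all.

```python
"""Information System Activity Review over constructed audit-log lines.
Log format, roster, roles and thresholds are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO timestamp> user=<id> action=<verb> result=<OK|FAIL> [patient=<id>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+result=(?P<result>\S+)"
    r"(?:\s+patient=(?P<patient>\S+))?\s*$")

# Assumed workforce roster: role plus termination timestamp (None = still active).
ROSTER = {
    "jdoe": {"role": "physician", "terminated": None},
    "rsmith": {"role": "physician", "terminated": datetime(2024, 3, 1, tzinfo=timezone.utc)},
    "sponsor1": {"role": "trial_sponsor", "terminated": None},
}

# Minimum necessary: the actions each role may perform. A trial sponsor sees
# aggregate statistics only, never an individual record.
ROLE_ACTIONS = {
    "physician": {"LOGIN", "VIEW_RECORD", "UPDATE_RECORD"},
    "trial_sponsor": {"LOGIN", "VIEW_AGGREGATE_STATS"},
}


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def review(lines, roster=ROSTER, role_actions=ROLE_ACTIONS,
           fail_threshold=5, window=timedelta(minutes=10)):
    """Return findings as (kind, user, detail) tuples, in log order."""
    findings = []
    fails = defaultdict(deque)   # user -> timestamps of recent failed log-ins
    burst_flagged = set()        # report each burst once, not on every extra failure
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparseable", "-", line))
            continue
        user, ts, action, ok = ev["user"], ev["ts"], ev["action"], ev["result"] == "OK"
        person = roster.get(user)
        if person is None:
            findings.append(("unknown_account", user, action))
            continue
        # A failed log-in from a former employee is the control working; a
        # successful action after the termination date means it was not disabled.
        if ok and person["terminated"] is not None and ts >= person["terminated"]:
            findings.append(("terminated_account_access", user, f"{action} at {ts.isoformat()}"))
        if ok and action not in role_actions[person["role"]]:
            findings.append(("unauthorized_action", user,
                             f"{action} patient={ev.get('patient') or '-'}"))
        if action == "LOGIN" and not ok:
            q = fails[user]
            q.append(ts)
            while q and ts - q[0] > window:   # sliding window of failures
                q.popleft()
            if len(q) >= fail_threshold and user not in burst_flagged:
                burst_flagged.add(user)
                findings.append(("failed_login_burst", user, f"{len(q)} failures within {window}"))
    return findings


# Constructed sample log: a normal physician, a terminated physician whose
# account is still live, a sponsor reading a record, a password-guessing run,
# and an account nobody knows about.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z user=jdoe action=LOGIN result=OK
2024-03-04T09:00:07Z user=jdoe action=VIEW_RECORD result=OK patient=P1001
2024-03-04T09:01:00Z user=rsmith action=LOGIN result=OK
2024-03-04T09:01:05Z user=rsmith action=VIEW_RECORD result=OK patient=P1002
2024-03-04T09:02:00Z user=sponsor1 action=LOGIN result=OK
2024-03-04T09:02:10Z user=sponsor1 action=VIEW_RECORD result=OK patient=P1001
2024-03-04T09:03:00Z user=jdoe action=LOGIN result=FAIL
2024-03-04T09:03:05Z user=jdoe action=LOGIN result=FAIL
2024-03-04T09:03:10Z user=jdoe action=LOGIN result=FAIL
2024-03-04T09:03:15Z user=jdoe action=LOGIN result=FAIL
2024-03-04T09:03:20Z user=jdoe action=LOGIN result=FAIL
2024-03-04T09:03:25Z user=jdoe action=LOGIN result=FAIL
2024-03-04T09:05:00Z user=ghost action=VIEW_RECORD result=OK patient=P1003
""".splitlines()

if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:<26} {user:<10} {detail}")
```

The point of the roster join is that the log alone cannot tell you an account should have been disabled; the review has to cross-reference HR's termination date, which is exactly the hand-off that tends to break between workforce security and activity review. Each finding then feeds the incident checklist above: evidence preserved, cause found, outcome documented, risk register updated.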
Contingency plan: When everything is not fine
A contingency plan is, obviously, a big part of your risk-management strategy. HIPAA protects the integrity and availability of patient information as well as its confidentiality, so when a hurricane hits your servers or ransomware takes your systems down, you are still obliged to ensure that doctors and patients can get their health information, intact.
Backups of all patient data (scans, notes, case management information and so on), stored in a safe, protected place and verified to be restorable, are a must (the data backup plan is a required specification), and so are recovery plans:
- Disaster recovery plan (required), which ensures switching over to the backup when the mentioned hurricane arrives. This plan should take into account where your organization and your servers are located, and, if needed, "a hurricane" must be recorded as a probable threat in your risk analysis documents.
- Emergency mode operation plan (required), which kicks in while a threat is active but information still has to be reachable. It should balance which information must always be accessible, which is needed right now because, for instance, a provider requires it, and what should be locked down. The plan also lists the people to notify about the incident and instructions for manual security measures.
Of course, nobody has a good damage-control mechanism without testing it, so include testing and revision of the plans (an addressable specification) and regular drills in your security program. Don't forget to prioritize which applications and data should be restored first after an incident; HIPAA calls this applications and data criticality analysis.
The final Administrative Safeguard requires HIPAA-compliant relationships with your business associates (BAs), the external parties that get to interact with protected health information on your behalf, including advisors, lawyers and vendors. Their obligation to protect the privacy of patient information and maintain adequate security around it must be written into a contract, the Business Associate Agreement (BAA), and a BA that uses subcontractors must flow the same obligations down to them in writing.
How to employ Physical Safeguards
Even though patient information is mostly digitized, there are still preventive measures providers and their associates should take to protect it in the physical world. Covered by the Security Rule, these are called Physical Safeguards.
Protect and secure the facility. As part of facility access controls, you should work out how patient data will be reached during a sudden power failure or an area-wide blackout (contingency operations). There should also be a facility security plan covering identification and validation of employees and visitors, locked doors to archives and medical rooms, video surveillance, and so on.
It is also a good idea to keep maintenance records of repairs and renovations to the facility, when they are due, and whether the work may touch rooms or systems that hold PHI.
Control who can use workstations that interact with PHI, and when. The next part of the Physical Safeguards is workstation use and workstation security. A remarkably effective way to compromise a system is still to leave a malicious flash drive on an employee's desk.
There must be policies that restrict access to workstations, computers, laptops and smartphones that interact with PHI. The monitors and screens of such workstations must be viewable only by authorized people. This applies, by the way, to people who work from home as well. To protect devices that hold PHI in one way or another, run them through the same risk analysis steps we discussed earlier. Smartphones must be included, and they must at minimum be passcode-locked and encrypted.
Moreover, good access control separates what clinicians of different specialties can reach. In a perfectly HIPAA-compliant world a surgeon cannot open a patient's mental health records. This is not the case in most healthcare organizations, but it is a point to consider when building systems for them.
As part of the next Physical Safeguard, device and media controls, you are required to:
- Make sure electronic media you no longer need (hard drives, flash drives, memory cards, smartphones, any electronic storage) contains no PHI before disposal. Every trace of PHI has to go. Deleting files or formatting the drive does not achieve that; the data is still on the platters or flash cells. What does: overwriting the whole drive with a sanitization tool, degaussing magnetic hard drives, physical destruction (shredding) of SSDs and flash media, or cryptographic erase on drives that were encrypted from the start. NIST SP 800-88 is the reference for which method fits which kind of media. In other words, all the fun things.
- When electronic media is re-used, remove all PHI before re-use, with the same sanitization methods.
Things that are addressable rather than required, but worth considering: decide whether smartphones should be used to work with PHI at all; keep a record of where hardware and media that hold PHI are and who is responsible for them; and find a way to spot the same account being used from several devices. Also, create a backup of PHI before moving equipment, so that a relocation does not turn into a loss of PHI.
Basically, Physical Safeguards protect medical organizations from natural disasters, everyday mishaps, and rather bold criminals and fraudsters. It's important to understand, though, that if you are a vendor that maintains software interacting with PHI, you still need to consider all of these safeguards: in our experience, while providers are more or less aware of HIPAA's goals and the necessity of compliance, their tech partners often lack understanding in that area.
How to comply with Breach Notification Rule
HIPAA obliges covered entities and their business associates to report data breaches. By HHS's definition, a breach is "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI", and any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. PHI that was encrypted or destroyed according to HHS guidance is not "unsecured", and its loss does not trigger notification, which is one more argument for encrypting every laptop and phone. After a breach is discovered, the organization must notify the affected individuals, the HHS Secretary and, in some cases, the media, without unreasonable delay and in no case later than 60 calendar days after discovery. The individual notice should include:
- A description of what happened, including the date of the breach and the date it was discovered;
- the types of PHI involved (names, dates of birth, diagnoses, and so on);
- steps affected individuals should take to protect themselves;
- a brief description of what you are doing to investigate, mitigate harm and prevent further breaches;
- contact information: a toll-free number, e-mail address, website or postal address.
If the breach occurred at a business associate, for example inside a vendor's app that handled the provider's health information, the business associate must notify the covered entity without unreasonable delay and within 60 days of its own discovery (the BAA may set a shorter deadline), and the two should agree on who sends the individual notices. The covered entity remains responsible for seeing that they go out.
Covered entities must also notify prominent media outlets if the breach affected more than 500 residents of a single State or jurisdiction, again within 60 days of discovery. Note that this threshold is per State: a breach spread thinly across many States may reach 500 people in total without triggering a media notice anywhere.
As for HHS, breaches affecting 500 or more individuals must be reported to the Secretary within the same 60 days of discovery. Smaller breaches must be logged and submitted to the Secretary annually, within 60 days after the end of the calendar year in which they were discovered. State breach notification laws may impose shorter deadlines on top of this.
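The thresholds and deadlines above are easy to get wrong under pressure, in particular the per-State media threshold versus the total count for HHS, and the annual log deadline for small breaches. The following is an added example written for this article, not code from the original piece: it encodes the rule as summarized above, and the incident figures in the calls are constructed. Function and parameter names are the editor's own.

```python
"""Breach notification triage: which notices are due, and by when.
Encodes the Breach Notification Rule as summarized in the text; incident
figures used below are constructed."""
from datetime import date, timedelta

OUTER_LIMIT_DAYS = 60        # "without unreasonable delay", never later than 60 calendar days
HHS_PROMPT_THRESHOLD = 500   # 500 or more individuals in total: notify the Secretary within the 60 days
MEDIA_THRESHOLD = 500        # more than 500 residents of one State or jurisdiction: media notice


def notification_plan(discovered: date, affected_by_jurisdiction: dict,
                      phi_was_secured: bool = False,
                      low_probability_of_compromise: bool = False,
                      reporting_entity: str = "covered_entity"):
    """Return a dict of the notices that are due and their outer deadlines.

    affected_by_jurisdiction maps a State/jurisdiction code to the number of
    its residents affected. phi_was_secured is True only when the PHI was
    encrypted or destroyed per HHS guidance (then it is not unsecured PHI).
    low_probability_of_compromise is the documented outcome of the
    four-factor risk assessment; the rule presumes a breach otherwise.
    """
    if phi_was_secured:
        return {"notify": False, "reason": "PHI was secured; not unsecured PHI"}
    if low_probability_of_compromise:
        return {"notify": False,
                "reason": "risk assessment found low probability of compromise; keep the write-up"}

    outer = discovered + timedelta(days=OUTER_LIMIT_DAYS)
    total = sum(affected_by_jurisdiction.values())
    plan = {"notify": True, "individuals": total, "outer_deadline": outer}

    if reporting_entity == "business_associate":
        # A BA notifies the covered entity (the BAA may set a shorter deadline);
        # the covered entity remains responsible for the notices below.
        plan["notify_covered_entity_by"] = outer

    plan["individual_notice_by"] = outer
    # Media notice is decided per State or jurisdiction, not on the total.
    plan["media_notice_jurisdictions"] = sorted(
        j for j, n in affected_by_jurisdiction.items() if n > MEDIA_THRESHOLD)
    plan["media_notice_by"] = outer if plan["media_notice_jurisdictions"] else None

    if total >= HHS_PROMPT_THRESHOLD:
        plan["hhs_notice_by"] = outer
    else:
        # Smaller breaches go into a log submitted within 60 days after the end
        # of the calendar year in which the breach was discovered.
        plan["hhs_notice_by"] = date(discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)
    return plan


if __name__ == "__main__":
    # Constructed incidents: one large single-State breach, one small one,
    # and one that crosses 500 in total without crossing it in any State.
    for label, affected in [("large", {"CA": 600, "NV": 20}),
                            ("small", {"NY": 40}),
                            ("spread", {"TX": 260, "FL": 260})]:
        print(label, notification_plan(date(2024, 3, 4), affected))
```

The "spread" case is the one worth remembering: 520 people in total means the Secretary is notified within 60 days, but no single State passes 500 residents, so no media notice is required. Treat the 60-day figure as an outer limit, not a target; the rule's wording is "without unreasonable delay", and State breach laws may be stricter.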
Although the Breach Notification Rule is a separate HIPAA standard, it is tightly connected to the Security Rule. Guidelines on how to react to, document and prevent breaches must be part of the security management strategy, and all preventive measures must be in place both in medical organizations and at the companies that provide software for them.
Breaches that involve no hacking at all, such as a lost device or a record sent to the wrong recipient, are pretty common in healthcare, and they are, in our opinion, the simplest to prevent. A HIPAA-compliant organization is one that trains its employees to think about their customers, whether patients or users, and teaches them to prevent failures rather than react to them. Preventing an illness, as we know, is always better than treating it.