What is HIPAA Compliance? Just the Facts...

Geoff Yeagley
Jan 24, 2017 10:50:00 AM

If you work in the healthcare industry, there is zero doubt that you have heard about HIPAA Compliance thousands and thousands of times. The importance of keeping electronic protected health information (ePHI) confidential is pounded into us on a daily basis, and for good reason. But what is HIPAA Compliance? We all know that it is a federal regulation that applies to two types of organizations:

  • Covered Entities (Health Plans, Healthcare Clearinghouses, and Healthcare Providers)
  • Business Associates (Any person or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity)

Today, Business Associates are held to the same HIPAA Security Rule requirements as Covered Entities and are directly liable for violations. This is in large part due to the final HIPAA Omnibus Rule of 2013, which upped the ante for business associates at a time when outsourcing of business functions that touch ePHI was increasing.

To keep things simple, HIPAA Compliance comes down to three key objectives for the protection of any ePHI that an organization creates, receives, maintains, or transmits. Those three objectives are as follows:

  1. Confidentiality - ePHI is not available or disclosed to any unauthorized person
  2. Integrity - ePHI is not altered or destroyed in an unauthorized manner
  3. Availability - ePHI is accessible and usable on demand by an authorized person

The challenge with the HIPAA Compliance regulation is that it does not prescribe a definitive method for how to comply. Rather, it allows a flexible approach and gives a few factors for organizations to consider when choosing their security measures:

  • Size, Complexity, and Capabilities
  • Infrastructure
  • Costs Associated with Security Measures
  • Likelihood and Possible Impact of Risks to ePHI

HIPAA Compliance, unlike some other compliance requirements (PCI Compliance, for example), is very gray. Complying with HIPAA can look very different from organization to organization, which creates a challenge: organizations look for a specific model to follow and replicate, which is difficult at best. The key is to assess your risk on a regular basis rather than treating HIPAA Compliance as an annual "check-the-box" requirement. Our recommendation is to conduct a formal risk assessment at least annually and whenever you make significant changes to any technology in your environment.

Recent statistics suggest that in 2016, 34.5% of all reported data breaches occurred in the healthcare vertical. That figure is essentially flat compared with 2015, which means there is still no track record of improvement, and that is a major concern. When you combine this with the ransomware attacks that targeted healthcare in 2016, compliance becomes both more important and more of a challenge. Please contact us with any questions that you might have regarding HIPAA compliance!
