Discussion around the Health Insurance Portability and Accountability Act (HIPAA) usually centers on doctors’ offices and hospitals and what it takes for them to be compliant. Those are the most familiar examples, but many other kinds of businesses handle health information and need a working framework for compliance as well.
Determining which organizations must be HIPAA compliant can seem vague. The U.S. Department of Health and Human Services (HHS) defines the organizations that must protect the privacy and security of health information as “covered entities.” Understanding exactly who falls under that banner requires a closer look:
- Health plans, including HMOs, Medicare, Medicaid, private insurers and employer-sponsored group health plans, are covered entities. Note that records an employer holds in its capacity as an employer (for example, HR files) and education records covered by FERPA are excluded from the definition of protected health information.
- Health care clearinghouses, meaning billing services and similar companies that translate health information between non-standard and standard formats, are covered entities. A billing or collection company that simply works on a provider’s behalf is a business associate rather than a covered entity.
- Health care providers that transmit health information electronically, including doctors, dentists, surgeons, optometrists, hospitals, clinics, nursing homes and pharmacies, are covered entities.
- Business associates of the above, which handle protected health information (PHI) on a covered entity’s behalf, are not covered entities but are directly subject to the Security Rule and must sign a business associate agreement.
While doctors, hospitals and health insurers are the obvious covered entities, many people don’t realize how far the regulation reaches into their business partners. Claims and data processors, consultants, accountants, auditors, IT and hosting providers, and any other third party that creates, receives, maintains or transmits PHI for a covered entity is a business associate and carries its own compliance obligations.
Assessing the risk of a HIPAA compliance violation: The HHS Office for Civil Rights (OCR) conducts HIPAA compliance audits and breach investigations, and one of the first things it asks for is the organization’s security risk assessment and related documentation from the prior three years (the Security Rule itself requires that such documentation be retained for six years, 45 CFR 164.316(b)(2)). Given that OCR regularly imposes penalties for missing or inadequate risk analyses, every covered entity and business associate should confirm that it has an accurate, thorough and current one in place.
A risk assessment identifies the threats and vulnerabilities to the confidentiality, integrity and availability of electronic PHI (ePHI). It covers all ePHI the organization creates, receives, maintains or transmits. The following steps should be included in the assessment:
- Identify where ePHI is created, received, maintained or transmitted, and the systems and people involved
- Identify the threats to that ePHI and the vulnerabilities those threats could exploit
- Document the current security controls and how they are used
- Estimate the likelihood that each threat exploits a vulnerability
- Assess the impact on the organization and on patients if that were to occur
- Rate the level of risk from the likelihood and impact of each threat
- Document the safeguards in place, the residual risk, and the plan and timeline for remediating gaps
Identifying risks in this way helps an organization reduce the chance of a breach of PHI, and a documented, regularly updated risk analysis is also the first thing OCR looks for in an audit, so it materially reduces exposure to penalties.
Most HIPAA compliance problems result from workforce error, so security awareness training is a priority for every covered entity and business associate (the Security Rule requires it). Training should cover the correct handling of PHI, how to recognize and report a suspected security incident or breach, and how each employee’s day-to-day habits protect the organization from a breach.
At SimpleWAN, we help you leverage the best technology to make HIPAA compliance easier, such as segmented network traffic to help you identify and isolate any threat to your systems. Contact us for more information.