Time To Get Serious About HIPAA - InformationWeek


If your company qualifies as a covered entity under HIPAA, now is a good time to review your compliance efforts and fill in any gaps -- before the feds come calling.

6. Expect The Worst
HIPAA isn't just about protecting data from unauthorized access. As more information needed for patient treatment and billing becomes electronic, it's crucial to ensure that systems are available and the data is trustworthy. Your contingency plan must cover backup and recovery of personal health information, along with preparations for recovering from disasters. Your plan also needs to include preparations for operating under emergency conditions--how business can continue without access to the electronic personal health information, and how you will continue to protect data on your systems during disasters.

7. Control Your Media
The management of devices and media used to store patient information is another top source of HIPAA violations, according to CMS. The Security Rule includes four provisions covering devices and media. HIPAA also includes provisions for tracking storage media and devices as they're moved around the facility and disposed of, as well as data backup.

8. Train Users, Then Remind Them
Users are crucial to security, but it's very easy for information security pros to assume they already understand the issues. All members of your workforce need ongoing security training. HIPAA leaves it up to you to decide what's appropriate and how training should be conducted, although the provision describes the training as "periodic security updates."

[Chart: With which regulations is your organization required to comply?]
9. Log/Audit
HIPAA requires that covered entities record and examine activity in systems that store or use personal health information. The types of high-risk threats you identified in your risk assessment will help you decide what needs to be logged in order to meet this requirement, but it's important to understand the context. The Security Rule goes to great pains to ensure that users are uniquely identified and authenticated. Oftentimes, in a medical setting, it's hard to predict who will need to access which patient's data, and strong limits on this access could cause dangerous delays in treatment.

Instead, reasonable access restrictions should be implemented and followed up with audits of access trails to ensure that employees aren't looking at or modifying records they shouldn't.
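One way to implement the access-trail audit described above, as an added example that is not from the article or its author: it reads a constructed EHR access log and flags record views or changes by users who are not on the patient's care team, and any use of a shared account that cannot be tied to one person. The log format, care-team map and account names are all constructed for illustration.

```python
import csv
import io

# Constructed sample access trail: one row per record access.
SAMPLE_LOG = """timestamp,user,patient_id,action
2021-06-01T09:02:11,dr_patel,P1001,view
2021-06-01T09:05:40,nurse_kim,P1001,modify
2021-06-01T09:30:02,billing_lee,P2002,view
2021-06-01T10:12:55,nurse_kim,P3003,view
2021-06-01T10:14:07,nurse_kim,P3003,modify
2021-06-01T11:45:19,shared_ward3,P1001,view
"""

# Constructed treatment/billing relationships: which users legitimately
# need which patients' records. In practice this would be derived from
# scheduling, admission and billing systems.
CARE_TEAM = {
    "P1001": {"dr_patel", "nurse_kim"},
    "P2002": {"billing_lee"},
    "P3003": {"dr_patel"},
}

# Accounts shared by several people: any use defeats unique identification.
SHARED_ACCOUNTS = {"shared_ward3"}


def audit_access_trail(log_text, care_team, shared_accounts):
    """Return (user, patient_id, action, reason) tuples for accesses
    that should be reviewed by the privacy/security officer."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient, action = row["user"], row["patient_id"], row["action"]
        if user in shared_accounts:
            findings.append((user, patient, action,
                             "shared account, user not uniquely identified"))
            continue
        if user not in care_team.get(patient, set()):
            verb = "modified" if action == "modify" else "viewed"
            findings.append((user, patient, action,
                             f"{verb} record outside treatment relationship"))
    return findings


if __name__ == "__main__":
    for finding in audit_access_trail(SAMPLE_LOG, CARE_TEAM, SHARED_ACCOUNTS):
        print(finding)
```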

10. Clean Up Old Data
This step will simplify your HIPAA compliance efforts by reducing the amount of data you need to protect. Hopefully, when you did your inventory for your risk assessment, you didn't just focus on the systems in day-to-day use but scoured the data closets for older gear and unused databases.

Once you've used your inventory to identify outdated data and systems, you need to make the classic closet-cleaner's decision: toss or keep? If there's reason to keep the data, does it need to be accessible? If not, archive it to durable media and store it in a vault or with an off-site data storage company. Data on a tape in a vault isn't susceptible to hackers or curious employees.

Avi Baumstein is an information security analyst at the University of Florida's Health Science Center.
