Who has to be HIPAA compliant?
HIPAA defines three categories of covered entities:
- Healthcare providers — Hospitals, clinics, medical laboratories, pharmacies, nursing homes, doctors, psychologists, dentists, chiropractors, etc., provided they transmit health information electronically in connection with a HIPAA-covered transaction (claims, eligibility checks, referrals, and the like)
- Health plans — Health insurance and health maintenance companies, government programs such as Medicare and Medicaid, and military healthcare programs
- Healthcare clearinghouses — Organizations such as billing services and repricing companies that process nonstandard health information received from another entity into a standard format, or the reverse
Business associates (and their subcontractors) that create, receive, maintain, or transmit PHI on behalf of a covered entity are also subject to HIPAA. Although they aren't covered entities themselves, since the HITECH Act and the 2013 Omnibus Rule they are directly liable for complying with the Security Rule and with the relevant parts of the Privacy Rule, and the relationship has to be set out in a business associate agreement.
In practice, then, any organization that handles PHI for a covered entity must meet HIPAA requirements. HIPAA does not prescribe how often you must audit yourself: the Security Rule requires a "periodic" technical and nontechnical evaluation (§164.308(a)(8)) and an ongoing risk analysis, without fixing an interval. The common practice is to run a HIPAA audit or self-assessment yearly and again after any substantial change to your IT environment.
Passing a HIPAA compliance audit is a real effort, and the technical safeguards in particular are hard to evidence without tooling that monitors and controls how users access ePHI.
Key HIPAA compliance requirements for data protection
HIPAA compliance requirements are laid out in several rules. The controls that matter for data protection are described in the first two of them, the Privacy Rule and the Security Rule.
The Privacy Rule sets national standards for how PHI (in any form) may be used and disclosed and gives patients rights over their records. It also defines the conditions under which PHI may be used or disclosed without the patient's authorization, for example for treatment, payment, and healthcare operations.
The Security Rule applies specifically to electronic PHI (ePHI). It does not name particular products, but it does define the administrative, physical, and technical safeguards that any compliance tooling has to support:
- Administrative — Required practices, policies, and procedures to ensure ePHI security
- Physical — Measures to establish the physical security of buildings and devices that contain ePHI
- Technical — Technology, and the policies and procedures for its use, that control access to ePHI and protect it from unauthorized access, alteration, and loss
HIPAA implementation specifications are either required or addressable.
Required specifications are obligatory for every covered entity and business associate. Addressable does not mean optional: you must assess whether the specification is reasonable and appropriate for your environment and, if it is, implement it. If it is not, you must document why, and implement an equivalent alternative measure where one is reasonable and appropriate. Record that assessment in the relevant security policy; an auditor will ask for it. When you aren't sure whether an addressable specification applies to you, implement it anyway, since a control costs far less than explaining its absence after a breach.
Easily implement all critical administrative and technical safeguards
With Ekran System, you can easily implement all critical administrative and technical safeguards, including:
- Isolating third-party access
- Access establishment and modification
- Response and reporting
- Unique user identification
- Emergency access procedure
The technical safeguards map to the Security Rule as follows:
- §164.312(a)(2)(i) Unique user identification (Required). Each user must be assigned a unique name and/or number so that their activity can be identified and tracked. Ekran System manages credentials for each user and provides secondary authentication to distinguish individual users of shared accounts, so actions taken under a shared administrator login are still attributable to one person.
- §164.312(a)(2)(ii) Emergency access procedure (Required). You must establish procedures for obtaining necessary ePHI during an emergency, and those procedures should not bypass accountability. Ekran System lets a security officer grant emergency access to sensitive data by issuing one-time passwords, so the access is both immediate and logged. Separately, it can block an activity, session, or user automatically when it detects a security breach, and a security officer can do the same manually.
- §164.312(c)(2) Mechanism to authenticate ePHI (Addressable). This specification is about authenticating the data, not the user: a covered entity should have a mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. Authenticating the person is a separate, required standard, §164.312(d) Person or entity authentication, which Ekran System addresses with 2FA. Its user monitoring functionality contributes to the data side by recording who did what with ePHI, which gives you the evidence to detect and attribute unauthorized changes.
- §164.312(e)(2)(i) Integrity controls (Addressable). Electronically transmitted ePHI must not be improperly modified without detection. With Ekran System monitoring, any user interaction with data is recorded, so if someone tampers with data on a monitored endpoint the entity has a complete record of the event, and those records can be exported to a protected file for further forensic work. Note that session records complement rather than replace transport-level integrity protection (TLS for connections, message authentication or signatures for stored and transmitted records), which is what actually detects modification on the wire.
Let’s get the conversation started
Contact our team to learn how our insider risk management software can safeguard your organization’s data from any risks caused by human factors. Book a call with us at a time that suits you best, and let’s explore how we can help you achieve your security goals.