HIPAA Compliance

One of the most common requests we receive from our clients is to assist them during their HIPAA compliance audits. This process can be stressful and daunting, but with our guidance and tools, Coastline clients will always have the support they need.

While no healthcare organization can eliminate the possibility of facing a data breach, implementing HIPAA technical safeguards can go a long way toward mitigating cyber risk.

Let’s start with the basics.

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information. Protected health information is “individually identifiable health information” stored or transmitted by a covered entity or its business associates. This can be in any form of media - from paper and electronic records to verbal communications.

HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). The OCR’s role in maintaining medical HIPAA compliance comes in the form of routine guidance on new issues affecting health care, performing compliance audits, and investigating HIPAA violations.

Through a series of interlocking regulatory rules, HIPAA compliance is an evolving practice that certain organizations must layer into their business in order to protect the privacy, security, and integrity of protected health information.

HIPAA regulation identifies two types of organizations that must be HIPAA compliant:

  • Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits protected health information electronically. Health care organizations that are considered covered entities include health care providers and health insurance providers.

  • Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters protected health information in any way over the course of work that it has been contracted to perform on behalf of a covered entity. There are many examples of business associates because of the wide scope of service providers that may handle, transmit, or process health information. Common examples of business associates affected by HIPAA rules include: billing companies, practice management firms, third-party consultants, electronic healthcare record platforms, MSPs, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.

While there are many layers to HIPAA compliance, Coastline can help ensure that all technical aspects of your infrastructure meet the technical safeguard requirements. According to the HIPAA Security Rule, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Essentially, organizations that fall under HIPAA rule must implement security measures that allow them to reasonably and appropriately maintain the necessary standards for protection. This includes determining which security measures and specific technologies are reasonable and appropriate for their organization.

Before we go into specific technologies, let’s review some of the violations and risks that Coastline can help with.

Types of Potential Technical HIPAA Violations

HIPAA violations can occur in any number of ways, so it’s critical that you understand what violations are and how they happen so you can take preventative measures.

Internal

The most common type of violation is internal, and not the result of any outsider hack or data breach. Typically, violations stem from negligence or only partial compliance with the Privacy Rule.

A workstation left unlocked, or a paper file misplaced in a public setting — although not malicious — are the types of violations to be most wary of. A company that has a laptop stolen and doesn’t have a policy in place barring laptops from being taken offsite, or requiring that they be encrypted, would also be in violation of HIPAA. Not properly configuring software like Office 365 for HIPAA compliance is another common example of a violation. By partnering with Coastline, you wouldn’t need to worry about these types of risks!

External

Data breaches and ransomware situations are the two areas of concern when it comes to external risk. Utilizing default configurations, for instance, can leave your organization more prone to breaches.

The FBI’s Internet Crime Complaint Center reported 2,084 ransomware complaints between January and July 31, 2021, and according to a report by the University of Maryland, there is a new attack somewhere on the web every 39 seconds.

Healthcare data breaches occur nearly every day, and hackers are constantly shifting their tactics and targets to adapt. In response to the ever-changing cyber threat landscape, it is crucial that healthcare organizations implement technical safeguards that are current, comprehensive, and compliant.

Examples of Violations

  • Stolen laptop

  • Stolen mobile phone

  • Stolen USB device

  • Malware incident

  • Ransomware attack

  • Hacking

  • Business associate breach

  • Electronic health record breach

  • Office break-in

  • Sending protected health information to the wrong patient/contact

  • Discussing protected health information outside of the office

Risk Mitigation

Coastline’s deep experience with healthcare clients and related vendors means we have the knowledge and tools ready to support you through a HIPAA audit. Here are some risk mitigation steps that should be taken with your technology:

  • Strong login measures: Coastline can ensure that only authorized users have access to protected health information by implementing strong permissions and standards for ID and password complexity. Users should change default passwords and rotate their passwords on a regular basis, and having systems in place that require regular password changes is a smart step. Strong, individual passwords are also paramount for security.

  • Regular activity logging: Coastline’s available monitoring tools log everything related to network activity, which will help comply with HIPAA. Our systems also monitor unusual activity and alert us immediately. This level of tracking and monitoring will comply with guidelines.

  • Take a multi-layer approach: User IDs and logins are just one layer at which HIPAA breaches can occur. By working with Coastline, you can rest assured that proper security measures are taken at various other layers, including network, systems, software, and firewalls.

  • Data backup and disaster recovery: By having Coastline’s data backup and disaster recovery tool, you’ll not only have a critical component of your technical infrastructure that can rescue your organization in case of ransomware or disasters such as floods, but you’ll also have a documented plan in place for data loss or breach, which auditors examine carefully.

  • Managed cybersecurity solutions: Coastline follows the recommendations of the most widely accepted and proven cybersecurity authorities: the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). The NIST Cybersecurity Framework is the de facto standard for managed cybersecurity, whether you’re simply looking to protect your business from cybercriminals or need to meet compliance requirements like CMMC, HIPAA, and many others.

  • Email protection: Coastline’s available email protection will filter out spam and phishing emails, locking them in a folder that can be reviewed and accessed at any time by the user. This helps minimize the risk that employees will click on unsafe links, download viruses, and more.

Partner with Coastline Technologies to get your IT infrastructure up-to-par and ensure HIPAA compliance. Start by giving us some very basic info about your organization and together we’ll review your needs, or just give us a call to get started!

For some more in-depth information and a helpful HIPAA checklist, click here.
