Consider your medical history. How would you feel knowing that it was easily accessible to strangers? What if that information was available to your current or future employer? Regardless of your medical history, knowing someone else has unconsented access to it would probably feel like a massive invasion of privacy.
Thankfully, we have laws and regulations governing the release of health information. If you’re in the healthcare industry, odds are you know the importance and ethics behind the laws governing patient privacy, a.k.a. HIPAA. Ensuring that patient protected health information (PHI) is strongly guarded is not only important for the safety and security of the patient, but also for the well-being of your business as a healthcare provider.
However, over the last ten years, the U.S. department of health and human services has added additional regulations and guidelines to the withstanding Health Information Portability and Accountability Act of 1996–or HIPAA.
These guidelines fall under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The HITECH Act outlines several goals and incentives for healthcare entities when it comes to better protecting patient information. In 2021, an amendment was added to the HITECH Act that would allow for the consequence reductions following audits and security breach investigations carried out by the U.S. Department of Health and Human Services, Office of Civil Rights (HHS-OCR).
In this article we’ll dive into how this amendment will impact healthcare entities and what you can do to ensure you’re meeting all the requirements (and reaping all the benefits) set forth by HIPAA and the HITECH Act and amendment.
Requirements set forth by DHHS
In addition to requirements laid out by HIPAA, healthcare entities are incentivized by the HITECH Act Amendment of 2021 to adopt specific procedures and methodologies.
What is the HITECH Act Amendment?
The HITECH amendment requires that the HHS-OCR take into consideration any recognized security practices an entity has had in place over the last 12 months when determining fines or other consequences related to HIPAA security violations.
The HHS-OCR is very clear that implementing an RSP does not free any entity from being liable for their errors. This amendment simply requires that the HHS-OCR take into account the RSP status of a provider when conducting an audit or a security breach investigation.
Why is the HITECH Act Amendment Important?
The goal of this amendment is to motivate HIPAA bound entities to create the most effective security framework for mitigating potential violations. However, organizations must provide ample evidence of compliance in order to be protected under this amendment.
To prove compliance with HITECH amendment standards, entities must follow the best practice processes outlined in one of the following:
● The National Institute of Standards and Technology Act (NIST)
● The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) Technical Volumes.
● “Other” programs that address cybersecurity recognized by statute or regulation
What are Some Recognized Security Practices?
Okay, we’ve talked about why RSPs are important and where to find them. Now, let’s talk about some recognized security practices that are important when building an RSP framework.
Risk assessment is the organization’s understanding of cybersecurity risks to organizational operations, assets, and individuals. This is an essential part of implementing RSPs.
Healthcare Entities should identify and document vulnerabilities both internally and externally. In addition, they should demonstrate an understanding of the potential business impacts. This can be done through an IT asset inventory or mapping out data flows.
Technical safeguards are increasingly more important due to the rapid advancement of technology. New challenges are emerging every day and health organizations must evolve with the times.
Technical safeguards help to establish security and resilience within digital and physical systems. They also help to protect assets using related policies, procedures, and agreements outlined by the company. Some of these solutions are:
● Audit records
● Utilizing software that makes sure communications and control networks are protected at all user touchpoints
● Failsafe mechanisms that are specifically used to achieve resilience daily and in adverse scenarios
Access controls give users the ability to access physical and logical assets such as information, programs, and files Health organizations and associated facilities are required to limit authorized users and minimize the necessary information to perform job functions.
This means that in order to be compliant, entities must use a combination of access and technical safeguards to protect information. These can include:
● Password protections
● Integrity controls for electronically protected health information (EPHI) that is being electronically transmitted
● End-to-end encryptions for EPHI’s being sent over electronic open networks
Incident response and reporting
HIPAA security guidelines state that during and after an incident, response processes and procedures should be carried out according to plans previously established.
In addition to this, those response actions should be communicated in full with staff, patients, and law enforcement agencies. It is expected that if there is a breach in privacy, all information regarding the incident should be responded to and reported within a timely manner.
Monitoring and testing
In alignment with HIPAA security best practices, entities should create onion assessment checklists as a form of security self-evaluation.
These checklists should be used to regularly monitor Information systems and assets for potential cybersecurity threats. Threats can include malicious code, threatening personnel activity, or even threats within the physical environment of a covered entity.
This type of testing should validate the effectiveness of the RSP framework as a whole. Monitoring and testing also includes providing recommended corrective measures for any shortcomings detected by regular testing and monitoring.
Ensuring that employees are aware of their part in upholding HIPAA standards is critical to implementing RSPs. Healthcare organization’s personnel and partners should be trained in cybersecurity awareness.
This educational training should provide members with a detailed understanding of how to handle PHI and EPHI appropriately. This training should extend to anyone involved with a covered entity–doctors, nurses, business associates, subcontractors–who may come into contact with protected health information.
Disaster recovery planning
A disaster recovery plan is required within the HIPAA Security rules and asks that covered entities anticipate events that could compromise the security of important patient information. In this instance, recovery plans are documents that detail the resources, strategies, personnel, and data that are required to protect personal health information in the event of a disaster.
After recovery processes and procedures are executed, they should demonstrate a restoration of affected systems. Following the disaster, HIPAA also asks that healthcare organizations establish a way to identify lessons learned and update their strategies and processes in accordance with those lessons.
How Healthcare organizations can implement recognized security practices
Healthcare organizations are frequently the unassuming victims of cybersecurity breaches. Implementing RSPs is a great way to ensure that all your bases are covered when it comes to cybersecurity.
Maintaining inventory and mapping of IT assets
To begin, it’s essential to maintain an accurate inventory of IT assets. This includes hardware, software systems, or information that gives an organization value. Assets have a finite period of use and, therefore, it’s especially important to have an accurate and current record of your data storage. Having an inventory is also a great first step in mapping your organizational data flows.
When developing an RSPs framework it is to have a comprehensive understanding of what personal data is being processed. It also outlines what digital touchpoints between all parties who are able to access the protected data.
By mapping out data flows, HIPAA compliant organizations are better able to identify unforeseen or unintended uses of data. This will inform the subsequent building of an RSP framework.
There are a wide array of training programs available. For healthcare providers, having a HIPAA compliance education program for employees is an important step in developing strong security practices.
HIPAA has extensive training requirements when it comes to adequate training programs.
When it comes to choosing a training program, these should meet the minimum requirements laid out in the HIPAA Security Rule.
Entities should ensure that all employees are up to date on their HIPAA certification, as training does expire. Currently the HIPAA privacy rule states that training must be “as necessary and appropriate for the members of the workforce to carry out their function.”
Risk management software
One of the best ways a health organization can ensure that they correctly and effectively implement Recognized security practices is to employ the use of a risk management software.
For healthcare organizations both big and small, cybersecurity can be a full-time job. Outsourcing the training tools and risk analysis to a software such as papaya can help get businesses up to speed when it comes to compliance.
Challenges for healthcare organizations in implementing security practices
Understanding HIPAA compliance requirements is breeze when compared to actually implementing RSPs. The process of developing an adequate framework can be rife with challenges for smaller and medium sized businesses that may lack the resources or not have the manpower to institute the necessary adjustments.
For small and medium healthcare organizations, a lack of resources–whether that be funding or software–can present a sizable hurdle to jump when it comes to implementing recognized security practices.
Lack of expertise
In general, there is a shortage of cybersecurity professionals who are capable of implementing adequate RSPs for healthcare entities. This can be a two-fold challenge. The first part of the challenge is that organizations looking to hire and retain security staff far outnumber qualified security staff.
The second is that security threats and compliance rapidly evolve and require increased knowledge of complex environments and specific skill sets. The result is that, even for entities who do have a qualified team of security experts, the organization must ensure that those cybersecurity professionals remain experts in both the field of cybersecurity and compliance mandates.
Small and medium sized organizations may struggle to prioritize implementing recognized security practices that meet the standards set forth by the HHS-OCR. This may be due to cost, manpower, or simply the time it takes to run a business.
Benefits/ importance of implementing recognized security practices (RSPs)
HIPAA does not require that you adopt an RSP, however the Health and Human services–Office of Civil Rights (HHS-OCR) has offered incentives for those healthcare providers who do.
Thanks to a 2021 amendment to the HITECH Act, healthcare providers who have implemented RSPs will experience some amount of leniency when it comes to fines and penalties.
How HIPAA Audit Program plays a role
In order to ensure industry compliance in regard to PHI, the OCR implemented the HIPAA audit program in 2012. A full audit includes a 180 part checklist separated into three disciplines: 19 relate to HITECH breach, 89 regarding HIPAA Privacy, and the remaining 72 examine HIPAA Security.
During their audit, OCR implements the consideration of recognized security practices. If a regulated industry is selected for an audit, OCR will invite that healthcare entity to demonstrate their active implementation of RSPs. If proof is satisfactory, the OCR will take the organization’s preventative measures into consideration when determining fines should the audit reveal instances of noncompliance.
The result of adequately implemented RSPs is a reduction of fines or other Since 2016, HIPAA violation fines have been adjusted annually. Depending on the level of culpability, a financial penalty–also known as a civil monetary penalty–could be as high as 1.9 million dollars.
However, institutions that can adequately demonstrate 12 months of adherence to a recognized security practice framework will qualify for early, favorable termination of an audit.
Why ongoing compliance is important
The HITECH act provides an opportunity for healthcare organizations to be incented to invest in protecting their patients’ sensitive information. RSPs are not only a critical part of protecting PHI, but also an additional safeguard for companies who must keep up with evolving HIPAA guidelines and cyber securities.
As we discussed, one of the requirements for receiving the privileges laid out by the HITECH amendment is sustained instatement of RSPs. Ongoing compliance is critical for entities who wish to qualify for any privileges relating to civil monetary penalty reductions.
If there is a security breach or audit, the OCR will conduct an investigation. During such investigation, HIPAA bound entities will be invited to share their RSP framework. If the organization cannot clearly illustrate an RSP system that has been active for at least twelve months, the OCR will not consider them to be eligible for penalty reductions.
Utilizing an RSP not only makes you eligible for benefits, it helps ensure the security of information and protects your business from consequences of a potential security breach.
The cost differential between having a comprehensive RSP framework and paying fines can be quite large when you consider the true cost of a security breach. Especially for small and medium businesses, HIPAA violation can extend far beyond the fine imposed by the HHS-OCR. Loss of business, Loss of essential information, and even potential legal fees can destroy a business unprepared for a security breach.
In addition to this, Cybersecurity is an essential aspect of taking your patient-provider responsibility seriously from both a legal and an ethical standpoint.
Following the necessary steps to institute an RSP framework standard is important to maintaining ethical and legal standards. is simply the most ethical practice for healthcare organizations. By implementing RSPs healthcare entities are able to better protect the PHI of their patients and safeguard themselves from civilian lawsuits.
Tying it all together
Ensuring that your businesses clients’ personal health information is properly protected is essential to its longevity. Taking the necessary steps to implement HHS recognized security practices will allow you to reap the benefits of the HITECH Amendment, further supporting the best ethical and business practices.
Through the thorough implementation of recognized security practices, you can ensure that you’re set up for success.
See how Papaya Technologies can help you institute recognized security practices at your business today! The Papaya framework covers all recognized security practices set by the DHHS. You don’t need to be a security expert or HIPAA expert. Papaya offers easy to understand guidance content to walk you through how to implement these recognized security practices for HIPAA. We also offer a variety of tools to get you HIPAA compliant from self-guided risk assessments, custom HIPAA policies and procedures, and a Learning Management system to train your staff on regulatory and leading information security practices. Take charge today!