How Healthcare Organizations Can Manage Evolving Regulations for Data Privacy

Introduction

Healthcare organizations have been concerned with data privacy for decades, well before the Health Insurance Portability and Accountability Act (HIPAA) of 1996. But that doesn’t mean it’s gotten any easier to keep up with data privacy regulations. In addition to protected healthcare information (PHI), healthcare organizations also process payment data and personally identifiable information (PII), such as social security numbers and biometric records. New rules, such as General Data Protection Regulation (GDPR) and The California Consumer Privacy Act (CCPA), have made data security and compliance more complex.

Compounding the issue is that remote interactions between patients and healthcare professionals have soared during the global pandemic. An overwhelming majority of healthcare organizations use patient portals, and when practices had to close their doors, there was a further uptick in their usage. With more patients and personnel accessing PHI remotely, the odds of experiencing a data breach increase. Here’s what you need to know to maintain compliance and prevent the costs and reputational damage that come with data breaches.

Assess your security readiness

The HIPAA Security Rule is focused on standards for electronic records, and compliance requires that you have all the necessary controls and processes in place. The first step to compliance is to perform a security assessment to determine your ability to create and maintain a secure environment. Here are just a few of the many areas an organization must assess and periodically audit for HIPAA compliance.

Administrative Safeguards

• What is your security management process?
• Do you have a sanctions policy?
• What about your policy for reviewing information system activity?
• Who is responsible for those activities, and do they have a clear understanding of their role?

Workforce Precautions

• Who has the authorization to access protected data?
• When modifications are made, is express knowledge or consent required?
• Is there a way to audit that modification?
• What are your protocols for employee security awareness training?

Contingency Plans

• What are your procedures for data backups, disaster recovery, and emergency operations?
• Do you have testing and revision procedures?
• Do you perform application and data criticality analysis?
• What arrangements do you have in place in the event something goes wrong with your facility?

Facility Use

• Who has access to your facility?
• Do you have access control and validation procedures in place, and how do you maintain your records?
• How do you manage workstation access, including the devices and media housed at those workstations?

Media Use

• Since reusing media such as thumb drives is common, what are your procedures for scrubbing devices, so data isn’t shared unintentionally?

The questions listed here only scratch the surface. The National Institute of Standards and Technology (NIST) has put together a toolkit that walks you through the complete self-assessment process.

Best practices for maintaining compliance

Even without the NIST toolkit, it should be evident that maintaining adequate security protocols encompasses nearly every aspect of your operations, from people and processes to your facility and equipment. While this may seem an arduous undertaking, the following best practices can help improve data management and facilitate your HIPAA compliance.

1. Keep systems up to date - Make sure to update all of your computers with the latest operating systems and security patches. Your antivirus systems and firmware should be up to date as well. We recommend updating all devices and systems within 90 days of new software and firmware releases.
2. Engage an external auditor - Even if you have an internal compliance auditor, it is possible to miss potential security issues. It never hurts to have someone else check their work. A third-party auditor can be a second set of eyes to validate your internal review.
3. Train employees on security awareness - As data privacy concerns and cyber attackers’ tactics evolve, security awareness training is critical to preventing employees from unknowingly jeopardizing private information. Training should cover how to avoid malicious software, proper password management, login monitoring, data sharing do’s and don’ts, and general education on new regulations and potential vulnerabilities.
4. Use cloud-based architecture to minimize your risk exposure - Many organizations are adopting cloud-based IT architectures to address ever-changing security requirements and meet demands for rapid information access. The cloud offers infrastructure and tools that are less expensive than those of an on-premise setup, and it requires fewer resources to manage.
5. Consider HITRUST certification - Health Information Trust Alliance (or HITRUST for short) provides a common security framework to address the requirements across various compliance standards and security frameworks. These standards include Payment Card Industry Data Security Standard (PCI), Data Security Standard (DSS), HIPAA, NIST, ISO 27000, FTC, and Control Objectives For Information And Related Technology (COBIT), just to name a few. As the gold standard in healthcare security compliance, HITRUST certification spans the full range of data privacy concerns. Organizations that adhere to HITRUST standards can ensure their patients and employees that they’ve gone well beyond HIPAA when it comes to compliance.

How a technology partner helps you bring it all together

The complexity of the data privacy landscape will only grow, as will the number of regulations designed to protect healthcare patients and their data. A technology partner like JBS understands the healthcare landscape and can help you establish the processes and techniques needed to maintain compliance.

In addition to HIPAA regulations, we stay up to date on data privacy concerns as a whole. As data privacy regulations converge, it’s more important than ever to approach security holistically. After all, your organization must maintain strict data protocols 100% of the time—cybercriminals only need one opportunity to access your systems and cause severe damage.

JBS Solutions understands the hardware and software ecosystem used by healthcare organizations. We can provide the expert resources and solutions needed to maintain compliance with HIPAA and other privacy standards, including achieving HITRUST certification. We take a holistic approach to ensuring your people, processes, and systems align with the highest security and data privacy standards. Learn more about our healthcare technology services.

Ready to discuss your technology or security challenge? Contact us online to schedule a complimentary consultation.