What is HIPAA Compliance?

Protecting the confidentiality, integrity and availability of patient information by healthcare organizations became a legal requirement via the Health Insurance Portability and Accountability Act, (HIPAA), which came into enactment in 1996.

HIPAA Compliance is a US federal law, designed to protect the privacy of individually identifiable patient information, both physically and electronically. It provides continuity and Portability of health benefits to individuals in between jobs and also provides measures to combat fraud and abuse in health insurance and health care delivery (Accountability).

HIPAA Compliance is applicable to 3 Covered Entities (CE). They are:

Health care providers who transmit information electronically (e.g., physicians, hospitals)

Health care insurance companies; and

Health care clearing houses (facilitators for processing of health information for billing purposes)

Obtain and Maintain Senior Management Support

Compliance requires substantial time and resources; and hence awareness and education of the Senior Management about the Security Rule is absolutely essential, to have their continual support throughout the compliance process. This is where NII’s role comes in – educating senior management about the necessity of HIPAA compliance; presenting them with the hostile consequences of non-compliance; explaining them how the Senior Management of CEs that do not comply with the Security Rule would fall in the limelight of auditors, lawyers and unhappy patients, leading to loss of goodwill; and also, as the compliance efforts progress, keeping the senior managers informed and up-to-date.





Compliance requires substantial time and resources; and hence awareness and education of the Senior Management about the Security Rule is absolutely essential, to have their continual support throughout the compliance process. This is where NII’s role comes in – educating senior management about the necessity of HIPAA compliance; presenting them with the hostile consequences of non-compliance; explaining them how the Senior Management of CEs that do not comply with the Security Rule would fall in the limelight of auditors, lawyers and unhappy patients, leading to loss of goodwill; and also, as the compliance efforts progress, keeping the senior managers informed and up-to-date. Develop and Implement Security Policies & Procedures

The first step, even before implementing security processes and techniques to protect electronic Protected Health Information (ePHI), is to carefully identify and define what security policies and procedures are needed to be developed and implemented for a particular CE. NII’s role would be to conduct a comprehensive gap analysis to understand the existing organizational environment and then to come up with the required policies for that organization, in order to achieve compliance. These would help define the organization's security related strategic goals by providing an overall security framework, and would provide a baseline for the selection and use of its security technologies.





The first step, even before implementing security processes and techniques to protect electronic Protected Health Information (ePHI), is to carefully identify and define what security policies and procedures are needed to be developed and implemented for a particular CE. NII’s role would be to conduct a comprehensive gap analysis to understand the existing organizational environment and then to come up with the required policies for that organization, in order to achieve compliance. These would help define the organization's security related strategic goals by providing an overall security framework, and would provide a baseline for the selection and use of its security technologies. Conduct and Maintain Inventory of ePHI

Ensuring the CIA of ePHI becomes difficult, if it can’t be located. So this task of regularly identifying and documenting the flow of ePHI throughout the organization is to be done by NII. Certain points which would be checked during this process are – whether there is regular exchange of its ePHI with any of the business partners, does any information system regularly send ePHI to any other information system, does the organization regularly send its ePHI over the Internet, etc.





Ensuring the CIA of ePHI becomes difficult, if it can’t be located. So this task of regularly identifying and documenting the flow of ePHI throughout the organization is to be done by NII. Certain points which would be checked during this process are – whether there is regular exchange of its ePHI with any of the business partners, does any information system regularly send ePHI to any other information system, does the organization regularly send its ePHI over the Internet, etc. Be Aware of Political and Cultural Issues Raised by HIPAA

Compliance with the Security Rule also requires significant changes in the organizational culture, particularly the way in which employees interact with ePHI.



For example, the development of new policies and procedures requiring monitoring and auditing of employee actions; or the changes to a CE's access control policy leading to the fact that employees, who had unrestricted access to ePHI previously, may now have only limited access. Such changes might arouse confusion, resistance or even ego/political clashes within the organization.



These issues can be mitigated by educating the employees about the requirements of the Security Rule, about the importance of protection of ePHI, and the methodology to be taken by the organization to comply with the rule. This entire exercise would be done by NII, in the first phase of the compliance process. Additionally, to have a better approach, soliciting feedback from employees and review on proposed security policies and processes could also be done as a part of this exercise.





Compliance with the Security Rule also requires significant changes in the organizational culture, particularly the way in which employees interact with ePHI. For example, the development of new policies and procedures requiring monitoring and auditing of employee actions; or the changes to a CE's access control policy leading to the fact that employees, who had unrestricted access to ePHI previously, may now have only limited access. Such changes might arouse confusion, resistance or even ego/political clashes within the organization. These issues can be mitigated by educating the employees about the requirements of the Security Rule, about the importance of protection of ePHI, and the methodology to be taken by the organization to comply with the rule. This entire exercise would be done by NII, in the first phase of the compliance process. Additionally, to have a better approach, soliciting feedback from employees and review on proposed security policies and processes could also be done as a part of this exercise. Conduct Regular and Detailed Risk Analysis a.Build the probable realistic threat scenarios that threaten patient data b.Determine the likelihood and magnitudes of threat realization c.Prioritize a set of the most cost-effective safeguards for the operation





Determine what is Appropriate and Reasonable

Using the risk documentation from the Risk Analysis process, NII would propose security controls that can mitigate or eliminate the identified unacceptable risks to ePHI. These controls would reduce the risk levels of ePHI and related information systems to an acceptable level. These recommended controls would then be evaluated; when the CE moves into the phase of risk mitigation.





Using the risk documentation from the Risk Analysis process, NII would propose security controls that can mitigate or eliminate the identified unacceptable risks to ePHI. These controls would reduce the risk levels of ePHI and related information systems to an acceptable level. These recommended controls would then be evaluated; when the CE moves into the phase of risk mitigation. Documentation

The Security Rule needs CEs to formally document a wide range of security policies and procedures, which have to be approved by the Senior Management and regularly reviewed and revised as necessary. A CE with nil or limited documentation would be at significant risk when visited by an auditor or a lawyer. They would also want to compare the organization’s security policies against the industry best practices and also see documentation of the addressable implementation specification decisions, which the organization makes. This entire documentation would be taken care by NII.





The Security Rule needs CEs to formally document a wide range of security policies and procedures, which have to be approved by the Senior Management and regularly reviewed and revised as necessary. A CE with nil or limited documentation would be at significant risk when visited by an auditor or a lawyer. They would also want to compare the organization’s security policies against the industry best practices and also see documentation of the addressable implementation specification decisions, which the organization makes. This entire documentation would be taken care by NII. Prepare for on-going compliance

CEs should comply with the Security Rule on a continual basis. So, the development and implementation of security policies, procedures, techniques, and controls is to be done keeping in mind that they must be regularly reviewed and updated as and when necessary. In the future, risks to ePHI and related mitigation measures are likely to change; so the organization must understand and be prepared to respond to these changes. Additionally, HIPAA being a federal law, the Security Rule is subjected to change by the US government. So, a regular monitoring for this rule, for any changes, needs to be done. This continual improvement and compliance process can be handled by NII.





Regardless of size or complexity, if an organization is a CE, there are 8 key steps it should consider when preparing to comply with the Security Rule.