The Health Insurance Portability and Accountability Act (HIPAA) aims to create a national standard to protect sensitive patient information. With emphasis placed on sensitive medical data, HIPAA ensures patient information is not disclosed without direct consent from the patient.
In the modern digital world, this can be more challenging since the majority of companies utilize digital record-keeping to store their customers’ information. To this point, business operators should familiarize themselves with this compliance standard to ensure they remain compliant.
First, though, how does a business become HIPAA compliant?
Today, we’ll take a closer look at this by establishing who needs to be compliant and how to achieve compliance. In this piece, readers will gain an understanding of the type of information included in the framework, the four core rules of HIPAA, and how to incorporate penetration testing in this process.
Finally, we’ll review the estimated costs associated with this compliance process. With the basics covered, next will be a review of how businesses can remain HIPAA compliant through a variety of tactics to round out a complete overview of this compliance system.
Do you have to be HIPPA certified? is a commonly asked question. A simple answer, any business handling sensitive customer information specifically related to medical records is considered a Covered Entity.
Generally speaking, businesses should be HIPAA compliant if they store any data related to an individual's medical records. This includes:
There are several controls in place to ensure businesses protect their customers’ sensitive health records. The basics of which can be covered concisely by protecting customers’ health records stored digitally. The compliance framework breaks these down into more easily digestible pieces with four core safeguards. Before looking at these core safeguards, first, we need a good understanding of what constitutes Personal Health Information (PHI).
HIPAA Application Safety Requirements state that businesses need to safeguard their customers’ Protected Health Information (PHI).
PHI encompasses all data able to personally identify an individual’s health record, such as health history, demographics, test results, insurance information, or other types of information used to provide healthcare.
To help prepare businesses to protect this information, HIPAA outlines four primary rules. Understanding these basic rules allows businesses to confidently understand they’re following compliance requirements and the consequences of not being compliant.
Overview: The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information (PHI). It applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.
Importance: This rule represents the essence of the HIPAA compliance framework, ensuring that users’ sensitive data remains private and secure, which should be a top priority for businesses.
Overview: The HIPAA Security Rule sets standards for the protection of electronic protected health information (ePHI). It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
Importance: The Security Rule brings together practical applications of how businesses can secure their customers’ sensitive information, ensuring that ePHI is protected from unauthorized access and breaches.
Overview: The HIPAA Enforcement Rule establishes guidelines for investigations into HIPAA compliance and the penalties for violations. It gives the Department of Health and Human Services (HHS) the authority to enforce HIPAA rules and impose penalties for non-compliance.
Importance: The Enforcement Rule ensures that there are consequences for non-compliance, encouraging businesses to adhere to HIPAA regulations and protect patient information.
Overview: The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI.
Importance: This rule ensures transparency and accountability, requiring businesses to promptly inform affected individuals and authorities about data breaches, thereby helping to mitigate potential harm and maintain trust.
Precise details for each of these rules can be found on the Government’s HIPAA website.
With an end goal of identifying that health information remains properly secure, pentesting can bring businesses a few steps closer to HIPAA compliance. While the framework doesn’t explicitly require pentesting or vulnerability scanning, both aspects will often be a core component of the business’s risk analysis, which is required.
The penetration testing process involves trained security professionals attempting to break into your systems, thus finding vulnerabilities that need to be remediated. As the testers discover vulnerabilities in your network or application, these teams work closely with business operators to relay the real-world impact of different vulnerabilities.
Through the pentesting process, businesses gain a better understanding of the weaknesses in their systems that put patients’ PHI at risk. After remediating these vulnerabilities, businesses can better demonstrate the actions they’ve taken to keep that data secure.
The cost of HIPAA compliance depends on the size of the business and the number of digital assets to be covered. With this in mind, smaller businesses should expect to pay less than a larger entity.
The systems requiring coverage would be any system that stores or interacts with a customer's PHI. A good place to start for any business looking into a compliance framework would be to build a strong understanding of its existing digital systems and how they interact with one another.
For HIPAA compliance, the precise cost ranges from hundreds of dollars for a small business with simple digital systems to upwards of $80,000 for a single physician’s office. Many small to medium-sized businesses will more easily complete the compliance requirements without a dedicated compliance officer as well, helping to save costs.
For larger corporate businesses and enterprise firms, they should expect to pay more. Again, depending upon the exact number of digital systems their personal health information touches, the price of compliance will range. With an increase in the number of systems, the price will also rise.
For example, comparing an enterprise to a small business, the enterprise will need more penetration tests, vulnerability scans, likely discover more vulnerabilities in their systems, require more team members to manage and remove vulnerabilities, more processes, programs, and computers — all of which lead to higher expenses.
Finally, if a company requires a full-time compliance officer, this will naturally increase the total costs of compliance.
For larger corporate companies and enterprises, compliance with HIPAA requires a dedicated privacy compliance officer. While this is dependent upon the size of the business seeking certification, at the very least, businesses will have to dedicate someone internally to understand the entire process.
The information outlined above aims to empower businesses to complete their HIPAA compliance process more efficiently.
Once complete, businesses then need to start considering how to maintain this important security requirement, which includes a variety of different tasks. Put simply, these tasks involve an ongoing process similar to the initial certification process, such as employing a compliance officer, completing an annual risk assessment, and completing vulnerability scans and penetration testing regularly.
Naturally, when any vulnerability or risk is detected by these processes, a business should quickly remediate it. Finally, the last aspect relates to ongoing training for team members with access to PHI. Anyone who regularly interacts with this data should be aware of the HIPAA requirements. Furthermore, new staff members should be trained and old staff members properly removed from the systems when they depart.