HIPAA Privacy Compliance

The HIPAA Act took effect in 1996, the HITECH Act in 2009, and the Final Omnibus Rule in 2013, yet despite the years that have passed, HIPAA Privacy compliance is still a challenge for many healthcare organizations. Breach incidents involving PII, and specifically PHI, continue to occur. Organizations still struggle with compliance, and most findings relate to basic security hygiene such as risk management, policies, data minimization, and encryption. Organizations are being fined millions, and their names appear on the HHS "Wall of Shame".

HIPAA Cyber Challenges

Today's technologies are evolving, and the healthcare industry has moved away from paper processes and now relies heavily on electronic information systems to store and process data. The move to the cloud has added to the healthcare industry's challenges, as most organizations have adopted cloud services for their various benefits.

Today, healthcare providers use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, the majority of which are hosted in some form of cloud environment.

Cloud environments are not inherently safe. One of the top cloud risks is misconfigured servers, which can lead to data breaches. Another major risk is insecure APIs: organizations use APIs to transfer data to business partners without a secure architecture in place. They also fail to conduct proper vendor due diligence and to evaluate the risks across the data flow lifecycle.

The HIPAA rules require healthcare organizations to have a Business Associate Agreement (BAA) with their vendors and other third parties. It is equally important to understand the data security controls of those business associates.

HIPAA Compliance Requirements

Healthcare entities and their business associates (BAs, e.g., health plans, health care clearinghouses, exchanges, health care providers, and organizations that conduct certain financial, research, and administrative functions) are being asked with increasing frequency to demonstrate that they meet the common security and privacy requirements of HIPAA and that they have taken appropriate measures to:

  • Secure their environment.
  • Be vigilant in anticipating what might occur in the evolving security landscape.
  • Implement appropriate measures to detect and react to existing and emerging threats.
  • Be resilient in their ability to recover operations when a security incident does occur.
  • Use encryption technologies to de-identify PII.

SOC 2 Type 2 for HIPAA

The SOC 2 compliance report provides assurance to the organization's internal and external stakeholders about the specific controls implemented and/or operating effectively to comply with privacy regulatory requirements. A single SOC 2 report can provide information about the organization's controls over protected health information (PHI) based on HIPAA requirements and the AICPA's Privacy Trust Services Criteria, formerly known as the AICPA Generally Accepted Privacy Principles (GAPP).

A SOC 2 examination gives service organizations a way to increase transparency and communicate, through a single deliverable, with customers, business partners, and stakeholders both inside and outside the healthcare sector. HIPAA covered entities should also demand a SOC 2 report from their business associates and cloud service providers (CSPs) to understand, and gain assurance over, the controls those business associates and CSPs have implemented and/or are operating effectively for PHI data security and privacy.