HIPAA Privacy Compliance
The HIPAA Act took effect in 1996, the HITECH Act in 2009, and the Final Omnibus Rule in 2013, and despite the years that have passed, HIPAA Privacy compliance is still a challenge for many health care organizations. There have been several breach incidents involving PII and, specifically, PHI. Organizations are still facing challenges in compliance, and most findings relate to basic security hygiene such as risk management, policies, data minimization, and encryption. Organizations are being fined millions, and their names appear on the HHS "Wall of Shame".
HIPAA Cyber Challenges
New technologies are evolving, and the health care industry has moved away from paper processes and now relies heavily on the use of electronic information systems to store and process the data. The cloud movement has an impact on the healthcare industry challenges too as the majority of organizations have moved to the cloud for its various benefits.
Today, healthcare providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, the majority of them hosted in some form of cloud environment.
The cloud environment is not inherently safe either. One of the top cloud risks is misconfigured servers, which can lead to data breaches. Another major risk is insecure APIs. Organizations use APIs to transfer data to business partners without a secure architecture in place, without conducting proper vendor due diligence, and without evaluating the risks across the data flow lifecycle.
Under the HIPAA rules, healthcare organizations are required to have a Business Associate Agreement with their vendors and other third parties. It is equally important to understand the data security controls in place at those business associates.
HIPAA Compliance Requirements
Health care entities and related business associates (BAs, e.g., health plans, health care clearinghouses, exchanges, health care providers, and organizations that conduct certain financial, research, and administrative functions) are being asked with increasing frequency to demonstrate that they meet the common security and privacy requirements of HIPAA, and that they have taken appropriate measures to:
- Secure their environment.
- Be vigilant in anticipating what might occur in the evolving security landscape.
- Implement appropriate measures to detect and react to existing and emerging threats.
- Be resilient in their ability to recover operations when a security incident does occur.
- Use encryption technologies to de-identify PII data.
SOC 2 Type 2 for HIPAA
The SOC 2 compliance report provides assurance to the organization's internal and external stakeholders about the specific controls implemented and/or operating effectively to comply with privacy regulatory requirements. A single SOC 2 report can provide information about the organization's controls over protected health information (PHI) based on the HIPAA requirements and the AICPA's Privacy Trust Services Criteria, formerly known as the AICPA's Generally Accepted Privacy Principles (GAPP).
This SOC 2 examination gives service organizations the ability to increase transparency and communicate through a single deliverable to customers, business partners, and stakeholders both inside and outside the healthcare sector. Healthcare covered entities should also demand a SOC 2 report from their business associates and CSPs, in order to understand and obtain assurance over the controls implemented and/or operating effectively at the business associate or CSP for both PHI data security and privacy.