Through working with many healthcare and health related companies here at CTInfoSec, we often hear the questions, “I need to be HIPAA compliant; how do I make sure I am? Where do I start?”
Understanding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule and its components is critical if your organization is handling Protected Health Information (PHI). There is a lot to know, but as the familiarity with information security has grown, most of the controls should look familiar to you.
If you are feeling stuck, below we have outlined a basic path forward.
Do your research.
Understand components of the Privacy Rule vs the Security Rule and the professionals needed to assist with each. For the Security Rule (where our expertise lie), understand the controls associated with the rule (https://www.hhs.gov/hipaa/for-professionals/security/index.html). Reference National Institute of Standards and Technologies (NIST) Special Publication (NIST SP 800-66) for more detailed guidance https://www.nist.gov/programs-projects/security-health-information-technology/hipaa-security-rule.
Understand the controls.
There are three main categories of controls for HIPAA compliance. These are Administrative, Physical and Technical Safeguards. Below is a brief description of each. More information on these control categories can be found in the links above.
- Administrative Safeguards – Controls, policies, standards and procedures regarding security management, security personnel, information access management, workforce training and management and ongoing evaluation processes.
- Physical Safeguards – Controls, policies, standards and procedures regarding facility access and controls, as well as workstation and device security.
- Technical Safeguards – Controls, policies, standards and procedures regarding access controls, audit controls, integrity controls and transmission security.
Understand your current gaps.
Review the detailed controls within the rule and assess where you are with each. Document potential gaps and mitigating controls that might be in place to meet these compliance requirements.
Set a plan of attack.
We find that many times the initial assessment shows a large percentage of compliance, but also several gaps. Many of these gaps tend to fall within documentation (policy, standards, procedures) which can be quickly addressed in most cases. Where this is not the case, it is important to outline mitigating controls and/or a plan to address the gaps.
If you need additional guidance, we are here to help you.