SUPERIOR, CO -- (Marketwire) -- 03/28/13 -- To help companies and organizations comply with the new U.S. Department of Health and Human Services (HHS) Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule that was announced in January and took effect on March 26, 2013, leading security and compliance companies StillSecure® (http://www.stillsecure.com/) and Coalfire® (http://www.coalfire.com/Home) released today an overview of what the exact changes are, as well as five tips to ensure a speedy transition.
While business associates have until September 23 to reach compliance, the Rule, which encompasses new requirements and modifications to the Privacy and Security Rules, could present some confusion in the marketplace. The rule formalizes and strengthens many of the changes that were announced in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which clearly defines when HHS needs to be notified of a breach, as well as increases the penalties applied for non-compliance.
The biggest change in the new regulation applies to business associates and subcontractors. For example a health information organization and its cloud service provider are now assumed to be held to a business associate agreement (BAA). In the past, subcontractors could choose to opt out of signing an agreement, which essentially limited liability should HHS come knocking. Under the new regulation, any healthcare service provider that comes in contact with Protected Health Information (PHI), in either paper or electronic (ePHI) form, must sign a formal business associate agreement making the organization liable for a breach.
Here are StillSecure and Coalfire's top five tips to help companies and organizations reach compliance:
1. Know if you need to be compliant. Many people do not realize that shredding companies and office cleaning crews that may see patient data without realizing it are now liable. Anyone that has access to PHI, regardless of their position and how far removed they are from the covered entity, is now in full scope.
2. Take a solid inventory of where data lives. Data is constantly being transmitted back and forth via applications, web servers and file servers. However, many organizations lack a comprehensive inventory of where all of this data lives. This makes it difficult to accurately assess the risk of data storage. Participants must be able to control physical and logical access to patient information and proactively protect against inappropriate access to the data at every exchange point. This is impossible to achieve without a solid inventory.
3. Conduct a risk analysis and data classification. Under HIPAA, there is a clear requirement that companies need to complete a thorough risk assessment of the storage, processing and transition of ePHI data. This risk to data needs to be clearly defined and any control gaps need to be outlined.
4. Control the flow of ePHI data via mobile devices. While there is not a specific requirement within HIPAA that addresses mobile devices, tablets and smartphones frequently hold ePHI data. Organizations need to implement corporate BYOD policies and have controls in place including passwords and remote capabilities to protect this data.
5. Know the definition of encryption. There seems to be a lot of confusion around encryption as many people translate this addressable specification as being optional. Some organizations see "encryption" and after evaluating what it entails, decide that it costs too much money or is too difficult to implement. If there is a security breach, HHS officials will first ask if the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that may be at risk. This documentation serves as a road map for developing action items based on priority or level of risk. When a breach occurs, organizations need to demonstrate their due diligence to show that all risks were acknowledged, especially those that cannot be technically met. We cannot stress enough how thorough this documentation should be -- it should be supported through a risk management program and updated at least annually or with the introduction of new risks. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.
"We are busier than ever helping customers, prospects and partners get their arms around the new HIPAA Rule to comply by September 23," said James D. Brown, CTO at StillSecure. "Specifically, we have seen a tremendous amount of interest in our third-party audited compliance managed services, HIPAA Essential® and PCI Complete® that are helping companies and organizations to address compliance issues."
"We are hearing a lot of confusion from our customers about what the new rule actually means to their bottom line," said Andrew Hicks, Director, Healthcare Practice Lead at Coalfire. "These tips are a great resource for companies and organizations that are rushing to put a plan in place in advance of the September 23 compliance deadline."
StillSecure designs and delivers managed network security solutions and certified compliance solutions for IT executives facing escalating security threats and evolving compliance requirements, as well as data centers looking to cement long-term customer relationships. Unlike vendors with uncertified partial fixes or self-audited solutions, StillSecure unites security experts, certified processes and innovative technologies to provide holistic solutions that eliminate the need to juggle multiple vendors, http://www.stillsecure.com/blog, or follow us on Twitter at @StillSecure (http://twitter.com/stillsecure).
Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington D.C. and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, HITRUST, NERC CIP, Sarbanes-Oxley, FISMA and FedRAMP. For more information, visit www.coalfire.com.