Within the Health Insurance Portability and Accountability Act (HIPAA) are two fundamental rules that all covered entities (like health care providers) need to understand and follow.
The HIPAA Privacy Rule applies to Protected Health Information (PHI) broadly, and falling under that is the HIPAA Security Rule which focuses on electronic Protected Health Information (ePHI). ePHI refers to most anything that is created, received, maintained, or transmitted by a covered entity and stored in electronic form.
The HIPAA Security Rule says that organizations must have measures in place to “reasonably safeguard” ePHI against all manner of threats – which are basically anything (a person, an activity, or an event) with the potential to cause harm to an information system that could result directly or indirectly in a financial or data loss.
With information systems built on technology that is in a constant state of evolution, and with new malicious threats seemingly popping up daily, being able to “reasonably safeguard” most anything is hard work.
Taking a logical approach to threat evaluation
At ZZ Servers, we help our customers through a threat and control evaluation methodology to help prioritize and focus this important HIPAA effort. It starts by making a full list of the kinds of threats a given organization might face and then asking a couple of fundamental questions:
“Is this system exposed to this threat?”
“Is this system exposed to this threat less than or greater than normal?”
It’s all about gauging the true potential impact of a given threat.
In other words, an organization may find that some threats have a high likelihood of happening, but the real impact of that threat (i.e. compromised data, etc.) could be low. Conversely, the chance of some other type of threat happening could be minimal, yet the impact could be quite bad if it did.
Listing every technology/environmental scenario and spelling out exactly which threats apply and to what level a given system is exposed is a challenging proposition. The evaluation methodology described above takes a common sense approach and helps bring sanity to the process.
Doubling down on documentation
HIPAA is also all about documentation.
No matter how simple or complex your threat posture may be, documentation is critical.
In the case of a HIPAA audit or a data breach, regulators will want to see your organization’s analysis, procedures and policies (and more) in writing. In grade school, we had to show our work. For HIPAA we must do the same.
This includes documenting events, remediation steps, patient notices and the like in a timely fashion when situations such as data breaches arise. Lack of documentation was a factor in Memorial Hermann Health System’s recent $2.4 million HIPAA settlement for improper PHI handling.
When in doubt, document.
Help from the pros
Getting a handle on HIPAA compliance can be a demanding exercise, even for the largest organizations.
Your information systems and technical infrastructure are an incredibly important piece of the HIPAA compliance puzzle. Partnering with a trusted service provider like ZZ Servers makes business sense for many organizations, especially those with limited IT resources.
ZZ Servers can help organizations reach and maintain HIPAA compliance at a price that aligns with their budget and needs. We have packaged together the infrastructure, systems hardening and managed services into convenient offerings. Our portfolio includes fully dedicated, and semi-dedicated HIPAA-enabled hosting solutions.
And ZZ Servers staff will work hand in hand with your team throughout the HIPAA compliance, analysis, evaluation and documentation processes as needed.
Contact us today for more information on how we can help your organization.
