6 Steps to HIPAA Compliance

Updated on November 25, 2017

Brian Vecci, Technical Evangelist at Varonis By Brian Vecci

Whether you are a seasoned tech leader or new to healthcare IT, ensure your organization is taking the necessary steps to help ensure HIPAA compliance.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a regulation that, among other things, protects confidential patient healthcare data and sets standards for safeguarding electronic patient healthcare information (e-PHI) – including but not limited to names, social security numbers, DOBs, medical and health plan IDs, geographical data and more. In addition to HIPAA, subsequent legislation also provides mandatory rules regarding when breaches must be reported to the HHS to post publicly on their website.

Noncompliance can have a major negative impact on an organization’s bottom line. Along with financial penalties, failure to comply can cause long-term damage to the reputation of your business. Patients trust organizations to protect their sensitive information. Compromised data places patients at risk.

All organizations that handle personal health information – including healthcare providers, HMOs, doctors’ offices and even service and technology companies that work with these entities – must comply with HIPAA regulations. 

While most organizations are aware of HIPAA and strive for compliance, you could be in violation and not even know it. If you’re not keeping a close eye on the data in your environment – everything including your SharePoint sites, emails, files and servers – you’re leaving the door open to noncompliance.

To be compliant, organizations must maintain “reasonable and appropriate” administrative, physical and technical safeguards to ensure the integrity and confidentiality of patient information.

Are you taking all the necessary actions to ensure the security of personal identifying information? Here are six steps to help your organization strengthen its security posture:

  1. Be Smart About Authentication: Assign one unique login ID per user and do not permit shared logins. That way, in the event of an incident, you will be able to trace specific actions back to a single user. Given the popularity of mobile devices, it’s more important than ever to implement two-factor authentication, require strong passwords, expire passwords periodically and enforce automatic logoff.
  2. Inventory e-PHIs: Data classification software, also known as data discovery or content classification software, scans the information in your environment and tells you where you have e-PHI stored, who has access to it, who is using it and what your risk is. The right software will allow you to act to restrict access and take action while providing an audit trail.
  3. Strive for “Least Privilege”: Knowing who has access to e-PHI at all times is critical. Create and review permissions reports for servers and locations with e-PHI to verify that access is limited to legitimate users who need that data to do their jobs. Assign data owners and have them review permissions reports regularly to prevent “permission creep” from setting in. Review your access control lists (ACLs) and eliminate global access groups, which are extremely dangerous because they can unlock access to sensitive data. 
  4. Audit Access to Data: Track access on every platform where e-PHI is stored. That way, in the event of a breach, you will have a list of actions that occurred with that data – you will know who accessed it, when they accessed it, and what they did (saved, deleted altered, emailed, etc.) with that data.
  5. Restrict Transmission of e-PHI: An organization that sends unencrypted e-PHI over the Internet is not compliant with HIPAA because that data could be compromised. To help ensure compliance, monitor corporate email activity and provide a secure file sharing solution that allows authorized parties send sensitive documents via HTTPS and private links. It’s wise to encrypt data at rest in every instance: That way, if a computer or hard drive is stolen, the data would be encrypted and the incident would fall under HIPAA’s safe harbor provision – and would not require reporting.
  6. Stay on Top of Risk with Alerts: Hardly a day passes where a breach is not in the news. Risk is inevitable and mistakes happen. Knowing about risk and acting to reduce that risk in your environment can help. Set up alerts for privilege escalations, unprotected repositories with e-PHI, and abnormal user behavior. In fact, unusual user activity – for example, file access for a user jumps significantly — can indicate a breach or other critical event. If you’re aware of the situation, you can investigate and mitigate damage.

Get a full view of what is occurring in your organization with a no-cost HIPAA compliance assessment that provides a full audit of your file systems, Exchange, Active Directory, and your SharePoint environment. Visit https://www.varonis.com/solutions/healthcare/ for additional HIPAA-related resources and to learn more.

Please note, these suggestions should serve are guidelines only and not be considered legal advice.

Brian Vecci is Technical Evangelist at Varonis.

The Editorial Team at Healthcare Business Today is made up of skilled healthcare writers and experts, led by our managing editor, Daniel Casciato, who has over 25 years of experience in healthcare writing. Since 1998, we have produced compelling and informative content for numerous publications, establishing ourselves as a trusted resource for health and wellness information. We offer readers access to fresh health, medicine, science, and technology developments and the latest in patient news, emphasizing how these developments affect our lives.