HIPAA Compliance in Focus: Q&A with LMG's Steven McClain

HIPAA is fundamental to protecting patient privacy, requiring healthcare and legal organizations to be attentive to their compliance. Sometimes it takes an expert to unravel the details. LMG Security Consultant Steven McClain helps organizations assess and improve their HIPAA compliance, the Security Rule in particular. He performs Gap Analyses and Risk Assessments and aids in the development of remediation plans, policies, and procedures for better compliance.

I asked Steven a few questions to help clear up some of the fog around HIPAA. Send your own questions our way, and we will add them to the post!

Ali: Where do you find most organizations fall short when it comes to HIPAA compliance?

Steven: I find that one of the biggest barriers to compliance is documentation. Oftentimes, organizations have numerous security controls in place but do not have policies and procedures documented anywhere. There are many reasons to have comprehensive documentation of policies and procedures, including:

• It is required by the HIPAA Security Rule!
• Displays management’s commitment to information security
• Avoids misunderstanding of “understood” policies
• Creates consistency
• Clarifies responsibility
• Protects information

Ali: How are organizations interpreting the sometimes ambiguous language of the HIPAA Privacy Rule?

Steven: The language in the the HIPAA Privacy Rule is left intentionally vague to allow some flexibility in the implementation of controls. Since there is such a variety of covered entities and business associates, it makes sense to allow for some leeway in regards to compliance. This of course does not mean that small entities do not have to follow the rules! They must take into consideration their size, complexity, capabilities, technical infrastructure, hardware, software security capabilities, the cost of security measures, and the probability and criticality of potential risks to electronic protected health information (ePHI).

Ali: What is the penalty for a HIPAA violation?

Steven: Currently, individuals cannot bring criminal charges against a provider, but the HITECH Act does allow a state Attorney General to bring an action on behalf of the state’s residents. Fines imposed for non-compliance are on a four-tiered structure with the most extreme tier imposed for “willful neglect.” Simply ignoring a standard defined by HIPAA would most likely warrant the tag of “willful neglect.”

This table displays the four tiers of violations:

Ali: How about the section of the Privacy Rule that says organizations must make “reasonable efforts” to prevent unauthorized access to or disclosure of PHI? Organizations should encrypt their electronic communication, but does this mean they must use encryption?

Steven: Encryption is not required by HIPAA. However, HIPAA does not require notifications to be sent in the event of an ePHI breach if said ePHI is encrypted in accordance with Health & Human Services (HHS) guidelines. There is a popular example of a hospital that was fined $1.5 million in 2012 because a doctor’s unencrypted laptop was stolen. If the laptop had been encrypted, they would not have had to report the theft and would have avoided the fine. Not to mention, encryption also protects an organization from the reputational and financial repercussions that come with notifying the media of a data breach.

Ali: What’s the role of Business Associates under HIPAA? Are attorneys who handle PHI Business Associates?

Steven: Attorneys who deal with PHI are certainly considered Business Associates and as such are required to comply with certain subsections of the HIPAA Privacy Rule, most notably the majority of the provisions in the HIPAA Security Rule. These include implementing and documenting administrative, physical, and technical safeguards. Business Associates are subject to audit by the HHS Office for Civil Rights (OCR). In 2014, 800 covered entities and 400 business associates were surveyed as candidates for an audit.

Ali: What recommendations do you make to organizations beyond the minimum level of compliance?

Steven: Conducting a thorough Risk Assessment and correctly remediating areas where there is an unacceptable level of risk is critical to protecting an organization’s information assets, including ePHI. There is a common myth among small organizations that they do not need to conduct a Risk Assessment, and this could not be further from the truth. In larger organizations, the “tone at the top,” or management’s commitment to information security, is frequently inadequate. This attitude is definitely evolving in light of more recent, high-profile breaches, but a proactive approach to information security is critical.

If your enterprise is ready for a Risk Assessment or other HIPAA compliance analysis, contact LMG today.