Why Being HIPAA compliant is not enough
If there is a central key aspect of healthcare security, it is HIPAA. The Health Insurance Portability and Accountability Act of 1996 changed the way healthcare providers increased the security of patient data and information. Every person that works in healthcare, from the front desk person to a brain surgeon, learns exactly what HIPAA is and how they must incorporate it in their jobs. But is following the basic rules of HIPAA truly enough to be secure?
Why is HIPAA not enough?
First, the HIPAA Security Rule is meant to cover a wide range of medical practices, from the small single-doctor office to a huge university teaching hospital. The wide range meant that many of the security elements are necessarily vague. While this allows the Security Rule to apply to the wide range, it also allows for gaps in how patient data is securely treated.
Second, not every standard is required. This is because HIPAA provides guidelines and a framework for security, but it is not prescriptive. It is up to each company or clinic to define what compliance means to them. Addressable standards can be eliminated if the location can document a business reason for not addressing the particular standard. This allows companies to either not implement all the standards that they need or go too far using unnecessary safeguards.
Third, HIPAA does not have any official confirmation of compliance. Compliance is demonstrated through a risk assessment and control documents. This lack of certification means that human error can creep in and affect the security of patient data. It also makes it hard to know which vendors are really following HIPAA.
Finally, HIPAA was created in 1996, long before electronic health records were standard practice. Now that the healthcare industry relies on electronic records, HIPAA simply doesn’t address the concerns of a changing, connected world.
How can HITRUST change how you manage ePHI?
HITRUST, or Health Information Trust Alliance Common Security Framework, was created in 2009 to address the changing nature of how patient information was being used and transmitted. While it includes the HIPAA Security Rule as part of its framework, it also uses security standards from:
- Payment Card Industry Data Security Standard (PCI DSS)
- Control Objectives for Information and Related Technology (COBIT)
- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
- International Organization for Standardization (ISO)
- Federal Trade Commission (FTC) Red Flags Rule
- Centers for Medicare and Medicaid Services Addressable Risk Safeguards (CMS ARS)
- State requirements
- Multiple other standards
HITRUST is a comprehensive set of standards that more adequately meets the needs of the healthcare industry today. It allows each organization to create a set of control standards that fits their specific risks and needs. And what happens when your organization grows beyond your current control guidelines? HITRUST allows for scaling to include the new risks and needs as you grow.
HITRUST is also kept up to date with the ever-changing security risks and laws. As recent events have shown, new regulations can be passed or existing ones change. HITRUST can adapt to these changes quickly so that you remain compliant without interruption.
HITRUST also makes proving compliance to clients and vendors easier. It uses a single, third-party assessment to show how your organization is compliant across multiple standards. And you receive an actual certification, showing that you are not only HIPAA compliant but also truly able to protect patient data from theft and misuse.
HITRUST is becoming the de facto standard for security in the health space. We have extensive experience with HITRUST implementation and certification. We are ready to be your full-service security partner
As Accorian, we have extensive experience with HITRUST implementation and certification. We are ready to be your full-service security partner as you transition to HITRUST. We will work with you to develop your HITRUST standards as well as implement the control policies. Feel free to schedule a consultation with us to see how HITRUST can serve your company, your clients, and ultimately the patients.