10 Most Common Questions about HIPAA

HIPAA (Health Insurance Portability and Accountability) is a set of regulations that are legally required for security in any healthcare-related organization that deals with ePHI (electronic Personal Health Information). As we frequently work with organizations who are utilizing FileMaker and WordPress, we’ve come across the following common HIPAA questions.

Q. When can we say we are HIPAA compliant?
A. There is no definitive answer on this. However, based on the Office of Civil Rights, an organization will be considered HIPAA compliant if they make a “good faith” effort, which would generally include the following:

• Performed a recent SRA (Security Risk Analysis)
• Implemented an active Risk Management Process
• Have Policies and Procedures which specify how patient data is protected
• Have signed Business Associate agreements
• Trained employees within the last year
• Documentation evidencing the above and other aspects of your HIPAA compliance program

Q. What are explicit HIPAA requirements and what are just recommendations?
A. HIPAA has requirements called safeguards; there are 3 sets: physical, administrative and technical. To be considered HIPAA compliant, you must be adhering to these safeguards. A Risk Assessment provides recommendations on how to better align your organization with the safeguards.

Q. Who do I need a Business Associates agreement with?
A. A Business Associate is a vendor of a CE (Covered Entity) or a BA (Business Associate) that needs access to or stores Protected Health Information as a regular part of the services they provide. Common examples of BAs are IT companies, billing companies and transcription companies. Cleaning companies are not BAs.

Q. Do I need to retrain my employees every year?
A. As a practical matter yes. If you don’t train your employees every year, it will be called out as a risk.

Q. Can I send email to patients?
A. There are two circumstances in which it is permissible to email patients. If you have encrypted email, it is always fine to email patients. If you do not have encrypted email, but a patient signs a release saying it is OK to email, then you are fine. This is hard to keep track of and will generally be impractical. Best practice is to just electronically communicate with a patient through a portal. This is secure and also keeps track of all communications for you.

Q. Is Ransomware a reportable breach?
A. It is very possible it may be, but an investigation of the facts is required to confirm. Click here for more information. Every effort should be made to prevent a ransomware infection. Make sure all systems are patched, have a recent vulnerability scan and train your employees to recognize and avoid phishing emails. This is best practice for cybersecurity no matter what industry you are in.

Q. What is the difference between a security incident and a breach?
A. Anytime the Security Officer suspects that somehow ePHI (electronic Protected Health Information) was disclosed in an unauthorized fashion there is a security incident. The security incident must be investigated before it is determined to be a breach.

Q. How often should we perform a Risk Assessment?
A. The HIPAA regulations allow organizations to perform Risk Assessments on a frequency they deem appropriate. However, CMS/HHS (Centers for Medicare and Medicaid Services and Health and Human Services) requires SRAs for Meaningful Use, MACRA and the Diabetes Prevention Program to be performed yearly. So this is now the de facto standard. As a best practice, and to meet HHS standards, everyone should perform an SRA at least once per year.

Q. Do I need to do a vulnerability scan?
A.Yes. Identifying technical vulnerabilities is a requirement of the HIPAA Security Rule. According to HHS: “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.” However, the HIPAA Security Rule does not specify the frequency in which this should be performed. How often you get a Vulnerability Scan completed is considered a discussion you should have with your IT department or IT vendor. Remember, a vulnerability scan helps not just with HIPAA, but also with your organization’s cybersecurity posture. We have seen horrible breaches that could have been prevented if a vulnerability scan had been run.

Q. Do I have to encrypt my laptops?
A. If a laptop is lost, that is a security incident. It is then incumbent upon the organization to perform an investigation to see how much and which ePHI is stored on the laptop. This is virtually an impossible task. However, encryption offers a “safe harbor”. If a laptop is encrypted and it is lost, it is not a breach. Encryption is very cheap and easy these days and it is a recommended best practice for all organizations, not just HIPAA Covered Entities.

The LuminFire team talks security every day, and specializes in keeping FileMaker solutions, WordPress websites, and macOS’s secure. We can assist your organization with a security plan that addresses both HIPAA compliance as well as PHI, ePHI, FERPA, GDPR and other requirements. Contact us today to reduce your security risk.

Bonus specific question:

Q. What is different about HIPAA compliant FileMaker or web hosting?
A. HIPAA compliant FileMaker or web hosting requires specialized security, logging, and monitoring. It also requires a signed BAA (Business Associates Agreement).