With rising cyber threats and more people working from home, securing endpoint devices has never been more critical. In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) protects private and sensitive patient data by requiring organizations handling healthcare information to pay closer attention to their protocols and institute airtight security safeguards. Hospitals, insurance companies, healthcare providers, BPOs, and other private or public business associates working in connection with the healthcare industry must all follow HIPAA compliance.
Below, we explore what HIPAA compliance means in today’s digitalized context and how protecting endpoint devices can help healthcare businesses and their associates better protect their patients’ and clients’ private data, all the while staying on top of the latest regulations.
Table of contents:
- What is HIPAA?
- 4 common trends in HIPAA data breaches
- HIPAA Privacy Rule: why protected health information (PHI) must be secured
- Who is required to follow HIPAA?
- HIPAA compliance when working remotely
- 8-step HIPAA compliance checklist for remote workers
- Why is HIPAA important for employees?
- HIPAA Compliance for remote employees
- HIPAA compliance with TypingDNA’s ActiveLock – continuous endpoint authentication
What is HIPAA?
HIPAA is a United States federal law that stands for the Health Insurance Portability and Accountability Act of 1996. The U.S. Congress passed this landmark law to provide the following:
- Portability of insurance
- Protection and privacy of healthcare information
- Standardization and efficiency in healthcare data
- And prevention of discrimination and fraud
Under HIPAA, the U.S. Department of Health is responsible for adopting rules that safeguard the protected health information of individuals and patients from unauthorized disclosure. It establishes a national set of security standards for protecting certain health information held physically or transferred in electronic form.
In addition to privacy and security, administrative provisions are also part of HIPAA to improve the efficiency and effectiveness of the healthcare system. These include:
- Specific transaction standards and code sets
- National standard and unique identifiers
- Data Security and electronic signatures
HIPAA compliance is highly dependent on the size, function, administration, and type of entity or business associate, requiring regular performance of risk assessment to track access to protected health information, periodic evaluation of the security measures put in place, and re-evaluation of potential risks to protected health information.
4 common trends in HIPAA data breaches
Since the regulation appeared in 1996, we have seen several major HIPAA offenses that cost businesses from $100 to $250,000 per violation, with a maximum penalty of $1.5 million per year. This can be intimidating for any organization.
Here are 4 common reasons for HIPAA breaches:
- Lack of employee cybersecurity training – Almost a third of healthcare employees said they have never received cybersecurity training in the workplace.
- Medical record mishandling – Using paper records increases the risk that protected health information will be left exposed, but so does leaving devices unlocked and unattended.
- Lack of identity and access control and proper technological solutions to data management – As protected health information (PHI) enters your company’s databases, systems, and devices, it’s essential to regulate the access employees have to sensitive data. This process is called Identity and Access Management and helps you manage your authorized and authenticated employees’ access to various levels of sensitive information.
Hacking and Malware – Protected Health Information (PHI) is worth ten times more than credit card information, a fact that incentivizes malicious attackers to go after such data.
HIPAA Privacy Rule: why protected health information (PHI) must be secured
In short, any private or public body with access to physical or electronic protected health information (PHI or ePHI) has to abide by HIPAA’s regulations.
Protected health information, as defined by the U.S. Department of Health & Human Services, is any information concerning a person’s health condition, health care service, or health care payment that is generated or collected by a Covered Entity (or a Covered Entity’s Business Associate) and may be linked to that person. This is defined as any component of a patient’s medical record or payment history.
Under the HIPAA Privacy Rule, privacy and security aspects of PHI are addressed. There are three primary purposes which include:
1. To protect and enhance the rights of consumers by providing them access to their health information and controlling the use of that information
2. To improve the quality of healthcare in the United States by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care
3. To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.
Who is required to follow HIPAA? Covered entities & business associates
The Act refers to the organizations and individuals concerned by its provisions as “covered entities” and “business associates.” Employers are to be compliant with HIPAA only to the extent that they operate in one or more of the three groups mentioned below or if the respective employer offers health care and treatment to employees on-site.
First, let’s see the types of covered entities that must be HIPAA compliant, and then we’ll move on to explaining how business associates are also affected by HIPAA.
HIPAA Covered entities: Healthcare providers
Organizations or individuals who transmit any health information in electronic form and who provide bills or are paid in connection with their provided services. Examples include physicians, dental specialists, mental health providers, nurses, chiropractors, psychologists, radiology centers, pharmacies, durable medical equipment providers, hospitals, ambulance companies, home health workers, and social workers.
HIPAA Covered entities: Health Plans
These are any personal or group plans that provide, arrange for, pay for or reimburse a part of the cost of healthcare. Examples include insurance companies, Medicaid, and Medicare.
HIPAA Covered entities: Healthcare Clearinghouses
These public or private entities act as middlemen between the healthcare providers and the insurance payers, transforming on behalf of other organizations to conform to standards for data content and format as regulated by HIPAA. Healthcare Clearinghouses submit HIPAA-compliant transactions, like claims which are covered electronically. An example could be an outside billing service that ensures all information transferred between a doctor’s office and an insurance company complies with HIPAA. Learn more about how Business Process Outsourcing (BPO) works, and how they safeguard sensitive data when employees work remotely.
HIPAA Business associates
Since its inception in 1996, the HIPAA regulatory framework has seen several updates. The language of the Act has been modified to meet evolving technological possibilities, but the scope of the Act itself has been broadened to include business associates working for covered entities and handling protected health information.
Entities considered business associates include individuals or organizations which perform functions or activities on behalf of or provide services to a covered entity that imply the business associate is accessing protected health information (PHI). Examples include anyone with access to PHI or ePHI, such as technology companies, IT vendors, cloud service providers, legal service providers, laboratories, call centers, court reporters, suppliers, and manufacturers.
Business associates are required to protect PHI and ePHI at all times, having to follow HIPAA rules just like covered entities. In addition, business associates must comply with HIPAA by signing a contractual agreement with the covered entity they work with.
HIPAA compliance when working remotely
Imagine you are a Business Associate offering your services (e.g. financial, legal, human resources, manufacturing, etc.) to a covered entity through a business associate agreement. Because of HIPAA — provided that you are handling protected health information of your associate’s patients and customers, you are expected to uphold the same standards of privacy and confidentiality as the covered entity you work for. If you work in the BPO industry, read more about securing remote workforce environments here.
In this example, you are working from home. Thus, all ePHI you have on your laptop is now at risk of being accessed by unauthorized users, like your family or malicious users like hackers. A single wrong click on a phishing link can allow cyberpunks to infiltrate your computer. So how can employees stay HIPAA compliant when working remotely?
Stay HIPAA compliant with TypingDNA’s ActiveLock – endpoint continuous authentication
In 2013, because of three separate HIPAA violations involving an Advocate for Health Care subsidiary, more than 4 million patients’ data were affected. These breaches had to do with the lack of protection on the endpoint devices containing patient data. It’s important to note that those violations also involved the lack of security of endpoint devices of a business associate of AHC.
With TypingDNA’s ActiveLock, those endpoint devices would have had an added layer of continuous authentication which would have locked out any malicious attackers or thieves. ActiveLock continuously verifies users by the way they type. ActiveLock instantly locks the company desktop or laptop to protect your sensitive data if an unauthorized typing pattern is detected. So regardless if your employees decide to intentionally or unintentionally share a work device, or if someone tries to use one of your endpoints without your knowledge — the result is the same. ActiveLock spots the intruder based on their typing pattern and takes instant action to lock the system or trigger a silent alert, reducing the risk of unauthorized access.
8-step HIPAA compliance checklist for remote workers
🛡 Develop policies for security and privacy
Particularly relevant in today’s digitalized world, it is crucial to plan your response to potential cyber-attacks and, more importantly, to have protocols in place to prevent attacks.
📝 Have a privacy notice
Communicate to your customers that their information is secure in your company’s hands and let them know how you ensure this security. Having a privacy policy is an ongoing process. It is very likely the policy will necessitate updates and changes, which is why it’s best to have a confirmation from your customers that they took note of your privacy notice and are informed of all future changes.
👔 Hire a HIPAA specialist
This will allow you to have one or two people within your organization who can build on their knowledge of HIPAA compliance and standards and who can keep your company up to date with the latest requirements. These experts will also help you implement feasible procedures in the case of a security or privacy breach.
📓 Have a verification routine
You want to build on your security and privacy policy and procedures and constantly check and test your risk exposure. If you find anything suspicious or simply a weaker spot in the chain of your security, you must address it as soon as possible.
⚙️ Create specific policies for sharing PHI information and protect your employees’ devices
Encrypt everything you can, especially when sharing PHI information. Encryption is relatively easy and cheap to implement, especially when considering the benefits you will reap as your customers trust that their information is kept safe, giving you a competitive edge in the industry. What’s more, you should ensure your employees’ devices are protected from outside intrusions, especially in remote work environments.
Request a demo with the TypingDNA team to see for yourself how continuous endpoint authentication with ActiveLock helps you protect all your endpoints and employees’ devices.
⚠️ Regularly train, test, and prepare your team
Not everyone in your company needs to be a HIPAA expert, but everyone in your company needs to know the commitments you made to your clients’ and patients’ data security and to follow your policies and procedures accordingly. Nobody wants to be the reason for a HIPAA violation, so providing training and occasional reviews for employees also protects them as a team and as individuals from making costly mistakes.
📨 Inform your business associates of shared compliance and sign protocols
Most businesses have a team of business associates that they work with regularly. In the healthcare industry, such collaborations are also subject to HIPAA compliance. Make sure that business agreements include HIPAA compliance protocols and that your associates are aware of the risks and requirements for HIPAA compliance. Even if the associate company is only shredding your old archived documents or if it’s in charge of your finances but has access to the PHI of your clients or patients, they will still need HIPAA protocols.
🚒 Have a process in case of breaches
A step-by-step system should be in place for when potential breaches occur. From investigating the breach to taking the right immediate and long-term actions after a breach, such protocols can be the lifeline of your organization by softening the effects of such infringements on your company’s reputation, partnerships, etc.
Why is HIPAA important for employees?
Though failure to comply with HIPAA is not always the employees’ fault, healthcare personnel may face damaging professional and personal repercussions if they are sanctioned for a HIPAA violation. Penalties can vary from verbal warnings to the loss of professional certification, making it difficult for a healthcare employee to find future job opportunities.
What’s more, if the noncompliance ends in a criminal conviction, it will almost certainly be publicized in the media, which will have ramifications for the reputation of the employee. So, although more often an employers’ priority, HIPAA compliance is crucial for employees themselves. But, what can employees actually do to stay HIPAA compliant?
HIPAA compliance for remote employees
By keeping patients’ protected health information secure, HIPAA compliance helps professionals achieve better medical outcomes. That is simply because when patients are satisfied that their privacy is being protected, trust grows, allowing professionals to offer better treatment and achieve better health results. In return, better patient outcomes boost personnel’s morale and provide for a more enjoyable work environment.
Steps for employees on how to stay HIPAA compliant
- Protect the company laptop with authentication technologies, like TypingDNA’s ActiveLock that verifies users by the way they type to ensure only authorized employees can access company equipment.
- Don’t leave your devices unattended, especially if unlocked — even if you’re working from the comfort of home. Protected Health Information should only be seen by authorized employees.
- Don’t share your devices, even if it is in good faith, because you never know what links your friends or family may access by mistake.
Secure company endpoint devices to stay HIPAA compliant
The risk of data breaches continues to rise in all fields of work, as more people choose to work remotely and especially as cyberattacks are more common than ever.
Not only is the healthcare industry not exempt from these negative global trends, but with healthcare data being valued 10 times higher than credit card data, healthcare organizations and their business associates have no choice but to put in their best efforts in staying HIPAA compliant. Alongside developing policies, setting up procedures, monitoring, and reporting on your HIPAA compliance, we recommend you prioritize securing your company’s equipment, including computers and laptops.
Reduce the risk of privacy infringements and protect sensitive company data in real time with TypingDNA’s ActiveLock, an endpoint security solution that uses continuous authentication to ensure only authorized employees are accessing company computers.
Get your complimentary license to try ActiveLock on your own device and to see first-hand how it helps protect your endpoint and achieve HIPAA compliance. 👇
