Before we jump into the full scope of HIPAA compliance, we will first define some key elements of HIPAA. The first question to answer is whether your organization is a Covered Entity (CE) or a Business Associate (BA). Today, the distinction between business associate and covered entity has become less relevant from an enforcement perspective, as the HIPAA Final Omnibus Rule of 2013 holds business associates directly responsible for safeguarding Protected Health Information (PHI), just like a covered entity.
- Covered Entity (CE): A covered entity is defined as any organization that is a health plan, healthcare provider, or healthcare clearinghouse. This includes doctor’s offices, dental offices, clinics, hospitals, nursing homes, and health insurance companies.
- Business Associate (BA): A BA is simply any person or organization that has access to PHI, whether logical or physical. These are typically organizations that handle data on behalf of a health system or insurance company, or on behalf of one of their vendors. This includes, but is not limited to, SaaS providers, data centers, print vendors, cloud platform providers, etc.
What is the Scope of Protected Health Information (PHI)?
Before we define the scope of PHI for your organization, we will start with a brief overview of definitions. PHI is any information that can be used to identify a patient. This can include demographic information and often includes names, addresses, phone numbers, Social Security numbers, medical records, financial information, photos, etc. Any PHI that is transmitted and/or stored electronically is referred to as electronic protected health information (ePHI). From a HIPAA compliance perspective, the scope of PHI (physical or electronic) encompasses everywhere in your environment where PHI is stored or transmitted. This can include, but is not limited to:
- Application databases,
- User workstations, e.g. ePHI in spreadsheets or local databases,
- Logs and log backups, e.g. a log of API call or batch failures that contains details about a patient encounter or lab result,
- Legacy file shares,
- Cloud file shares (Box, Google Drive, O365), and
- Cloud visualization tool integrations, e.g. does Tableau create locally cached data on a user’s workstation, or do other visualization tools have a cloud-integrated component that could touch PHI?
What is HIPAA Compliance?
With a better understanding of PHI and its scope within your organization, we will look closer at how organizations demonstrate HIPAA compliance. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a series of regulatory standards that outlines the permitted uses and disclosures of an individual’s PHI. HIPAA makes the protection of your PHI a civil right, which is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
HIPAA is a regulation, and organizations cannot certify against HIPAA; rather, they can demonstrate compliance. As a Certified Public Accounting firm, Linford & Co. is able to provide an “AT-C Section 315, Compliance Attestation” based on standards established by the American Institute of Certified Public Accountants (AICPA). Reports issued under AT-C Section 315 express an auditor’s opinion on an organization’s compliance with the requirements of specified laws and regulations; in this case, the requirements of the HIPAA Security and Breach Notification Rules. A report issued in accordance with the provisions of AT-C Section 315 does not provide a legal determination of an entity’s compliance with the specified requirements.
For most business associates, the scope of a HIPAA compliance attestation focuses on the HIPAA Security and Breach Notification Rules. As HIPAA is made up of many rules, below is an overview of the most important ones.
- HIPAA Security Rule: The Security Rule establishes standards for the protection of PHI throughout all phases of its lifecycle. There are also specific provisions for the protection of ePHI. This L&C blog post will further describe the Technical, Physical, and Administrative safeguards that CEs and BAs must establish.
- HIPAA Privacy Rule: This rule applies to covered entities (defined above). It establishes rules related to the privacy, integrity, and availability of PHI. The Rule outlines safeguards that must be in place to ensure the privacy of PHI. Much of the rule is only applicable to covered entities, in particular the guidelines related to patient access to medical records.
- HIPAA Breach Notification Rule: This rule establishes the process HIPAA entities must follow in the event of a breach of PHI. A breach is defined as any access that compromises the security or privacy of PHI. Examples of a breach include:
  - A lost laptop with an unencrypted hard drive holding a local database of patient data,
  - Unauthorized access by employees, and
  - Unauthorized access by third parties.
- HIPAA Omnibus Rule: This rule comprised multiple changes to HIPAA, including significant changes to the compliance requirements of business associates. This change directly corresponds to the increased use of Electronic Medical Record systems (EMRs) and the increasing volumes of patient data.
Learn more about HIPAA compliance in our article, What is HIPAA Compliance? Certification? A summary of HIPAA.
What is the Scope of a HIPAA Compliance Assessment?
For Business Associates, HIPAA compliance is primarily focused on the HIPAA Security and Breach Notification Rules. Much of the Privacy Rule is specific to the handling of electronic medical records from the perspective of a healthcare provider and is not applicable to many technology-focused business associates (data centers, SaaS providers).
The scope of a HIPAA Security Rule compliance assessment is focused on all elements of your environment that interact with PHI. Any application, and the IT infrastructure supporting it, that creates, receives, maintains, stores, or transmits ePHI is in scope.
The Security Rule is structured to be both scalable and flexible, allowing organizations of different types and sizes to implement the standards and implementation specifications in a reasonable and appropriate manner. Flexibility is achieved through the implementation specifications, which are either “required” or “addressable.” The difference between these designations can be confusing, so below is an example of each to help illustrate how they are applied.
- Required: An organization must implement the standard. These rules are either fully implemented or the organization is not in compliance with HIPAA.
- Addressable: These are generally technical requirements that organizations have the flexibility to implement in different ways to demonstrate compliance. For example, one organization might use RADIUS for authentication, while another might use TACACS as its authentication mechanism.
These required and addressable requirements are applied to three areas of defined safeguards.
What are the HIPAA Safeguards?
As noted, the HIPAA Security Rule contains the standards that must be implemented to protect ePHI at rest and in transit. These rules apply to any person or organization who has access to ePHI. HIPAA Security is divided into three areas:
- Technical safeguards: These are technical mechanisms to protect PHI in transit and at rest. For example, logical access to information systems and encryption of patient/member data.
- Physical safeguards: These rules ensure PHI is physically protected. Safeguards include locked doors, server room cameras, etc. The safeguards extend beyond your office and also govern how PHI is protected by remote workers who may access data from their homes.
- Administrative safeguards: These outline the governance of HIPAA compliance within an organization. They require the implementation of policies and procedures to protect against a breach. This includes the training of employees and contractors, and the monitoring of vendors.
Example of Scope for Business Associates
The following are examples of the high level scope of HIPAA Compliance Assessment covering the HIPAA Security and Breach Notification Rules. For each of these examples, the processes for downstream vendor monitoring, business associate agreements, incident response, and breach notification processes would be considered in scope. Additionally, all of the elements of administrative safeguards outlined above would be in-scope.
Data Center Provider: The scope of a HIPAA compliance assessment will vary drastically based upon the type of services an organization provides and how it interacts with PHI. A data center, for example, is largely responsible for the physical and environmental protection controls related to protecting customers’ data. In most cases, it is the customer’s responsibility to implement and maintain the security of their hosted IT infrastructure. Generally, data centers will have a management layer of systems and tools used to maintain the data center. As the availability of PHI is fundamental, the logical access, change control, and other technical controls over these management applications and infrastructure would be considered in scope.
Clinical Decision Support SaaS: This is “The Software Company” example for the many SaaS providers that are 100% cloud based on a platform like AWS, Azure, or GCP. In many cases, the only managed IT infrastructure such a company has is a switch (in a locked closet), a wireless access point in an office, and a firewall. From a HIPAA perspective, user workstations are always a risk. If, in the course of daily operations, individuals download or view PHI on their workstations, employee and contractor workstations would be considered in scope. Often, access to ePHI is controlled through a virtual machine (VM), and in these instances the hypervisor and supporting infrastructure are in scope. Most important in this case is the scoping of the cloud environment. Just because AWS has a “SOC 2” report or another report of compliance does not mean the SaaS provider is compliant with anything. For most cloud platforms, the user entity, “The Software Company,” is responsible for configuring the cloud environment in a secure manner.
Strengthen the Scope of Your HIPAA Compliance
- Conduct a Risk Analysis: The HIPAA Security Rule specifically requires organizations to perform a risk analysis. This analysis is defined as an assessment of the risks and vulnerabilities that impact the confidentiality, integrity, and availability of ePHI. The risk assessment should evaluate all losses and impacts that could result if a security measure were not in operation. It is common for healthcare providers to overlook some forms of media, such as hard drives, tablets, USB drives, BYOD devices, or any other portable electronic media. The risk analysis should be an ongoing process that is reviewed and evaluated routinely.
- Identify PHI in your environment: An inventory of all applications and systems should be maintained and classified by risk level. This goes beyond production databases and workstations. If users have the ability to download entire databases of PHI from their environment to a workstation, then all employee workstations may be in scope. Additionally, if application errors and batch errors contain PHI, organizations should evaluate the security of their logging tools, and of the longer-term cloud or offsite storage of legacy logs.
- Secure Authentication and Access: Across all areas of your IT environment, this pertains to the ability of users to access PHI or circumvent access controls. Many organizations that have their environment wholly in a cloud platform (AWS, Azure, etc.) control access to the cloud environment through a jump host, or through VPN/MFA used in conjunction with approved user endpoint devices. However, if your organization is using a separate SaaS platform for data visualization that is not controlled through SSO or another secure authentication mechanism, additional risks may be introduced into your environment.
  - One of the biggest risks we explore with our clients is the public library scenario. For example, if access to an AWS/GCP/Azure console is not restricted behind VPN and MFA (or another mechanism), what controls would stop a developer from logging into your production environment from a public library computer, failing to log out of the session, and leaving access to your environment open to the next person who sits down?
- Harden your systems: Organizations should develop security baselines for all types of devices to ensure that new deployments and implementations are secure.
  - Workstation and Server Hardening: Consider a centralized device management tool (Intune, Jamf, etc.). These tools can help control OS patching, antivirus installation, host-based firewalls, and approved applications, and some can help enforce password policies.
  - Additionally, processes should be implemented to remove default accounts (i.e. change the passwords of root and admin accounts), and to store passwords for system accounts in a password vault that is only accessible from behind your organization’s firewall and secure authentication mechanisms.
- Data Encryption: Encryption is defined as an “addressable” specification for ePHI in transit and at rest. All too often, OIG investigations reveal that organizations have failed to evaluate encryption throughout their entire environment.
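The “Identify PHI in your environment” step above notes that application and batch error logs can themselves contain PHI, which pulls the logging tools and legacy log storage into scope. The following Python script is an added example (not code from the original article or from Linford & Co.) of how an organization might scan its log lines for identifiers that commonly constitute ePHI and produce a redacted copy. The identifier patterns, the log format and the sample log lines are constructed assumptions; a real deployment would tune the patterns to its own data and run the scan against its actual logging pipeline.

```python
"""Detect and redact identifiers that commonly make a log line ePHI.

Added example for the "Identify PHI in your environment" step; it is not
code from the original article or from Linford & Co. The identifier
patterns, the log format and the sample log lines are constructed
assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Identifier patterns. An optional "label" group is kept in the redacted
# output so the log stays readable; the "value" group (or the whole match
# when there is no such group) is what gets removed.
PATTERNS = {
    # US SSN, excluding area numbers 000/666/9xx, group 00 and serial 0000
    "ssn": re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # Medical record number and date of birth, as they appear in our
    # constructed log format ("MRN: 00123456", "DOB: 04/17/1962")
    "mrn": re.compile(r"(?P<label>\bMRN[:=]?\s*)(?P<value>\d{6,10})(?!\d)", re.IGNORECASE),
    "dob": re.compile(r"(?P<label>\b(?:DOB|date of birth)[:=]?\s*)(?P<value>\d{1,2}/\d{1,2}/\d{4})", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the scanned log
    kind: str      # key from PATTERNS
    value: str     # the matched identifier; keep it out of any written report


def _value(m):
    """Sensitive part of a match: the 'value' group if the pattern has one."""
    return m.groupdict().get("value") or m.group(0)


def find_phi(line):
    """Return [(kind, value), ...] for every identifier found in one line."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            hits.append((kind, _value(m)))
    return hits


def redact(line):
    """Replace each identifier with a [REDACTED-KIND] token, keeping labels."""
    for kind, rx in PATTERNS.items():
        token = f"[REDACTED-{kind.upper()}]"
        line = rx.sub(lambda m, t=token: (m.groupdict().get("label") or "") + t, line)
    return line


def scan_log(lines):
    """Scan an iterable of log lines; return Finding objects in line order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, value in find_phi(line):
            findings.append(Finding(line_no, kind, value))
    return findings


def summarize(findings):
    """Count findings per identifier kind, e.g. {"ssn": 1, "email": 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample log lines (not real data): an API request, a failed
# eligibility batch, a bounced lab-result notification, an ETL rejection
# and a routine authentication event.
SAMPLE_LOG = [
    "2024-03-02T10:15:01Z INFO  api   GET /v1/claims/lookup status=200 latency_ms=42",
    "2024-03-02T10:15:07Z ERROR batch eligibility job failed for member SSN 123-45-6789 (retry 3/3)",
    "2024-03-02T10:16:22Z WARN  api   lab result delivery bounced: jane.doe@example.com unreachable, callback 303-555-0100",
    "2024-03-02T10:17:40Z ERROR etl   record rejected: MRN: 00123456 DOB: 04/17/1962 missing encounter id",
    "2024-03-02T10:18:03Z INFO  auth  user svc-reports authenticated via SSO",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print("findings per kind:", summarize(found))
    for f in found:
        print(f"line {f.line_no}: {f.kind}")   # report the kind, never the value
    print("\nredacted copy:")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Running the script prints a per-kind count and the redacted lines. The Finding objects carry the matched value so a reviewer can confirm a hit at the console, but the printed report lists only the line number and kind, so that the scan output does not itself become another store of PHI that would need to be brought into scope.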
HIPAA Security Services and Resources
Linford & Company has deep expertise in delivering HIPAA compliance audits and helping organizations meet their HIPAA compliance needs. Most engagements are scoped to include the requirements of the HIPAA Security and Breach Notification Rules. Additionally, Linford has extensive experience in delivering HITRUST CSF assessments and is a HITRUST assessor firm. Contact us to further discuss how Linford can help your organization meet its HIPAA audit and compliance needs.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.