We recently hosted a webinar, “Annual HIPAA Requirements and Security Standards,” in which we discussed annual HIPAA requirements, document review, and the compliance procedures you need to have in place to prevent breaches and pass audits.
In the webinar, we spoke with Rob Chubbuck, an IT expert and educator, about logging, password standards, annual training and document review requirements, the expanding scope of PHI, and more. You can watch the webinar recording here or, if you’d like to read a summary, here are the five most important takeaways you should know about annual HIPAA requirements.
The definitions of Protected Health Information (PHI) and Personally Identifiable Information (PII) have evolved a lot in the last 20 years. Generally, PHI is defined as any health-related information combined with a unique identifier that matches a particular individual.
Identifiers include, but are not limited to:
- Date of birth
- Social security number
- Email address
- Phone number
PII, on the other hand, is any data that could be related to an individual. There is both sensitive and non-sensitive PII. Non-sensitive PII is any information that is public, like email addresses and phone numbers. Sensitive PII includes biometric information, Social Security Numbers, financial information, and health information.
These terms have some overlap, and their definitions are ever-expanding. For those tasked with protecting PHI and PII, any kind of information that can be traced back to a particular individual needs to be properly protected. In these cases, HIPAA compliance standards can be extremely helpful in establishing a secure framework for safeguarding information.
The training requirement for the HIPAA law states that organizations should “Implement a security awareness and training program for all members of its workforce (including management).” Now, what does that really mean? And how should it be implemented?
Well, in the first place, it means that your organization needs to have a comprehensive compliance program which gives employees practical guidance on how they should be safeguarding information and what the protocols are if they suspect there has been a breach.
We recommend annual HIPAA training because organizations change and technologies change, often faster than we realize. As attackers become more sophisticated, your cybersecurity standards need to keep pace; and if your organization’s business practices change, or the information you hold changes, your employees need to be equipped with updated compliance information. Furthermore, HIPAA compliance is complicated. It’s best to give everyone an annual refresher so they know what’s expected of them and how to carry it out.
A Risk Assessment (RA) is essentially a series of questions about an organization. Once completed, a Risk Assessment Report is produced. This documents the organization’s current state and identifies areas for improvement (vulnerabilities). The RA is the first document you should complete when you begin forming your HIPAA compliance plan, and is an essential component of your annual HIPAA requirements.
The risk register, or To-Do List, allows the organization to focus on and track the specific items that need to be completed to mitigate vulnerabilities. To keep your organization’s systems secure and free from vulnerabilities, an RA should be performed at least once a year.
Through this process, you’ll be able to review specific controls and security items, like implementing new patches and encrypting devices, to make sure they match the current state of your organization.
While conducting annual Risk Assessments may sound like a lot of work, it’s much better than the alternative: believe it or not, the average cost of a data breach is now 4.35 million (according to IBM’s 2022 report). A breach of this sort can potentially result in fines, loss of customer base, and even loss of business. Don’t leave yourself vulnerable: become HIPAA compliant.
How long should you be keeping logs? Well, HIPAA states that logs need to be kept for six years, but that can be cost prohibitive for some organizations. Are there affordable alternatives? Yes — you can use log aggregators to centralize logging from systems and applications in one place. That way, if there is a breach or problem with your system, the logs allow you to see when the incident occurred, how widespread it was, and what you might be able to do to prevent it in the future.
From a regulatory and business perspective, it’s best to keep logs as long as you can. Once you reach six years, or whatever other point you’ve decided on, make sure you’re properly disposing of those logs and the information they hold.
In the last few years, NIST (the National Institute of Standards and Technology) has changed its guidance on how often passwords should be changed and on password complexity standards. As it turns out, NIST has found that forcing users to change passwords more frequently can actually make them less secure, especially where users end up reusing essentially the same password as before with only a single character changed.
In order to maintain good password complexity, we recommend using password managers like LastPass, which allow you to store all your passwords in one application which you access with one master password. One password is of course much easier to remember than a dozen!
You should also have two-factor authentication (2FA) activated on all business applications. That way, the application will require a code delivered by text message or generated by a third-party app, like Google Authenticator, which allows the user to confirm that they are the one signing into the application. This is an effective and easy way to add another level of security to your applications.
Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your organization.
Want to know more about our online HIPAA training or our customized compliance solution, HIPAA Prime? Email us at firstname.lastname@example.org to learn more about how we can help your organization become (and stay!) compliant. Or, get started here.