
5 Things CISOs Should Know About HIPAA

Education | Healthcare Assessments

Published: Nov 18, 2015

Last Updated: May 29, 2026

The more advanced technology gets, the more chief information security officers have to worry about. And with attackers mounting major campaigns against organizations like JPMorgan Chase and Anthem, the CISO's job has become more important than ever.

CISOs especially don’t want to get lax with HIPAA compliance. The penalty for non-compliance can reach hundreds of thousands of dollars. In fact, the largest HIPAA settlement to date occurred in 2014, when two healthcare organizations (NewYork-Presbyterian Hospital and Columbia University) were blamed for lapses in HIPAA compliance that jeopardized 6,800 patients’ electronic records. They reached a settlement, but the cost was astronomical — $4.8 million. If that kind of bill doesn’t get a CISO’s attention, perhaps jail time will? A CISO could face up to 10 years in prison for failure to comply with HIPAA regulations.

Here are five things CISOs should know about HIPAA Compliance:

1. HIPAA Isn’t Voluntary

The moment an organization comes into contact with protected health information (PHI), it must spring into action with full HIPAA compliance, or else. That means developing, implementing and thoroughly documenting every measure taken to protect PHI in four key areas of 45 CFR Subtitle A, Subchapter C, Part 164:

(1) Organizational Requirements

(2) Security Standards

(3) Breach Notification

(4) Privacy

2. HIPAA Requires Periodic Auditing

That’s right. Putting safeguards into place isn’t enough. HIPAA also mandates that the covered entity or business associate conduct periodic evaluations to confirm that all necessary safeguards are in place and to demonstrate that they are working as intended. These evaluations should be triggered by changes in the security environment (for example, new equipment introduced into the network) and should thoroughly probe for weak points that could put private data at risk.

3. HIPAA Mandates a Procedure for Reviewing Records

CISOs should regularly review information system activity, such as audit logs, access reports and security incident tracking reports, which also means these logging and reporting components must be in place. If a security incident is detected, organizations are required by law (to the best of their ability) to respond, mitigate any harmful effects, and document the outcome.

4. It is the Responsibility of the Covered Entity to Ensure Business Associates Comply

Via the Final Omnibus Rule of 2013, covered entities can extend coverage to business associates (or other third-party providers) that create, receive, maintain or transmit electronic protected health information (ePHI) on behalf of the covered entity. However, it is the responsibility of the covered entity to ensure that said business associate (or third party) has proper safeguards in place. Those assurances must be documented in some form of contract or agreement.

Also included in this rule are new procedures for notifying the Office for Civil Rights of a breach of PHI. Failure to report could result in federal investigation, civil action and (you guessed it) more fines.

5. Fines Are Outrageously High

The introductory scenario is a bit extreme, but that doesn’t exempt a covered entity or business associate from paying serious fines if any compliance gaps are found. As of 2013, a single HIPAA violation costs $50,000 per compromised patient record. Do the math: NewYork-Presbyterian Hospital and Columbia University got off easy with their $4.8 million settlement.

If you need help understanding what your privacy and security obligations are, consider working with a compliance services provider. They can help you design and implement procedures to ensure HIPAA compliance, and test your security controls to confirm that all safeguards are working properly to protect private information.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.