What is SOC 2?

Explore the basics of SOC 2 Compliance and the difference between SOC 2 Compliance and SOC 2 Certification

SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA). It specifies how organizations should manage customer data. The SOC 2 framework is applicable to all technology service providers and SaaS product companies that store customer data. They are required to ensure that security controls and practices are designed and implemented effectively to safeguard the privacy and security of customer data. There are several benefits of being SOC 2 Compliant.

This security framework does not provide a specific list of controls and tools. It merely cites the criteria required to maintain a high level of information security. It is up to each organization to establish the practices and processes relevant to their own objectives and operations. SOC 2 Certification is based on 5 Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy of customer data.

Basics of SOC 2 Compliance

There are several components of becoming SOC 2 Compliant that need to be understood before you begin this journey: a SOC 2 gap assessment, remediation of the identified gaps, a SOC 2 audit and a SOC 2 report. Getting SOC 2 Compliant fast is a marketing gimmick.

SOC 2 Compliance versus SOC 2 Certification

Being SOC 2 Compliant essentially means having a valid SOC 2 report issued by an independent third-party CPA firm. Technically, SOC 2 is not a certification – it is the auditor’s opinion on the effectiveness of the controls protecting data, also known as a ‘SOC 2 Attestation’. A SOC 2 attestation is based on the Trust Services Criteria and is provided by a registered CPA firm authorized by the AICPA. Usually, a SOC 2 report is valid for a year, after which the organization is required to engage the same or a different CPA firm to conduct the next SOC 2 audit.

*The official term is ‘SOC 2 examination’; in the industry, ‘SOC 2 compliance’ is used interchangeably. Similarly, the official term is ‘reporting’, while ‘certification’ is the commonly used term. We use the common terms here to put the content into the appropriate context.

Experts at databrackets have extensive experience in helping organizations align their processes with AICPA’s Trust Services Criteria and prepare for a SOC 2 Audit. Our unique approach to SOC 2 readiness not only brings in experts from the industry but also leverages our assessment platform to identify controls, collect the required evidence and collaborate with auditors. If you would like to connect with an expert to better understand SOC 2 and plan your SOC 2 journey, do not hesitate to schedule a consultation.

Comparing Top 5 Security Regulations for Healthcare

Explore security regulations for the Healthcare industry as Clinics, Hospitals, Diagnostic Centres, Health Insurance and Healthcare Services pursue benchmarks to secure patient data

The healthcare industry has been the target of countless hacking attempts despite adopting the security protocols outlined in the Health Insurance Portability and Accountability Act (HIPAA) since 1996. Hackers have found innovative ways to cause data breaches, leverage the high value of Protected Health Information (PHI) and create severe disruptions in the healthcare ecosystem. Over the last two decades, they have benefited from loopholes in the IT architecture of healthcare organizations and the lack of security awareness training given to healthcare employees. Even today, it is not uncommon to hear about the next big data breach at a reputed chain of hospitals, diagnostic centers, or healthcare insurance companies, despite the growing advancements in security software, firewalls, and numerous methods to prevent a cyber attack. The hacking attempts that failed, however, rarely become known.

There are many security regulations with benchmarks that make healthcare organizations consistently vigilant, including HIPAA. These contribute to the hidden success stories of failed hacking attempts and secure patient data. One such initiative is by the Office for Civil Rights (OCR), which enforces HIPAA compliance and shares regular updates about the dynamic nature of cyber threats to ensure the healthcare ecosystem is able to take preventive action. 

Customers, vendors, regulatory bodies, and shareholders associated with the healthcare ecosystem have made a series of demands about compliance, regular attestation, and at times, certification. We have identified the top 5 security regulations in the healthcare ecosystem which are being considered by organizations and would like to share their differences regarding validity, impact of violations, cost, number of controls, etc. for your benefit.

HIPAA: HIPAA is a set of mandatory standards to manage the use and disclosure of patient data or Protected Health Information (PHI). HIPAA compliance is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, and any organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability and help the healthcare ecosystem prevent cyber attacks. The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

Organizations need to demonstrate HIPAA compliance by designing policies and procedures, conducting regular staff training, and ensuring their IT architecture and data privacy protocols are aligned with all HIPAA rules. They are also responsible for ensuring that their vendor contracts include mandatory HIPAA compliance protocols. HIPAA violations can lead to penalties, fines, and even jail time. 

While the healthcare industry has been aware of HIPAA rules, due to the sharp increase in cyber attacks, their customers, vendors, and shareholders have begun asking for proof of compliance with other security regulations. 

ISO 27001: ISO 27001 is a generic standard for information security developed and regulated by the International Organization for Standardization and is officially referred to as ‘ISO/IEC 27001’. It is part of the ISO/IEC 27000 family of standards for information security management. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.

ISO 27001 is a triennial certification with annual surveillance audits. Organizations usually pursue this voluntary certification to become eligible for RFQs for B2B or B2G contracts owing to its extensive list of controls, which prove that they can secure customer data. The impact of a violation is severe since they stand to lose their reputation and revenue from contracts that were signed with the condition that they maintain their ISO 27001 certification. While healthcare customers have a moderate level of acceptance for ISO 27001 certification, it is being considered by larger organizations in addition to HIPAA.  

SOC 2: SOC 2 is a data privacy standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy. Organizations undergo a SOC 2 examination and receive a SOC 2 Report, commonly referred to as a SOC 2 Certificate. The SOC 2 Certificate only assesses the maturity of controls during the time of the SOC 2 Audit period. Organizations need to renew their certification at regular intervals to prove their continuous compliance.

SOC 2 is popular in the US and is considered by healthcare organizations since it is moderately challenging to implement. At databrackets, we have supported several healthcare SaaS companies to prepare for their SOC 2 examination and test their controls before their SOC 2 audit. In our experience, the commitment to data privacy it commands is rigorous, and the benefits far exceed the financial investment. 

NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders. While NIST guidelines do not lead to a certification by external authorized personnel, organizations use attestation to prove they comply with the specific NIST standard.

Regular maintenance and consistent vigilance are required to ensure you continue to comply with NIST CSF and NIST SP 800-53 rev 5. However, you don’t need to get re-assessed until a new version of the standard is published. Despite this flexibility, vendor contracts may require an attestation to a specific NIST Security Guideline because of the extensive controls which require substantial investment. 

HITRUST CSF: HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. Several organizations view HITRUST CSF as the ideal benchmark for the healthcare ecosystem, which needs security protocols beyond HIPAA. Though this annual certification may sound like a panacea, the financial investment in implementing its dynamic mix of controls from various security standards is not viable for many organizations.

Comparisons

Comparing Top 5 Security Regulations for Healthcare

Description
  HIPAA and HITECH: HIPAA is mandated by the HHS and enforced by the OCR. HIPAA Compliance is mandatory for covered entities, business associates and subcontractors. Under the Act, there are 18 HIPAA identifiers or types of PHI that must be protected by all organizations that store, process and transmit it. HIPAA applies to the entire healthcare ecosystem.
  ISO 27001: ISO 27001 is a generic standard for information security developed by ISO. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.
  SOC 2: SOC 2 is a standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy.
  NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders.
  HITRUST CSF (Common Security Framework): HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

Type of Data
  HIPAA and HITECH: PHI and ePHI – 18 HIPAA Identifiers
  ISO 27001: All processes included in the ISMS
  SOC 2: Customer data
  NIST Security Guidelines: Depends on what is decided as the scope. It may be all the data that the organization works with.
  HITRUST CSF: PHI and ePHI

Controls based on
  HIPAA and HITECH: HIPAA Rules with emphasis on 3 safeguards – Physical, Technical & Administrative
  ISO 27001: ISO 27001 & ISO 27002 controls (140+ controls)
  SOC 2: 5 Trust Services Criteria (61 controls)
  NIST Security Guidelines: NIST CSF Version 2 (75+ controls) and NIST SP 800-53 revision 5 (390+ controls)
  HITRUST CSF: 150+ controls

Certification / Assessment
  HIPAA and HITECH: Assessment
  ISO 27001: Certification
  SOC 2: Certification / Examination
  NIST Security Guidelines: Assessment
  HITRUST CSF: Certification

Frequency / Validity
  HIPAA and HITECH: Annual
  ISO 27001: Triennial (once every 3 years) with annual surveillance audits
  SOC 2: Annual
  NIST Security Guidelines: Maintenance is required to ensure you continue to comply with NIST CSF / NIST SP 800-53 rev 5. You need to undergo a new assessment every time a new version of the standard is published.
  HITRUST CSF: Annual

Cost of Implementation, Readiness Prep and Assessment / Certification
  HIPAA and HITECH: >= $25,000
  ISO 27001: $25,000 – $50,000
  SOC 2: $25,000 – $50,000
  NIST Security Guidelines: >= $25,000
  HITRUST CSF: $50,000 – $200,000

Readiness Prep
  HIPAA and HITECH: Optional
  ISO 27001: Recommended
  SOC 2: Recommended
  NIST Security Guidelines: Optional
  HITRUST CSF: Recommended

Mandatory / Voluntary
  HIPAA and HITECH: Mandatory
  ISO 27001: Voluntary
  SOC 2: Voluntary
  NIST Security Guidelines: Voluntary
  HITRUST CSF: Voluntary

Reports are reviewed by
  HIPAA and HITECH: OCR/HHS
  ISO 27001: B2B, B2C or B2G customers / vendors
  SOC 2: B2B, B2C or B2G customers / vendors
  NIST Security Guidelines: B2B, B2C or B2G customers / vendors
  HITRUST CSF: B2B, B2C or B2G customers / vendors

Level of Difficulty while implementing
  HIPAA and HITECH: Low
  ISO 27001: Moderate
  SOC 2: Moderate
  NIST Security Guidelines: Moderate
  HITRUST CSF: High level of complexity

Impact of violation
  HIPAA and HITECH: Penalties, Fines, Jail time
  ISO 27001: Certification will be revoked. Loss of business if clients make it mandatory.
  SOC 2: SOC 2 Report will be revoked. Loss of business if clients make it mandatory.
  NIST Security Guidelines: It is a voluntary compliance standard. Loss of business if clients make it mandatory.
  HITRUST CSF: Certification will be revoked. Loss of business if clients make it mandatory.

Acceptance Level by Clients
  HIPAA and HITECH: Mandatory / High Acceptance
  ISO 27001: Voluntary / Moderate Acceptance
  SOC 2: Voluntary / High Acceptance
  NIST Security Guidelines: Voluntary / Moderate Acceptance
  HITRUST CSF: Voluntary / High Acceptance

* This comparison is based on our experience while supporting healthcare clients for over a decade.

** The cost is indicated in USD.

With over a decade of experience with healthcare clients, we have observed the benefits of complying with a security standard beyond HIPAA. While customer requirements, RFQs, and vendor contracts usually drive this choice, we recommend organizations review their cyber hygiene from the perspective of risks they want to be prepared for and business priorities while selecting the appropriate additional standard to manage them.

Partner with databrackets to secure patient data

The only way to defend everything you’ve worked so hard to create is to protect your systems from security lapses. With over a decade of industry experience and technical excellence, a dedicated team at databrackets can help you protect your organization from threats and adapt to the healthcare industry’s unique requirements.

Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services for HIPAA, SOC 2, ISO 27001 and NIST. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company.

Cybersecurity Best Practices

Learn ways to protect your organization from a data breach and maintain a high level of cyber hygiene.

Keeping yourself protected from cybercrime isn’t just about having the latest security solutions. Good IT security practices, including regular training for employees, are essential components of every single security setup. Make sure you’re following these 9 best practices:

1. Patch Early, Patch Often

The exploitation of unpatched vulnerabilities was the root cause for almost half of cyber incidents investigated by Sophos in 2021.¹ The earlier you patch, the fewer holes there are to be exploited.

2. Back up regularly and keep a recent backup copy off-line and off-site

73% of IT managers whose data was encrypted were able to restore it using backups.² Encrypt your backup data and keep it off-line and off-site. Practice restoring data from backups regularly.

3. Enable file extensions

File extensions in Windows are hidden by default. Enabling them makes it much easier to spot file types that wouldn’t commonly be sent to you and your users, such as JavaScript files.

4. Open JavaScript (.JS) files in Notepad

Opening a JavaScript file in Notepad prevents it from running any malicious script and allows you to examine the file contents.

5. Don’t enable macros in document attachments received via email

Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!

6. Be cautious about unsolicited attachments

Cybercriminals often rely on an ages-old dilemma: knowing that you shouldn’t open a document until you are sure it’s legitimate, but not being able to tell if it’s malicious until you open it. If in doubt, leave it out.

7. Monitor administrator rights

Constantly review local and domain admin rights. Know who has them and remove those who don’t need them. Don’t stay logged in as an administrator any longer than necessary.

8. Regulate internal and external network access

Don’t leave ports exposed. Lock down your organization’s RDP access and other remote management protocols. Furthermore, use two-factor authentication and ensure remote users authenticate against a VPN.

9. Use strong passwords

A weak and predictable password can give hackers access to your entire network. We recommend making passwords impersonal, at least 12 characters long, using a mix of upper and lower case, and adding random punctuation, like Ju5t.LiKETh1s!
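The password rules above (impersonal, at least 12 characters, mixed case, random punctuation) can be enforced at account creation with a small policy check. The following is an added example written for this page, not code from the original article, from Sophos or from databrackets. The leet-speak substitution table used for the "impersonal" test and the sample identity values are assumptions constructed for the example.

```python
import string

MIN_LENGTH = 12
PUNCTUATION = set(string.punctuation)
# Assumed leet-speak substitutions, so that a password built from 'j0hn'
# is still recognised as being built from the personal term 'john'.
LEET = str.maketrans("0134578@$", "oieastbas")


def personal_terms(username="", full_name="", org=""):
    """Words the password must not be built from: login, name parts, organisation."""
    terms = [username, *full_name.split(), *org.split()]
    return sorted({t.lower() for t in terms if len(t) >= 3})


def check_password(password, username="", full_name="", org=""):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation")
    # 'Impersonal': fold case and common digit substitutions, then look for
    # the user's own login, name or organisation inside the password.
    folded = password.lower().translate(LEET)
    for term in personal_terms(username, full_name, org):
        if term in folded:
            problems.append(f"built from personal term '{term}'")
    return problems


def is_acceptable(password, **identity):
    """True when the password breaks none of the rules."""
    return not check_password(password, **identity)


if __name__ == "__main__":
    # Constructed sample identity; not a real account.
    who = dict(username="jsmith", full_name="John Smith", org="Acme Clinic")
    for candidate in ("Ju5t.LiKETh1s!", "J0hnSm1th#2024!", "password"):
        print(candidate, "->", check_password(candidate, **who) or "OK")
```

Returning the list of broken rules rather than a bare yes/no lets the sign-up form or help desk tell the user exactly what to change, which is what makes a policy like this stick in practice.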

References:

  1. The Active Adversary Playbook 2022 – Sophos
  2. State of Ransomware 2022

This educational material is brought to you in partnership with Sophos Ltd. and Connectwise Inc.

What is the difference between an Audit, Assessment and Certification?

Explore the differences between an audit, an assessment and a certificate to pursue B2B, B2C & B2G contracts and convince customers, vendors, and shareholders

Working on contracts for B2B, B2G, or B2C engagements can be daunting. The intense focus on proving the security and privacy of your systems is usually at the heart of the process. Your customers need to know if they can trust you.

Knowing the difference between an audit, an assessment, and a certificate will help your organization streamline the work involved to assuage the concerns of customers, vendors, and shareholders and convince them to work with you. While evaluating the best way to convince them, you will come across a plethora of security frameworks, standards and regulations; the list is endless. You will usually be asked to provide more than one set of documents to meet the eligibility requirements of an RFQ (Request for Quote) by a potential customer or to prove your compliance with a regulatory framework. Let’s dive deep into each of the three concepts from a practical point of view.

Audit: An audit is often the most misunderstood term. A good example of an audit is an IRS audit or a HIPAA audit by the OCR. These put the truth about audits into perspective. The purpose of an audit is to inspect or investigate against a set of rules & regulations and to find gaps at a point in time. An audit does not refer to the past or future health of your systems. It focuses on the ‘here and now’ or ‘point in time’.

An external party conducts an audit, so it should not be confused with an internal audit; an internal audit is actually an assessment. The external party has trained personnel who review whether an organization has violated the rules and regulations set by the government or the authorized body for your industry. You usually undergo an audit if they suspect you have deviated from the norms you are required to follow. Hence the phrase ‘You’re being audited!’

Assessment: An assessment is an internal audit or an evaluation that an organization undertakes to identify gaps and implement a corrective action plan. You need to reference a set of guidelines or frameworks and adhere to best practices to assess whether your organization is successfully meeting a specific benchmark. Conducting regular assessments and implementing corrective actions to meet the required frameworks can save your organization millions of dollars in fines and penalties. It can also save your personnel from jail time and your brand from a bad reputation. It also demonstrates your due diligence towards the requirement in a court of law.

Some examples of an assessment are a Security Risk Assessment or a HIPAA Compliance Assessment. You can conduct these in collaboration with a vendor, paid by your organization, to help you streamline the documentation and prove that you are complying with a framework. Vendors are also supposed to help you develop a corrective action plan, provide policies and procedures you can use as a benchmark, and ensure you have access to staff training to meet specific requirements. For example, when you conduct an annual HIPAA Compliance Assessment, certified experts at databrackets can guide you to meet the latest requirements announced by the Department of Health and Human Services (HHS); ensure your staff has access to HIPAA training; review your documentation; conduct the required Pen Test to assess your systems; and ensure your policies and procedures meet the mark. This annual activity gives you the information and support you need to ensure that your systems leave no scope for a HIPAA violation and will not lead to a penalty, a fine, jail time, or loss of trust by your customers.

Certification: A certificate is an official document that attests to the status or level of achievement by an organization. It shows the level of adherence of an organization against a specific process or technology. Certifications are not mandatory, and organizations pursue certifications to win contracts. Security certifications like ISO 27001 are popular globally, while SOC 2 is often a requirement for B2B contracts in the US. 

Certification is more expensive than an assessment since it is managed entirely by an external certifying body, which is paid for by your organization. It follows very stringent processes, and there are no guarantees that you will get the certificate. One way to enhance your chances of getting the certificate you want is to undergo a readiness prep with a certified vendor to ensure your systems, policies, and procedures comply with the standard before the external party begins the certification process. Investing in readiness prep assessments can save a significant amount of time and money you would have to spend on remediation and a second attempt at certification. We recommend this 2-step process since you get financial rewards when you are awarded the certificate and can convert potential leads into business partners. 

What’s the difference between an audit, assessment and certification?

A detailed set of differences between the three terms is included in the table below:

Objective
  Audit: To inspect/investigate against a set of rules & regulations and find gaps at a point in time
  Assessment: A type of evaluation to help an organization identify gaps and implement a corrective action plan
  Certification: An official document that attests to the status or level of achievement by an organization. It shows the maturity of an organization against a specific process / technology.

Examples
  Audit: HIPAA Audit by the OCR, IRS Audit
  Assessment: Security Risk Assessment, GDPR/HIPAA Compliance Assessment
  Certification: ISO 27001, SOC 2

Sponsored by
  Audit: Generally by an outside organization
  Assessment: Funded by the organization
  Certification: Funded by the organization

Type of Resources Required / Who can conduct it
  Audit: External resources
  Assessment: Internal / outsourced
  Certification: Certification Body

Experience level of Resources
  Audit: Senior Level / Subject Matter Experts
  Assessment: Experienced Subject Matter Experts
  Certification: Certified Professionals Only

Reports are used by
  Audit: Vendors / Customers / Shareholders
  Assessment: Mainly for internal use
  Certification: Vendors / Customers / Shareholders

Engagement Type
  Audit: Formal
  Assessment: Informal
  Certification: Formal

Industry / Department
  Audit: Financial, IT
  Assessment: Financial, IT
  Certification: Product / Manufacturing / Services

Time / Duration
  Audit: Usually short
  Assessment: A few weeks to a few months
  Certification: Usually short – based on guidelines fixed by the certifying body

Cost
  Audit: N/A since it is borne by an external party
  Assessment: $$
  Certification: $$$

Validity
  Audit: Point in time / Past events
  Assessment: 6 months – 1 year
  Certification: 1-3 years – based on the certification guidelines

Frequency of Engagement
  Audit: Infrequent
  Assessment: On demand
  Certification: Annual. For certificates that are triennial, annual surveillance audits are usually required to maintain the certification.

Impact / Result
  Audit: Monetary fines, penalties and/or jail time for violations
  Assessment: Plan of action and milestones for improvements
  Certification: Certificate

What you need to reference
  Audit: Rules and Law
  Assessment: Guidelines, Frameworks and Best Practices
  Certification: Manuals, Standards, Criteria etc.

databrackets can help you with an Audit, Assessment and Certification

With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to each industry’s unique requirements, including law firms, healthcare, financial services, law enforcement agencies, SaaS providers, Managed Service Providers and other commercial organizations. The only way to defend everything you’ve worked so hard to create is to protect your systems from security lapses.

Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services as well. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company.


What is the HIPAA Security rule?

Explore the Administrative, Physical and Technical safeguards under the HIPAA Security Rule & the difference between addressable and required safeguards.

The HIPAA Security rule applies to covered entities, business associates, subcontractors – anyone or any system with access to confidential patient data. Every organization in the healthcare delivery ecosystem must adhere to this rule because of the potential sharing of Electronic Protected Health Information (ePHI). This rule contains the standards organizations must follow to protect electronically created, accessed, processed, or stored PHI (ePHI). These standards apply to ePHI when it is at rest and in transit. It clarifies the physical, administrative, and technical safeguards that organizations must implement. The HIPAA security rule focuses on managing access and interprets it as having the means necessary to read, write, modify, or share ePHI or any personal identifiers that may reveal the patient’s identity.

Organizations are required to document their adherence to these standards and safeguards in their HIPAA Policies and procedures. They also need to ensure that staff members are trained annually on these policies and procedures and maintain documentation to prove this. 

  i) What is the difference between addressable and required safeguards?

Under HIPAA, safeguards are either ‘Required’ or ‘Addressable.’ ‘Required’ safeguards must be implemented, while ‘Addressable’ safeguards have some level of flexibility. If a covered entity is unable to implement an addressable safeguard, they can implement an appropriate alternative or not introduce the safeguard altogether. This decision depends on the organization’s risk analysis, risk mitigation strategy, and the other security measures they have implemented. The organization is required to carefully document all the factors leading up to the decision along with the results of the risk assessment on which the decision was based.

Addressable safeguards should not be interpreted as optional. Due to the dynamic nature of technology, complexity and cyber attacks, addressable safeguards may become required. We recommend implementing most of the controls. Physical safeguards, in some cases, can be addressable if ePHI is stored on the cloud. However, most controls are critical for maintaining security.

  ii) What are Administrative Safeguards under the HIPAA Security rule?  

Administrative Safeguards are the cornerstone of HIPAA Compliance. They are the policies and procedures that connect the Privacy Rule and the Security rule. A critical administrative safeguard is the appointment of a Security Officer and a Privacy Officer to ensure the security measures are in place to protect ePHI and staff members follow them. 

Organizations are required to conduct a risk assessment before planning their policies and procedures and on a regular basis once they are implemented. This assessment is usually reviewed in a HIPAA audit to ensure it is ongoing and comprehensive. It is important to plan this annually and assess the organization’s level of risk and HIPAA compliance.

Administrative Safeguards – HIPAA Security rule
Safeguard
Required / Addressable
Action
Risk Assessment
Required
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the PHI being created, used, and stored
Risk Management Policy
Required
Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
Sanctions Policy
Required
Create and implement a ‘Sanctions Policy’ to outline sanctions against workforce members who fail to comply with organizational security policies and procedures
Information System Activity Review
Required
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
Assigned Security Responsibility
Required
Assign the responsibility of maintaining security to a security official who will be accountable for the development and implementation of policies and procedures
Authorization / Supervision
Addressable
Implement procedures to authorize and supervise staff members who access PHI
Workforce Clearance Procedure
Addressable
Implement procedures to verify if an employee’s access to PHI is appropriate
Termination Procedures
Addressable
Implement procedures for terminating access to PHI when an employee leaves the organization
Isolating Health care Clearinghouse Function
Required
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect their ePHI from unauthorized access by the larger organization
Access Authorization
Addressable
Implement policies and procedures for granting access to ePHI, for example, through access to a designated workstation
Access Establishment and Modification
Addressable
Based on access authorization policies, create and implement procedures to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process
Security Reminders
Addressable
Set up periodic security updates
Protection from Malicious Software
Addressable
Implement procedures for detecting and reporting malicious software
Log-in Monitoring
Addressable
Implement procedures to monitor log-in attempts and report discrepancies
Password Management
Addressable
Implement procedures for creating, changing, and safeguarding passwords
Response and Reporting
Required
Identify and respond to suspected or known security incidents; mitigate any known harmful effects of security incidents to the extent possible; and document security incidents and their outcomes
Data Backup Plan
Required
Establish and implement procedures to create and maintain retrievable exact copies of ePHI
Disaster Recovery Plan
Required
Establish (and implement as required) procedures to restore any loss of data
Emergency Mode Operation Plan
Required
Establish procedures to ensure business continuity and protect ePHI while operating in emergency mode
Testing Contingency Plans
Addressable
Implement procedures to test and update contingency plans periodically
Criticality Analysis of Applications and Data
Addressable
Assess the relative criticality of specific applications and data which support other contingency plan components
Business Associate Contracts and Other Arrangements
Required
Ensure that BAAs and all other arrangements with vendors are signed and updated
Security Awareness Training for employees
Required
All organizations covered under HIPAA are required to train their workforce and ensure they are aware of the policies and procedures governing access to ePHI. Staff must also be taught to recognize malicious software and phishing attempts. The rule does not fix a training frequency; annual training, plus reminders whenever policies change, is the accepted practice, and training records must be retained.
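The "Log-in Monitoring" and "Information System Activity Review" rows above say what must be reviewed but not how. The following is an added example, written for this page and not code from the original, of the kind of check such a review procedure runs over authentication logs: it flags a burst of failed log-ins for one account, a success that immediately follows such a burst, and a first log-in from a source the account has never used before. The log format, thresholds and sample lines are constructed for the example.

```python
"""Log-in monitoring over authentication log lines (added example).

Assumed log format (one attempt per line): "<ISO timestamp> <user> <source IP> <SUCCESS|FAILURE>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for the example; not a real system's output.
SAMPLE_LOG = """\
2024-03-04T08:00:01 jdoe 10.1.4.20 SUCCESS
2024-03-04T08:02:10 rlee 10.1.4.31 FAILURE
2024-03-04T08:02:14 rlee 10.1.4.31 FAILURE
2024-03-04T08:02:19 rlee 10.1.4.31 FAILURE
2024-03-04T08:02:23 rlee 10.1.4.31 FAILURE
2024-03-04T08:02:27 rlee 10.1.4.31 FAILURE
2024-03-04T08:02:40 rlee 10.1.4.31 SUCCESS
2024-03-04T09:15:00 jdoe 203.0.113.9 SUCCESS
2024-03-04T12:00:00 mkhan 10.1.4.40 FAILURE
2024-03-04T13:30:00 mkhan 10.1.4.40 SUCCESS
"""

FAIL_THRESHOLD = 5            # failures within WINDOW that count as a burst (assumed policy value)
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the assumed format into (timestamp, user, source, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, source, outcome))
    return events


def find_discrepancies(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, user, timestamp) findings, in log order.

    kinds: failed_login_burst   - `threshold` failures for one user inside `window`
           success_after_burst  - a success while such a burst is still in the window
           new_source_login     - a success from a source this user never succeeded from
    """
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures inside the window
    burst_flagged = set()                  # users already reported for the current burst
    known_sources = defaultdict(set)       # user -> sources with an earlier successful log-in

    for ts, user, source, outcome in events:
        q = recent_failures[user]
        while q and ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if outcome == "FAILURE":
            q.append(ts)
            if len(q) >= threshold and user not in burst_flagged:
                findings.append(("failed_login_burst", user, ts))
                burst_flagged.add(user)
        elif outcome == "SUCCESS":
            if len(q) >= threshold:
                findings.append(("success_after_burst", user, ts))
            if known_sources[user] and source not in known_sources[user]:
                findings.append(("new_source_login", user, ts))
            known_sources[user].add(source)
            q.clear()                      # a success ends the current burst
            burst_flagged.discard(user)
    return findings


if __name__ == "__main__":
    for kind, user, ts in find_discrepancies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:<20} {user}")
```

On the constructed log this reports the five rapid failures for `rlee`, the success that follows them (the pattern a password-guessing attack leaves behind), and `jdoe`'s first log-in from an outside address. The single failure for `mkhan` is below the threshold and is not reported, which is the point of a threshold: the review procedure should surface discrepancies, not every mistyped password.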

  iii) What are Technical Safeguards under the HIPAA Security rule? 

Technical Safeguards are related to the technology used to protect ePHI and provide access to the data. These should be reviewed by the IT Department of an organization covered under HIPAA (Covered entities, business associates, and subcontractors).

Technical Safeguards – HIPAA Security rule
Safeguard
Required / Addressable
Action
Unique User Identification
Required
Assign a unique name and/or number for identifying and tracking user identity
Emergency Access Procedure
Required
Establish procedures to obtain ePHI during an emergency
Automatic Logoff
Addressable
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
Encryption and Decryption
Addressable
Implement a method to encrypt and decrypt ePHI
Audit Controls
Required
Implement hardware, software, and/or procedural mechanisms to record and examine the activity in information systems that contain or use ePHI
Mechanism to Authenticate Electronic PHI
Addressable
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
Person or Entity Authentication
Required
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed (for example, multi-factor authentication for remote access)
Integrity Controls – Transmission Security
Addressable
Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until it is disposed of
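The "Audit Controls" and "Mechanism to Authenticate Electronic PHI" rows are the two technical safeguards most often implemented in application code rather than bought as a product. The following added example (not code from the original page) shows one way to do both: each ePHI record carries an HMAC tag so that an unauthorized edit is detected on read, and every access is appended to a hash-chained audit log whose entries cannot be altered or removed without breaking the chain. The key, record fields and user names are constructed stand-ins; in production the key lives in a KMS or HSM and the log is written to storage the application cannot rewrite.

```python
"""Tamper-evident ePHI records and a hash-chained audit trail (added example)."""
import hashlib
import hmac
import json

# Constructed stand-in; a real deployment fetches this from a KMS/HSM.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its fields."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if no field changed since seal(); constant-time comparison."""
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


class AuditLog:
    """Append-only access log; each entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, user: str, action: str, record_id: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "user": user, "action": action,
                 "record_id": record_id, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash and link; any edit, insertion or deletion breaks it."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Seal a record, log two accesses, then tamper with both and re-check."""
    record = seal({"record_id": "MRN-0001", "allergy": "penicillin"})  # constructed data
    log = AuditLog()
    log.append("dr.smith", "read", "MRN-0001")
    log.append("nurse.k", "update", "MRN-0001")
    untouched_ok = verify(record) and log.verify_chain()

    tampered = dict(record, allergy="none")      # edit without the key: tag no longer matches
    log.entries[0]["user"] = "someone.else"      # rewriting history: hash and chain break
    return untouched_ok, verify(tampered), log.verify_chain()


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The HMAC answers "has this record been altered by anyone without the key" and the chain answers "has the record of who touched it been altered"; neither stops a privileged insider from doing damage, but both make the damage detectable during the activity review, which is what the Security Rule asks for.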

  iv) What are Physical Safeguards under the HIPAA Security rule? 

ePHI can be stored in a data center in a remote location, in the cloud, or on on-prem servers within the organization’s premises. Physical Safeguards focus on direct physical access to ePHI irrespective of where it is stored. They outline guidelines to secure workstations and mobile devices against unauthorized access. 

Once ePHI leaves these physical controls (on laptops, removable media or in cloud storage), the technical safeguards take over. Encryption of ePHI at rest and in transit is an addressable specification, not a required one: the organization must either implement it or document why an alternative measure is reasonable and appropriate. In practice it is hard to justify skipping it, because the HHS treats ePHI encrypted in a manner consistent with NIST guidance as "secured"; a loss of such data is not a reportable breach, since the data is unusable, unreadable and indecipherable to whoever obtains it. Organizations remain free to select the encryption mechanism that fits their systems.

Physical Safeguards – HIPAA Security rule
Safeguard
Required / Addressable
Action
Contingency Operations
Addressable
Establish procedures that permit facility access to restore lost data in an emergency. These procedures should be in accordance with the disaster recovery plan and emergency mode operations plan
Facility Security Plan
Addressable
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
Access Control and Validation Procedures
Addressable
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision
Maintenance Records
Addressable
Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security like the hardware, walls, doors, and locks
Workstation Use
Required
Implement policies and procedures to specify the functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI
Workstation Security
Required
Implement physical safeguards for all workstations that access electronic PHI to restrict access to unauthorized users
Disposal of Device and Media Controls
Required
Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored
Media Re-use
Required
Implement procedures for removing ePHI from electronic media before the media are made available for reuse.
Accountability of Device and Media Controls
Addressable
Maintain a record of the movements of hardware, electronic media, and any person responsible for them
Data Backup and Storage
Addressable
Create a retrievable, exact copy of ePHI before moving equipment in which it is stored

If you are looking for support to understand how to implement the HIPAA Security Rule and would like to connect with a HIPAA Expert, please get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

Rules of HIPAA Compliance

Protected Health Information (PHI)

What are the rules of HIPAA Compliance?

Explore the basics of 5 main HIPAA Rules - HIPAA Security Rule, HIPAA Privacy Rule, HIPAA Breach Notifications Rule, HIPAA Enforcement Rule & HIPAA Omnibus Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards for all organizations that work with Protected Health Information (PHI) of US Residents. It applies to all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, etc. The scope and applicability of the Act have been amended since 1996 to include additional rules.

The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. To ensure that businesses are informed of best practices, the OCR regularly publishes recommendations on new issues affecting healthcare. It also investigates common HIPAA violations on a regular basis.

The Rules of HIPAA Compliance are:

  1. HIPAA Privacy rule
  2. HIPAA Security rule
  3. HIPAA Enforcement rule
  4. HIPAA Breach Notification rule
  5. HIPAA Omnibus rule

HIPAA Privacy Rule: This rule mandates appropriate safeguards to protect the privacy of PHI and ensures that patient data cannot be used or disclosed without patient authorization. It gives patients and their nominated representatives rights over their PHI, including the right to obtain a copy of their health records or  examine them – and the ability to request corrections if required.

HIPAA Security Rule: This rule outlines the standards that covered entities, business associates, and subcontractors must follow to protect PHI that is electronically created, accessed, processed, or stored. These standards are also intended for ePHI when it is at rest and in transit. The HIPAA Security Rule includes physical, administrative, and technical safeguards that organizations are required to implement.

HIPAA Breach Notification Rule: This rule outlines the protocol that organizations must follow when unsecured PHI or ePHI is breached. They must notify the affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. If a breach affects 500 or more individuals, they must also notify the HHS within the same 60-day period, and if it affects 500 or more residents of a state or jurisdiction, they must notify prominent media outlets serving that area. Breaches affecting fewer than 500 individuals must still be investigated and documented, and reported to the HHS through the OCR web portal within 60 days of the end of the calendar year in which they were discovered.

 The HIPAA Enforcement Rule: This rule governs how the OCR investigates complaints and breaches, conducts compliance reviews and hearings, and imposes civil money penalties. Fines are assessed per violation on a tiered scale based on the level of culpability, from lack of knowledge up to willful neglect that is not corrected, with an annual cap for violations of the same provision; the number of individuals affected and the harm caused are considered when setting the amount. Knowingly obtaining or disclosing PHI in violation of HIPAA can also bring criminal charges, which are prosecuted by the Department of Justice. HIPAA itself gives individuals no private right of action: affected patients file complaints with the OCR, and state attorneys general may bring civil actions on behalf of their residents.

 HIPAA Omnibus Rule: The HIPAA Omnibus rule addresses areas that previous HIPAA updates had left open. Its most important change was making business associates and their subcontractors directly liable for HIPAA compliance. The rule also streamlines Business Associate Agreements (BAAs). A BAA is a contract that must be signed and implemented between covered entities, business associates and subcontractors before PHI or ePHI is shared or transferred.

 There are two additional HIPAA rules which focus specifically on electronic data.

a) HIPAA Transactions and Code Set rule: This rule ensures a uniform way to exchange PHI between entities in the healthcare delivery ecosystem based on electronic data interchange (EDI) standards. It is used for all healthcare-related digital transactions.

b) HIPAA Unique Identifiers rule: This rule focuses on Identifier Standards for Employers and Providers. It requires employers and healthcare providers to have standard national numbers to identify them instead of their business names and other identifiers.

If you are looking for support to understand how HIPAA compliance rules apply to your organization and would like to connect with a HIPAA Expert, don’t hesitate to get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

What is Protected Health Information (PHI)?

Who is Covered under HIPAA?

What is Protected Health Information (PHI)?

Explore the 18 HIPAA Identifiers that constitute PHI or Protected Health Information under HIPAA & learn about de-identifying health data to reduce risk

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a set of mandatory standards to manage the use and disclosure of healthcare data, known as Protected Health Information or PHI. Complying with HIPAA is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, and any Organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability.

The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

Protected Health Information (PHI)

Any individually identifiable health information that a covered entity or business associate creates, receives, stores, maintains, or transmits is PHI: information about a person's past, present or future physical or mental health, the care they receive, or payment for that care, together with anything that identifies the person or could reasonably be used to do so. The HHS lists 18 identifiers which, when linked to health information about the individual (or their relatives, employers or household members), make the data PHI. They are:

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except the first three digits of a ZIP code covering a population of more than 20,000
  3. All elements of dates (except year) directly related to the individual, such as birth date, admission and discharge dates and date of death, and any age over 89
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate / license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic or code

HIPAA rules are focused on protecting PHI – HIPAA Security rule, HIPAA Privacy rule, HIPAA Breach Notification rule, HIPAA Omnibus rule and HIPAA Enforcement rule. There are specific safeguards and guidelines under each rule to ensure that Protected Health Information is handled with utmost care.

Organizations covered under HIPAA can reduce their exposure to penalties, fines and, for knowing misuse, criminal charges by de-identifying PHI wherever identifiable data is not needed, for example in analytics, testing and research data sets. De-identification means severing the link between a patient and their health information. Once de-identified, the data set is no longer PHI and falls outside HIPAA's restrictions; the organization itself remains covered, but its risk is significantly reduced. The HHS recognizes 2 methods of de-identification: Expert Determination, in which a qualified expert documents that the risk of re-identifying an individual is very small, and Safe Harbor, in which all 18 identifiers listed above are removed and the organization has no actual knowledge that the remaining data could identify the individual.

If you are looking for support to implement or evaluate your level of HIPAA Compliance, or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

Who is covered under HIPAA?

7 Benefits of HIPAA Compliance

Who is covered under HIPAA?

Who needs to be HIPAA compliant? Explore the types of organizations covered under HIPAA and the ways in which they are required to maintain compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is applicable to all entities in the Healthcare Industry. It outlines the rules and regulations with regard to the use and disclosure of protected health information (PHI) by organizations in the industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCR) enforces it. While healthcare providers who directly work with patients are aware of the regulation, it is crucial to understand the entire landscape of the healthcare service delivery ecosystem to which the Act applies. The insights below clarify the answer to another commonly asked question: "Who needs to be HIPAA compliant?"

There are three types of organizations that need to be HIPAA compliant:

  1. Covered Entities
  2. Business Associates (third-party service providers who work with covered entities)
  3. Subcontractors (Business Associates of Business Associates)

Who is covered under HIPAA?

Covered Entities
  Description: A Covered Entity is one of 3 types of organizations that directly work with patients and administer healthcare: a Healthcare Provider, a Health Plan or a Healthcare Clearing House.
  Examples: A Healthcare Provider includes Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes and Pharmacies, if they transmit any health information electronically. A Health Plan includes Health Insurance Companies, HMOs, Company Health Plans and Government programs that pay for healthcare, such as Medicaid, Medicare and healthcare programs for veterans / military. A Healthcare Clearing House includes entities that process nonstandard health information received from another entity into a standard format (e.g. a standard electronic format / data content), or vice versa.
  HIPAA Compliance: Mandatory
  Business Associate Agreement: Required between a Covered Entity and each Business Associate
  Penalties, Fines & Jail Time: Applicable & Direct

Business Associates
  Description: A "business associate" is a person or entity that performs specific functions or renders services to a covered entity which involve the use or disclosure of protected health information. A covered entity can be a business associate of another covered entity.
  Examples: Services rendered by business associates include legal, actuarial, accounting, web-hosting, managed IT and security services, financial, consulting, management, accreditation, data aggregation, data transmission and administrative services, accreditation agencies and medical equipment service companies. Typical business associate functions and activities are data analysis, processing or administration; claims processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.
  HIPAA Compliance: Mandatory
  Business Associate Agreement: Required between the Covered Entity and the Business Associate, and between the Business Associate and each of its Subcontractors
  Penalties, Fines & Jail Time: Applicable & Direct

Subcontractors (Business Associates of Business Associates)
  Description: Business Associates hire subcontractors to process, create, or store PHI. Subcontractors usually have no business associate agreement or direct relationship with the covered entity. However, because they handle patient data, they need to be HIPAA compliant.
  Examples: A hosted service provider like Amazon Web Services is a classic example of a subcontractor. With the increase in cloud-based services, there is an increased dependence on subcontractors by covered entities and business associates.
  HIPAA Compliance: Mandatory
  Business Associate Agreement: Required between the Business Associate and its Subcontractor
  Penalties, Fines & Jail Time: Applicable & Direct
 
All HIPAA rules are applicable to the healthcare service delivery ecosystem, which consists of organizations that fall into one of these three categories. Even if they are not directly engaged in delivering healthcare services, their workforce and vendors need regular HIPAA Compliance Training (annual training is the common practice) to ensure they are aware of the organization's security protocols and understand their accountability under HIPAA. They are required to have HIPAA-compliant policies and procedures and a Business Associate Agreement (BAA) with the entity that hires them or the entities they hire. The Security Rule also requires periodic technical and nontechnical evaluations of their safeguards; many organizations satisfy this with an annual assessment or attestation.

There is no registration process with the Department of Health and Human Services (HHS): an organization is covered by virtue of its role in the ecosystem and the PHI it handles, whether or not it has recognized that. The Office for Civil Rights (OCR) is authorized to enforce all HIPAA rules and regularly publishes guidance and best practices that covered organizations are expected to follow.

If you are wondering whether your organization is covered under HIPAA or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

7 Benefits of HIPAA Compliance

What is HIPAA?

7 Benefits of HIPAA Compliance

Explore the benefits of HIPAA compliance for healthcare providers, healthcare SaaS companies and healthcare business associates. Connect with HIPAA Experts


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines the rules and regulations with regard to the use and disclosure of Protected Health Information (PHI) by all businesses in the Healthcare industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCR) enforces it.

HIPAA Compliance is very beneficial for patients since it ensures their personal and identifiable information is protected from known and potential channels used for cyber-attacks. However, there are several benefits for HIPAA-compliant organizations as well. Some of the numerous advantages for Healthcare Providers, Business Associates, and Subcontractors are listed below.

1. Protect Health Records

HIPAA acts as a benchmark checklist for businesses that work directly or indirectly with Protected Health Information (PHI). It helps them plan a cumulative approach to security and data privacy. The Act equips the Healthcare industry and its allied businesses with the information they need to protect PHI from known, predictable, and potential channels and sources of cyber-attacks. The emphasis on regular staff training and readiness for an OCR audit or investigation ensures that businesses stay alert at all times.

2. Prevent HIPAA Violations, Penalties & Fines

Adherence to HIPAA rules helps Healthcare Providers, Business Associates and Subcontractors to prevent HIPAA violations. Since a HIPAA violation can lead to fines and, for knowing misuse of PHI, criminal penalties including jail time, being HIPAA compliant ensures they can protect their organization, personnel, and brand reputation.

3. Enforce a High Security Standard for Vendors

HIPAA compliance is mandatory across the Healthcare delivery ecosystem. This includes mandatory protection of PHI according to HIPAA rules by Business Associates, Subcontractors, and any vendor, even if they have access to only a few elements of PHI like diagnostic images associated with a patient ID. While this may not seem like identifiable information to us, it is a gold mine for hackers, who find ways to locate the personal information associated with the patient ID from other sources.

4. Protect your Brand Reputation & Ensure a Patient-First Approach

Being HIPAA compliant is mandatory not only for Healthcare providers but also for their Business Associates and Subcontractors. This ensures that a patient-first approach is adopted across the Healthcare delivery ecosystem. Since HIPAA is mandatory, an organization’s brand reputation is damaged if they are penalized by the HHS. In order to retain the trust of patients, B2B customers and their brand reputation, it is critical for organizations to evaluate their level of HIPAA compliance regularly.

5. Develop a Security and Compliance Process

Adherence to HIPAA requires regular maintenance of security protocols, with particular emphasis on the security rule and the physical and technical safeguards outlined under it. This is achieved by developing an IT compliance process to review if all the safeguards are in place. Developing this process is beneficial as it allows organizations to detect deviations faster and take corrective actions to prevent a cyber-attack.

6. Ensure Compliance across the Organization

HIPAA mandates specific actions from the IT department and all stakeholders, since its rules, amendments, and regular updates from the OCR make compliance a shared responsibility. The Act is mandatory for all businesses in the Healthcare Industry. As a result, businesses that are HIPAA compliant reduce their exposure to known sources / channels of data breaches, and it is less likely that ignorance of security protocols accidentally leaves a vulnerability / loophole in the system.

7. Implement Security Best Practices to Prevent Cyber Attacks

The OCR has a subscription service to share security best practices with organizations and regular updates about the security measures that need to be updated. This helps organizations to stay informed and implement them.

If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

What is HIPAA?

Learn HIPAA Basics, amendments to HIPAA and get an overview of HIPAA rules. Connect with HIPAA Experts


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards to manage the use and disclosure of Protected Health Information (PHI). It is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, and any Organization directly or indirectly working with PHI.

The Department of Health and Human Services (HHS) regulates HIPAA compliance while the Office for Civil Rights (OCR) enforces it. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

While the Act was passed in 1996, there have been several amendments to keep up with technological advancement:

  • The Security Rule Amendment of 2003, which introduced three categories of safeguards:
      • Administrative Safeguards
      • Physical Safeguards
      • Technical Safeguards
  • The Privacy Rules Amendment of 2003
  • The HITECH Act and Breach Notification Rule of 2009
  • The Final Omnibus Rule of 2013

The Final Omnibus rule of 2013 streamlined HIPAA compliance rules to include any business that stores, manages, records, or transfers Protected Health Information (PHI). These businesses are called ‘Business Associates’ under HIPAA. This broad term includes all vendors and subcontractors who directly or indirectly work with Healthcare Providers.

Currently, HIPAA consists of 5 main rules:

  • HIPAA Privacy Rules
  • HIPAA Security Rules
  • HIPAA Enforcement Rules
  • HIPAA Breach Notification Rules
  • HIPAA Omnibus Rule

There are additional rules that relate to transactions and code sets, in addition to unique identifiers. HIPAA compliance focuses on specific data privacy rules to protect sensitive patient data. Its aim is to create a culture in the healthcare industry to ensure protected health information’s privacy, integrity, and security. Annual HIPAA training of all personnel who come in contact with patient data is one of many aspects of the Act that ensures all stakeholders are involved and they understand their role in protecting PHI.

We recommend that IT professionals, CTOs, and CISOs carefully examine the details of the Administrative, Technical, and Physical Safeguards outlined under the Security Rule to ensure their IT systems are HIPAA compliant.

If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA