Seven best practices to enhance your HIPAA and cybersecurity programs

Jennifer Rathburn and Jennifer Hennessy, Foley & Lardner, LLP -

Two recent incidents involving ransomware campaigns that have affected health care organizations have highlighted the importance of preparedness in the event of a cyber-attack. One of the key elements is to revisit your organization’s compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

There are many cybersecurity frameworks that organizations are adopting to address cyber risk, but health care organizations at a minimum must comply with the HIPAA Security Rule. The HIPAA Security Rule is designed to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI) by requiring that covered entities and business associates implement certain administrative, physical, and technical safeguards outlined in the Rule. The first step in that process of developing and implementing appropriate safeguards is conducting a security risk analysis. The Security Rule specifically defines a security risk analysis as an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization. Organizations must use the results of the security risk analysis to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level in a risk management plan, and document those security measures in HIPAA Security Rule policies and procedures.

The Financial Impact of Cyber-Attacks
It is increasingly common for cyber-attacks to result in litigation, including class actions. It is also now standard for plaintiff’s counsel to use a health care organization’s failure to conduct a thorough and accurate HIPAA security risk analysis and implement a risk management plan as the basis for the claim that the organization was negligent in protecting individuals’ information. In addition, the Office for Civil Rights (OCR) was particularly active in 2016 and continues to be active so far in 2017. For example, the OCR announced more settlements in 2016 than in 2014 and 2015 combined and the OCR has issued nine resolution agreements so far this year, meaning it is on pace to beat 2016. In addition, in 2016 and 2017 the OCR issued the two largest penalties to date, of $5.55 million and $5.5 million, respectively. Many of these settlements, and the associated civil monetary penalties, involved insufficient security risk analyses. The OCR has released several pieces of cybersecurity guidance for the industry and has announced its intention to start investigating breaches affecting less than 500 individuals. The Federal Trade Commission has also indicated it intends to become increasingly active in this space.

We have guided many of our clients in their understanding of the evolving standard of care for cybersecurity compliance. We have synthesized industry best practices and regulatory and other standards applicable to our clients in bringing their policies, procedures, and practices into compliance with applicable laws and regulations and mitigating the risks of a breach and litigation.

Best Practices to Comply with the HIPAA Security Rule
Here are seven best practices to enhance both your HIPAA and related cybersecurity programs:
1. Review your current security risk analyses and identify areas for improvement and recommendations, such as improving documentation of the risk analysis to better ensure regulatory compliance, enhancing the attorney-client privilege of the risk analysis, and approaching future analyses in a way that maximizes their effectiveness and minimizes risk of a cyber-attack.
2. Assess risk management plans to ensure measures have been taken to reduce the risks and vulnerabilities identified in the security risk analysis and sharing best practice approaches used in health care and other industries.
3. Compare HIPAA and other cyber-related policies and procedures against best practice models and legal and regulatory requirements, and ensure they are updated based on the results of your most recent risk analysis.
4. Prepare security incident response plans that meet the requirements of HIPAA and other applicable laws to help your organization prepare to respond to a data breach.
5. Assess vendor management programs, including reviewing business associate, cloud, and other vendor contracts to ensure appropriate security controls are in place and liability and risk are appropriately allocated between the parties. Further, we help our clients determine how best to assess the security posture of vendors, such as through vendor questionnaires or third-party audits. We have developed best practice contractual approaches to manage the above issues and have been using them on behalf of clients for years.
6. Conduct table top exercises to see how your organization performs in a mock incident scenario.
7. Review and advise on cyber insurance policies, such as ensuring your organization has control to choose its data breach panel of experts, including your preferred legal counsel.

For more HIPAA security information and tips, please feel free to contact Foley HIPAA and Cybersecurity specialists, Jennifer Rathburn (JRathburn@foley.com) or Jennifer Hennessy (JHennessy@foley.com).

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.