HIPAA is the Health Insurance Portability and Accountability Act. It’s quite a mouthful. If you’re a life sciences company wanting to trade in the US, it’s also a vital standard that you need to make sure you’re meeting.
Because although it’s usually mentioned in the same breath as GDPR in the EU or UK, HIPAA has a much narrower scope – health data. But it also has some rules that can be more specific.
HIPAA is organisation-centric. If your organisation operates in the US and you handle the medical data, you need to be compliant.
The penalties for failing to do so are severe. Up to $50 000 for an individual violation to a maximum of a $1.5 million fine per year. You can also face jail time if you are the one responsible for protections not being in place.
So let’s find out a little bit more about the HIPAA. And, more importantly, what to do to make sure you’re compliant.
The Health Insurance Portability and Accountability Act was enacted in the US in 1996. It’s a set of rules and regulations that cover how to use and disclose Protected Health Information (PHI).
The HIPAA rules also govern how to secure PHI and what happens if there is a PHI breach – who you need to inform, when, and so on.
The combination of COVID-19 and recent technological developments have created huge opportunities for patients’ health data to be compromised.
Even if the penalties for failing to be HIPAA compliant weren’t so harsh, it would still be smart practice to get the right protections in place if you want to protect your patients, your clients, and your company.
The first step in HIPAA compliance is to identify the areas where your organisation uses PHI and the ways it could be accessed.
A risk assessment shouldn’t be a one-time-only activity. Carry out assessments on a regular basis to identify and manage newly developed risks, both in the way your organisation handles data and the emerging threats in the outside world.
Make sure your users have unique usernames and passwords. You must also control who has access to Protected Health Information within your organisation.
Plus, there should be controls in place to test and verify that PHI has not been changed or deleted by someone not authorised to do so.
There is a part of the HIPAA that governs devices management. First of all, you must have automatic system log-offs in place when a device that can be used to access PHI has been inactive for a certain time.
You also need any device that can access PHI to have a remote wipe capability. This means that if it is stolen or lost, you can use mobile device management tools to delete any data that is on it.
Any messages that are sent outside of your immediate network need to be encrypted to NIST (the US National Institute for Standards and Technology) standards.
Any devices that can be used to access PHI should log unauthorised attempts to access and log any data that is accessed during that attempt.
If you’re based in the UK, HIPAA regulations aren’t something your team are likely to naturally know about. This makes staff training something that needs to be a priority if you want to make sure you’re compliant.
The HIPAA says that you should document all training and include regular assessments of PHI-related procedures to make sure you’re up-to-date.
Overall, your team needs to know what to do in the event of a cybersecurity situation, including a full data breach.
Prevent parties that don’t need to have access to the PHI your organisation controls from being able to get at it, even accidentally. This includes both people inside your team and third parties like vendors or parent companies.
What will you do in the event of a data breach where PHI is exposed? You need to write up a set plan that governs:
This isn’t a truly exhaustive list of HIPAA compliance measures that international life sciences organisations need to bear in mind when doing business in the US. But it’s a solid start on the path to making sure that you, your organisation, and your clients and patients are properly protected.
Let’s talk. Dial A Geek helps nearly 1000 businesses in and around Bristol with their cybersecurity.
Organise a chat with Chief Geek Gildas Jones today by following this link to his calendar. There’s no cost or commitment. Just all the information you need to take the next steps to protect your business.