WHAT ARE THE RESPONSIBILITIES OF A HIPAA COMPLIANCE OFFICER? Flashcards

1
Q

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to designate someone responsible for compliance: the Privacy Rule requires covered entities to designate a privacy official (45 CFR 164.530(a)), and the Security Rule requires covered entities and business associates to designate a security official (45 CFR 164.308(a)(2)). In practice these roles are commonly referred to as the HIPAA compliance officer.

A

This position may be filled by an existing employee, or a new employee can be recruited to take on the role.
It is also permitted to outsource the position, either temporarily or permanently.

2
Q

What do HIPAA Compliance Officers do?

A

The volume of work of a HIPAA compliance officer depends on two things: the size of the covered entity or business associate, and the number of patients and the amount of protected health information (PHI) that is created, received, used and maintained.

3
Q

The duties of a HIPAA compliance officer in large healthcare organizations are often divided between two individuals:

A

A HIPAA security officer and a HIPAA privacy officer.

4
Q

The responsibilities of a HIPAA privacy officer include:

A

1) Developing and maintaining a HIPAA-compliant privacy program
2) Ensuring the enforcement of privacy policies
3) Overseeing the privacy training of employees
4) Conducting a risk analysis and creating HIPAA-compliant procedures where needed
5) Monitoring compliance with the privacy program
6) Investigating and reporting incidents involving breaches of PHI
7) Ensuring the protection of patients’ rights in accordance with federal and state laws
8) Keeping up to date with pertinent state and federal laws

5
Q

The responsibilities of a HIPAA Security Officer are similar to those of a Privacy Officer. That individual is also responsible

A

1) for developing security policies,
2) implementing procedures,
3) conducting training, and
4) performing risk analyses and
5) monitoring compliance.

6
Q

Where the role of a HIPAA security officer differs from that of a HIPAA privacy officer is that the security officer’s focus is more

A

on compliance with the administrative, physical and technical safeguards of the HIPAA Security Rule, i.e. on protecting electronic PHI (ePHI), whereas the privacy officer is concerned with the permitted uses and disclosures of PHI governed by the Privacy Rule.

7
Q

Specific duties of a HIPAA security officer can include

A

1) developing a contingency plan, including data backup and disaster recovery plans,
2) implementing mechanisms for preventing unauthorized access to ePHI, and
3) implementing mechanisms for the secure transmission and storage of ePHI, such as access controls, encryption and audit logging.

8
Q

HIPAA regulations do not give an exact definition of the duties and responsibilities of a HIPAA compliance officer. It is up to the covered entity or business associate to determine what duties are required according to the organization’s specific requirements.
In order to be effective,

A

it is essential for HIPAA compliance officers, security officers, and privacy officers to have a thorough working knowledge of the HIPAA regulations and the HITECH Act, and to be familiar with state laws concerning the privacy and security of personal and health information.

9
Q

HIPAA PASSWORD REQUIREMENTS

A

Like many requirements of the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA password requirements are written in a technology-neutral way that is meant to cover many different present and future scenarios. The Security Rule itself only calls for "procedures for creating, changing, and safeguarding passwords" as an addressable specification of the security awareness and training standard (45 CFR 164.308(a)(5)(ii)(D)) and sets no length, complexity or rotation rules. Consequently, the requirements can be a source of confusion for Covered Entities and Business Associates.

10
Q

Employers, despite maintaining health care information about their employees, are

A

not generally Covered Entities unless they provide self-insured health coverage or benefits such as an Employee Assistance Program (EAP).

In these cases the employer is considered a “hybrid entity”: the parts of the organization that administer the health plan are subject to HIPAA, and any unauthorized disclosure of PHI by those parts may still be a breach of HIPAA.

11
Q

On January 5, 2021, President Trump signed bill HR 7898 into law, which amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to create what is commonly, if loosely, called a safe harbor for HIPAA-covered entities and business associates that

A

can demonstrate that they had recognized security practices in place for at least the 12 months preceding a data breach, audit or investigation.

12
Q

HR 7898

A

The aim of the bill is to encourage HIPAA-covered entities and their business associates to adopt a recognized security framework.

The amendment requires the HHS Office for Civil Rights (OCR) to take recognized security practices, such as adoption of a recognized cybersecurity framework, into consideration when determining fines and other remedies related to Security Rule violations and data breaches.

The bill also allows demonstrated adoption of such practices to result in the early, favorable termination of an audit. It does not remove the underlying obligation to comply with the Security Rule.

13
Q

On January 5, 2021, President Trump signed into law a bill (H.R. 7898) containing provisions that require the Secretary of Health and Human Services to consider certain recognized cybersecurity practices when making determinations against HIPAA-covered entities and business associates that have suffered a cyberattack.

A

For example, the bill recognizes cybersecurity practices established under the National Institute of Standards and Technology Act and approaches established under Section 405(d) of the Cybersecurity Act of 2015 by the Healthcare and Public Health Sector Coordinating Council (HSCC) Working Group, whose members include the AHA.

14
Q

The HR 7898 bill defines these security practices as:

A

1) Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
2) The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
3) Programs and practices that address cybersecurity and are developed, recognized, or promulgated through regulations under federal statutory authorities other than HIPAA.
These standards are already defined by other institutions such as NIST. Although in theory you should already be doing these things, the government has decided to incentivize good practice.

15
Q

HR 7898 Not a Safe Harbor

A

While some have referred to HR 7898 as a HIPAA Safe Harbor, the provision does not help healthcare covered entities or business associates avoid liability for HIPAA violations. The law clearly states that “Nothing in this section shall be construed to limit the Secretary’s authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate’s obligations under the HIPAA Security Rule.” Instead, it requires HHS Office for Civil Rights (OCR) to consider if the covered entity or business associate adequately demonstrated that it adopted certain recognized cybersecurity practices for the year preceding an audit or investigation. If so, OCR should consider this when determining the length and outcome of the audit, fines, or resolution agreement terms.

16
Q

HR 7898 defines recognized security practices as:

A

“standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

17
Q

Currently, the two named sources of recognized security practices identified in HR 7898 are:

A

The NIST Cybersecurity Framework (developed under the NIST Act)

Section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices, HICP, publication)

18
Q

If you represent a covered entity, it is important to remember that you bear much of the responsibility if your business associate (BA) experiences a breach that affects your protected data. And, since the covered entity is responsible for notifying affected individuals and HHS of breaches,

A

you’ll want to operate with confidence that your BAs implement processes that keep your electronic protected health information (ePHI), personally identifiable information (PII), and other sensitive data safe.

19
Q

NIST Cybersecurity Framework

A

Your organization and your business associates have the leeway to determine which practices you adopt. The NIST Cybersecurity Framework is one you may want to consider.

This framework identifies five core functions:
Identify
Protect
Detect
Respond
Recover
20
Q

There are 22 related categories for those five functions (in version 1.0 of the Framework; version 1.1 added Supply Chain Risk Management under Identify, for 23 categories), followed by almost 100 subcategories of security activities to help guide your program development.

Here’s a quick look at those core categories and how they relate to the five functions:

A
Identify
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
Protect
Access Control
Awareness and Training
Data Security
Information Protection Processes and Procedures
Maintenance
Protective Technology
Detect
Anomalies and Events
Continuous Monitoring
Detection Processes
Respond
Response Planning
Communications
Analysis
Mitigation
Improvements
Recover
Recovery Planning
Improvements
Communications
With the NIST Cybersecurity Framework, your organization can choose which controls and functions make the most sense today. Then you can implement additional controls over time to mature your cybersecurity posture.
21
Q

There are numerous control catalogs and frameworks mapped to the NIST Cybersecurity Framework as informative references. These mappings give organizations flexibility when deciding on a control framework.

A

For example, NIST SP 800-53, ISO/IEC 27001, and the CIS Controls are mapped to the Framework. There is also a mapping of Section 405(d) to the Framework. This mapping can help organizations decide the extent of controls or elements of the Framework that are right for them, using the information within the 405(d) documentation on recommended baseline controls for organizations of different sizes.

22
Q

An essential benefit of the NIST Cybersecurity Framework is that it facilitates the conversation between your information security team and your executives and key stakeholders. This conversation is often overlooked and is crucial to help frame your cybersecurity program in a way that not only protects and secures your sensitive data but also aligns it to your organization’s overall goals and objectives. It’s intended to facilitate these types of discussions at all levels across your organization.

A

You can use the five core functions, for example, as an outline to give your board members a high-level look at the heart of your program, what you want to achieve, and why it’s important. Then you can go a little deeper with your executives by breaking down those 22 related categories, saving the subcategories and individualized controls conversations for your teams responsible for managing and maintaining these activities on an ongoing basis.

23
Q

HIPAA Mapping

A

In addition to maturing your cybersecurity practices by implementing a framework similar to NIST, you can also get better insight into your HIPAA compliance performance by mapping your existing HIPAA-related processes to the NIST Cybersecurity Framework.

Doing this type of mapping can help you understand all of your compliance requirements. It can help measure performance and identify security gaps before you experience a breach. It can also help identify non-compliance before a regulatory body cites you or a valued partner calls into question your meeting of contractual requirements. You can also use this approach to understand better, assess, and manage your organization’s risks and risk profile.

24
Q

Ex: Phishing schemes are on the rise, and healthcare entities are prime targets.

A

What’s your risk of falling prey to a phishing scheme?
What would the impact of a successful phishing attempt be on your organization?
If a phishing attempt is successful at each level within your organization, what could the potential impact be?
How long would it take your team to find this breach?
What lateral movement could an attacker make within your organization? How can you mitigate these risks?
What plans do you have in place to stop an active breach, contain it, and recover to business as usual?
While HIPAA requires you to keep that sensitive data safe, mapping that requirement to your security and risk management frameworks can help you see where you have deficiencies so you can address them before a risk becomes a reality. If you can demonstrate to OCR that you had these practices in place for the previous 12 months, you should see reduced penalties if a HIPAA violation is found.

With HIPAA, we talk about having a cybersecurity program that’s reasonable and appropriate for your organization. There can be a lot of ambiguity there, but adopting a framework like the NIST Cybersecurity Framework can give you a solid structure for your program, and HR 7898 provides additional support that your program meets the reasonable and appropriate standard.

25
Q

Under section 405(d), HHS convened the CSA 405(d) Task Group to

A

enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use.