Security by Design – The Key to Achieving HIPAA Compliance

Achieving HIPAA compliance can be complicated, costly and slow, and it can drain resources. At Thrive Global, we were able to achieve HIPAA compliance within 5 weeks because our Engineering Platform team applied security controls at each step in the data journey and the development process, significantly reducing security gaps and vulnerabilities.

This article explains how we accomplished this from a compliance perspective.

Thrive’s Software-as-a-Service (SaaS) platform provides well-being, mental resilience and productivity solutions to its customers’ employees. Because some of our customers are considered medical service providers under HIPAA, and their users may share data on our platform related to their mental well-being, we are considered a ‘business associate’ under HIPAA law and are required to comply with HIPAA regulations. This milestone of becoming HIPAA compliant demonstrates Thrive Global’s commitment to protecting the safety and privacy of our users and their personal data. HIPAA compliance enables our partners and other HIPAA covered entities to more effectively integrate into our platform so that we can continue to help improve the health and well-being of millions of people around the world.

How to Become HIPAA Compliant in 5 Weeks

Many small and medium businesses struggle to understand whether they need to be HIPAA compliant. If they do, they don’t always know where to start or how to become compliant in a cost-effective manner.

The consequences of non-compliance can be severe in terms of new customer acquisition, potential fines and damage to reputation.

Lack of understanding of HIPAA regulations and lack of resources can make achieving HIPAA compliance a daunting task. Despite facing similar challenges at Thrive Global, we were able to achieve HIPAA compliance within 5 weeks by utilizing the secure platform that our Engineering team built and by simplifying the process.

The first step is to determine whether you really need to be HIPAA compliant. If so, the next and most important step is to gain the support of your executive team. If you do not have executive support, and your engineering team does not apply the principle of “security by design”, the rest of the steps in this article will be challenging.

The following flow chart provides a high-level overview of the HIPAA compliance process.


What is HIPAA?

The U.S. Health Insurance Portability and Accountability Act (HIPAA) is the primary U.S. law governing the security and privacy of personal health information used by health insurance plans, medical providers, mental health professionals and their business associates.

What is protected by HIPAA?

HIPAA protects sensitive health information that can identify an individual.

PHI (Protected Health Information) is any individually identifiable health information relating to an individual, regardless of the form in which it is maintained (paper, oral, electronic, etc.).

Types of Organizations that are regulated under HIPAA

Covered Entity

The original source of PHI: an organization that provides treatment, payment or healthcare operations.

Business Associate

A person or entity that receives PHI from a covered entity or from another business associate.

What are the HIPAA Rules?

1. Privacy Rule — Rules governing the disclosure of PHI.

2. Security Rule — Standards to safeguard ePHI (electronic PHI).

3. Breach Notification Rule — Individuals and HHS must be notified within 60 days.

4. Enforcement Rule — How investigations are conducted.

5. Omnibus Rule — Closed gaps in the existing HIPAA and HITECH regulations (e.g., encryption standards).

HIPAA Privacy Rule 

These are the safeguards and protections governing the disclosure of PHI from a people standpoint, which include:

Administrative safeguards for the protection of PHI inside the business:

  • How we disclose/share data
  • How we educate new hires/contractors
  • How we store/retain PHI
  • How we handle breaches of data

The key to successfully implementing this rule is to create the privacy policy and standards and to conduct company-wide training.

HIPAA Security Rule

This rule covers the protection of PHI from an electronic standpoint, which includes:

Administrative, physical and technical safeguards for the protection of ePHI data processed and stored within the business infrastructure.

  • Ensure Confidentiality, Integrity and Availability of PHI
  • Protect data against physical disasters (fire, flood, etc.)
  • Protect data against unauthorized access

The key to successfully implementing this rule with minimal resources and costs is to:

  1. Identify your champion in the Engineering group (Infrastructure/Platform and backend) and partner with them.
  2. Ensure the following security safeguards are in place:

Administrative – Policies and procedures on how to comply with the security rule, such as:

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Access Management
  • Security Awareness and Training
  • Security Incident Response Plan
  • Contingency Plan
  • Audit & Risk Assessment

Physical – The protection against unauthorized access, such as:

  • Door locks
  • Employee badges
  • Surveillance camera
  • Locked cabinets for records with PHI
  • Fireproof storage for records with PHI
  • Computer servers in locked rooms
  • Data backup stored offsite
  • Screensavers / screen locks

Technical – The protection of access and transmission of PHI, such as:

  • Access Control: Implement procedures that grant users only the permissions necessary to do their jobs, together with logging and encryption.
  • Audit Controls: Mechanisms to detect possible breaches, with audit trails to investigate file access and alterations.
  • Authentication Policy: Have policies and procedures in place to ensure that users accessing ePHI systems are the authorized users they claim to be.
  • Data Integrity: Ensure ePHI is secured against “improper alteration or destruction,” and prevent unauthorized personnel from accessing the confidential information or making unauthorized changes.
  • Transmission Security: Implement technical security measures that protect ePHI in transit and at rest and ensure integrity after transmission.

HIPAA Breach Notification Rule 

Investigate, Mitigate, Document, Notify 

A Data Breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

If fewer than 500 records are affected:

  • Notify the impacted individuals and/or entities that a breach has occurred.
  • If 10 or more individuals cannot be reached, you are required either to post a notice of the breach on the website for at least 90 days or to publish it through a major media outlet.
  • Notifications to individuals must be completed as soon as possible, and no later than 60 days after the breach.

If more than 500 records are affected:

  • Notify the media.
  • Complete the media notifications as soon as possible, and no later than 60 days after the breach.
  • Notify the U.S. Department of Health & Human Services (HHS) no more than 60 days after the breach occurs.

Process for Becoming HIPAA Compliant

Understanding the HIPAA requirements and knowing what to do about them are two different things. The flow chart lists the actual actions you will need to take to reach a state of compliance, and the evidence you will need to produce for each; they are grouped below by area.

Access Control 

For the production environment (network, DB, OS, apps, DevOps, developers, DBAs, SysAdmins) and Enterprise IT:

  • Privileged Access 
    • Users and Admin listings with roles and permissions 
  • Authentication
    • Password or authentication setting
    • Account lockout settings 
  • Access Management
    • Policies and Procedures
      • Access Control
      • Information Security
      • Hiring and termination
      • Authentication

Availability

  • Data Backup
    • Offsite backup contract and invoices
    • Backup policies and procedures
    • Backup configuration and restoration test
  • BCP/DR – Contingency plan policies and procedures
  • Asset Management – Inventory list of all systems

Data and Change Management

  • Software Development – File integrity monitoring (FIM) configurations
  • Data Retention, Handling and Disposal
    • List of all data disposals
    • Data disposal vendor’s contract
    • Data Retention and Disposal policies and procedures
    • Media inventory
  • Data Classification
  • Removable media configurations

Monitoring & Incidents

  • Incidents
    • Notification, Response, and Resolution
    • List of data breaches
    • Incident Response Plan
    • Breach Handling and Notification policies and procedures
  • Logging
    • Audit log settings for the Production environment
    • Access logs
    • Security logging policies and procedures

Management 

  • Resources
  • HR
    • Employee manual/handbook and code of conduct
    • List of employees (new hire, terminated, current, transferred)
  • Disciplinary/Sanctions Policy and Procedure
  • Workforce HR Policy & Procedures and Training

Risk Management

  • Risk Assessment and Audit
    • Risk assessment policies and procedures
    • Conduct annual risk assessment
  • Vulnerability Management 
    • Monthly scan
    • Annual penetration testing

Systems Operations

  • Encryption
    • Encryption configurations for data in transit and at rest
    • Encryption policies and procedures
  • Firewall
    • Network diagrams
    • Firewall/Router configuration policies and procedure
    • DMZ configurations
    • NAT
    • FW ruleset configuration
  • Malware Detection
    • Anti-virus policies and procedures
    • Configuration settings 
    • IDS/IPS configurations
  • Mobile Device Management
    • Inventory list of all mobile devices
    • List of all employee-owned mobile devices

Summary Tasks

  1. Implement privacy and security policies, procedures and standards that are mapped to HIPAA.
  2. Designate a security and privacy officer and committee.
  3. Implement technical controls for encryption, data backup, retention, handling and disposal.
  4. Grant the minimum necessary access to PHI and limit its disclosure accordingly.
  5. Conduct effective security and HIPAA training.
  6. Conduct internal auditing and risk assessment.
  7. Enforce standards through disciplinary guidelines.
  8. Implement logging and proactive monitoring.
  9. Implement change management and a mature incident response process.

The largest obstacle to achieving compliance is the implementation of technical security controls (step 3 above). If security controls have not been built into your environment, this step alone can take 6 months to 1 year to complete. Our ability to achieve compliance in 5 weeks was largely because our engineering team had adopted a ‘security by design’ approach and had built security controls directly into the platform.

Disclaimer

This article shares a simplified method for becoming HIPAA compliant that was successful for Thrive Global. The information shared in this article does not qualify as legal advice, and the author does not guarantee that following these steps will result in successful HIPAA compliance. Please consult with your company’s compliance, privacy, and legal teams. 

By Hanna Sicker – Director of Security and Compliance at Thrive Global