HIPAA

The HIPAA Security Rule defines controls that must be implemented to protect PHI. This requires the implementation and documentation of administrative, physical, and technical safeguards. The technical safeguards require appropriate access, audit, and encryption controls. Software handling PHI must have these controls in place and they must be documented.

Conducting tests to ensure an implementation is performed appropriately in software that stores or transmits e-PHI demonstrates that HIPAA-required controls are successfully in place. Provision 164.308(a)(8) of the HIPAA Security Rule requires organizations that transmit and store PHI to regularly perform technical and non-technical evaluations of these systems.

Synopsys can help organizations meet the software security-related regulations set by HIPAA. We can assist in evaluating an organization's overall control environment to determine if the various HIPAA Security Rule requirements are met.

Any organization handling healthcare data or PHI must ensure that their security program and software controls address the requirements of the HIPAA Security and Privacy Rules. Covered entities that meet these rules are able to process, store, and transmit PHI without fear of civil or criminal penalties.

Note that HIPAA rules establish a minimum standard for the implementation of IT and software security controls. Without these rules, organizations processing PHI have no specific requirements protecting their healthcare data (i.e., for maintaining the confidentiality, integrity, and availability of the data).

The enforcement of HIPAA standards by the U.S. federal government ensures that organizations take the implementation of PHI controls seriously. It also ensures that consumers of healthcare in the U.S. have an outlet if their PHI is mishandled.

Get started by establishing whether or not your organization is a covered entity. Once PHI is identified within an organization’s software or systems, a review of the covered entity’s security policies and procedures is the next step to identify gaps and implement controls.

The Health Information Trust Alliance (HITRUST) offers a common security framework (CSF) to help organizations implement HIPAA-required controls necessary for compliance. The HITRUST CSF allows for self-assessment to implement appropriate controls. However, some organizations may require a validated assessment that is performed by a HITRUST assessor. This assessment must then be submitted to the HITRUST organization for review and approval. Failure to achieve a HITRUST certification may prevent certain HIPAA-regulated organizations from receiving PHI from organizations requiring HITRUST compliance in their documented security requirements for third parties.

If a violation is reported to the OCR, your organization must be responsive to requests for evidence of HIPAA-required controls. Perform external reviews of your security program and implement technical assessments to demonstrate adherence.

Implement at least the minimum required testing and controls defined by HIPAA. Risks to PHI and the covered entity extend beyond checking a compliance box. As threats to privacy and security evolve and expand, expectations for implementing reasonable controls required by HIPAA will also continue to expand. The easiest way to handle evolving expectations is to be one step ahead.