How You Can Avoid HIPAA Penalties and Audits
If you are here you probably know what HIPAA is. You probably also don’t need us on the soapbox preaching how important HIPAA compliance is. What is probably less clear is what it means to be HIPAA compliant. Some guidance has been fairly specific, and some has been more of a “we’ll know if it’s wrong when we do an audit” type of guidance. Of course, at the other end of this “we’ll know it when we see it” type of compliance guidance are severe penalties, fines and public shaming on the HIPAA wall of shame.
A new HIPAA amendment signed into law on January 5th, 2021, called the “HIPAA Safe Harbor Law (HR 7898)”, is meant (in our own words) to provide a simplified path forward for HIPAA compliance. The icing on the cake for covered entities is that if they follow this simplified path, and can prove it, they will face significantly reduced fines and much shorter audits in the event of a breach or incident.
What is NIST CSF?
The new simplified path is to become compliant with a well-recognized security framework such as the NIST Cybersecurity Framework (CSF). While this is not exactly easy, it is clearer and more fleshed out. The NIST CSF is broken down into five main functions:
• Identify
• Protect
• Detect
• Respond
• Recover
The five functions are divided into 23 categories, which are further sub-divided into 128 subcategories. Each subcategory states a goal, but does not explicitly say how to achieve it. To achieve the goal, an organization must pick a specific control, or combination of controls, that works for it or can be modified to work for it. Recommendations are given for well-known controls.
A NIST CSF Compliance Example
Function: Identify
Category: Asset Management
Subcategory: ID.AM-1 – Physical devices and systems within the organization are inventoried.
To be compliant with this goal the company needs to have a list of the computers and other equipment it owns. At the simplest, a person can walk around and make a list. The inventory will change over time, though, so to really be compliant an organization should have a written policy that requires IT to update the inventory list whenever a new PC is purchased or retired. A procedure outlining exactly how this policy will be carried out would also be appropriate. Easy! ID.AM-1 can be scratched off the list!
We are not Attorneys
So align yourselves with NIST CSF and never worry about HIPAA fines again! … Is what we’d like to say. We are not attorneys, and while we think this is a great summary, you should always consult your legal counsel before taking kind, well-intentioned advice off the internet.