
HIPAA and Internal Security Controls

In June 2023, the U.S. Department of Health and Human Services (HHS) reached a settlement with Yakima Valley Memorial Hospital over a significant breach of the HIPAA Privacy and Security Rules. Specifically, HHS found that several security guards had inappropriately accessed the private records of up to 419 patients.

This settlement demonstrated that administrative and internal security controls are essential for Covered Entities and Business Associates. We will discuss these controls and what they mean for HIPAA-regulated organizations.


Physical and Insider Threats Under HIPAA

HIPAA sets specific requirements for Covered Entities (CEs) and Business Associates (BAs) to safeguard PHI. While we’ve often discussed cybersecurity as it relates to HIPAA, it is just as critical to have measures in place that prevent people who work for a CE or BA from viewing or stealing information their job gives them no reason to handle.

Generally speaking, here are some of the expectations related to protection against physical security threats and insider threats:

Physical Security Threats


Insider Threats

In the case of Yakima Valley, the primary issue was that security guards, who have no job-related reason to access PHI, were doing so using credentials issued to them for their work.


What Are HIPAA Administrative Controls?

A different but parallel requirement is the management of administrative controls. These differ from physical security controls in that they cover training, policy creation and enforcement, and access management rules. They may overlap with physical security, but they exist as a category of their own.

Under the HIPAA Security Rule, Covered Entities (CEs) and Business Associates (BAs) are required to meet some of the following administrative requirements:

While administrative controls might seem unrelated to the Yakima Valley case, consider that the offending individuals could open patient records freely, and apparently did so without being detected until long after the fact. That is a breakdown of credential provisioning, access control and audit review, which are administrative issues.
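The two controls that would have caught the Yakima Valley pattern are a preventive one (a role with no clinical or billing need is never granted record access in the first place) and a detective one (the EHR audit trail is reviewed for access by non-permitted roles, access by permitted users with no care relationship to the patient, and one user touching many charts in a short window). The following is an added illustration of both, not code from the article, from Continuum GRC, or from HHS/OCR. The log format, the role names, the care-team mapping and the bulk threshold are assumptions chosen for the example; the audit records are constructed, not real data.

```python
"""Audit-trail review for PHI access with no job-related need.

Added example; not code from the article, Continuum GRC, HHS or OCR.
The log format, role names, care-team mapping and bulk threshold are
assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed minimal-necessary policy: only these roles may open patient records.
PHI_PERMITTED_ROLES = {"physician", "nurse", "billing"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str          # timestamp recorded by the EHR audit trail
    user: str        # login name
    role: str        # role from the identity system at the time of access
    patient_id: str
    action: str      # e.g. view_record, print_record


def parse_log(lines):
    """Parse constructed 'ts|user|role|patient|action' lines into events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split("|")
        events.append(AccessEvent(ts, user, role, patient, action))
    return events


def role_may_access_phi(role):
    """Preventive check an access-control layer should enforce before any read."""
    return role in PHI_PERMITTED_ROLES


def review_access(events, care_team, bulk_threshold=5):
    """Detective control over the audit trail.

    Returns (user, patient_id, reason) findings:
      role_not_permitted   - role has no business need for PHI at all
      no_care_relationship - permitted role, but user is not on that patient's care team
      bulk_access          - one user touched >= bulk_threshold distinct patients
    """
    findings = []
    patients_per_user = defaultdict(set)
    for ev in events:
        patients_per_user[ev.user].add(ev.patient_id)
        if not role_may_access_phi(ev.role):
            findings.append((ev.user, ev.patient_id, "role_not_permitted"))
        elif ev.user not in care_team.get(ev.patient_id, set()):
            findings.append((ev.user, ev.patient_id, "no_care_relationship"))
    for user, patients in sorted(patients_per_user.items()):
        if len(patients) >= bulk_threshold:
            findings.append((user, "*", "bulk_access"))
    return findings


# Constructed sample audit trail (not real data).
SAMPLE_LOG = """
# ts|user|role|patient|action
2023-01-10T08:02:11|rn.alvarez|nurse|P1001|view_record
2023-01-10T08:05:40|rn.alvarez|nurse|P1042|view_record
2023-01-10T22:14:03|guard.p|security_guard|P1001|view_record
2023-01-10T22:15:20|guard.p|security_guard|P1002|view_record
2023-01-10T22:16:51|guard.p|security_guard|P1003|view_record
2023-01-10T22:18:07|guard.p|security_guard|P1004|print_record
2023-01-10T22:19:30|guard.p|security_guard|P1005|view_record
""".splitlines()

# Assumed patient -> care team assignments from the scheduling system.
CARE_TEAM = {
    "P1001": {"rn.alvarez", "dr.okoye"},
    "P1002": {"dr.okoye"},
    "P1003": {"dr.okoye"},
    "P1004": {"rn.alvarez"},
    "P1005": {"dr.okoye"},
}


def findings_by_reason(findings):
    """Count findings per reason, the shape a compliance report would tabulate."""
    counts = defaultdict(int)
    for _, _, reason in findings:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, patient, reason in review_access(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(f"{reason:22} user={user} patient={patient}")
```

Run against the constructed log, the guard account produces five role_not_permitted findings and one bulk_access finding, while the nurse's single access to an unassigned patient produces a lower-severity no_care_relationship finding that a reviewer would check against break-glass or float-pool records rather than treat as a violation outright. The point of the split is that the preventive check (`role_may_access_phi`) should live in the access-control layer so the guard's reads never succeed, and the detective review should still run because role assignments drift.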


Penalties for Breaches Due to Insiders or Lack of Administrative Controls

HIPAA provides standard penalty tiers for data breaches and HIPAA violations. However, there is some flexibility in how these penalties are applied. Furthermore, HHS wants healthcare organizations to meet their regulatory requirements, which means it can help organizations remediate issues… if the organization is willing to do that work.

In the case of Yakima Valley Memorial, the Office for Civil Rights (OCR, the office within HHS that enforces HIPAA) chose to resolve the matter through a settlement agreement under which the hospital paid $240,000.

Additionally, OCR and HHS expect Yakima Valley Memorial to adhere to a set of requirements, including:

These corrective actions have been made public on the HHS website and describe the specific failures that led to the breach.


Stay Ahead of HIPAA Regulations with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

