Achieving HIPAA Compliance Isn’t Just for Healthcare Providers
Businesses in industries subject to strict compliance and regulatory requirements are often anxious about migrating to the cloud for fear that a managed services provider will not be able to meet their compliance demands. If you’ve been involved in the increasingly complex world of business IT for long, you’ve probably already heard the term “HIPAA-compliant.” Perhaps, like many, you assume that HIPAA compliance is relevant only to businesses in the healthcare industry.
HIPAA stands for the Health Insurance Portability and Accountability Act, which was enacted in 1996 under Bill Clinton and written into public law. The act was introduced to ensure that employees would still have their medical insurance paid for them even after leaving the company. However, the act also introduced regulations designed to protect the privacy of patients by setting certain standards for the handling of information, including the storage and transmission of digital data.
Is HIPAA Relevant to My Business?
HIPAA applies to two types of entities: covered entities and business associates. Covered entities are simply health plans, health care clearinghouses, and health care providers who electronically transmit health information.
However, any IT department that creates, stores, sends or receives protected health information (PHI) on behalf of a covered entity falls into the broader category of a business associate. In other words, if your company has access to data owned by a covered entity, then you’ll certainly need to be HIPAA-compliant. Even if you don’t currently fall under that category, you might want to consider ensuring you can become compliant the moment a covered entity asks whether you can meet their requirements.
As part of the HIPAA law, covered entities are legally obliged to sign business associate agreements with any vendors or contractors that have access to PHI — regardless of how unrelated that access is to the working relationship. These business associates may include, but are not limited to, technology providers, software providers, financial service providers, business services and legal services.
How Can My Business Achieve HIPAA Compliance?
Achieving HIPAA compliance as a business associate is imperative if you work with any covered entities, but simply signing a business associate agreement alone does not necessarily make you compliant right away. There are several steps you’ll need to take, starting with a security risk assessment of your business. At this stage, you’ll need to determine how information is stored and transmitted within your business.
Your risk management plan needs to cover administrative, physical and technical safeguards. Technical safeguards should, for the most part, already be taken care of, since data security is a crucial factor in any modern business anyway. Physical safeguards consider the various standards you set for physically securing your systems. Administrative factors are a little more complicated, since the ones outlined by the HIPAA legislation aren’t always relevant to every business.
HIPAA requires relevant entities to address four main rules, which pertain to privacy, security, enforcement and breach notification:
- Privacy establishes the standards for protecting patient health information.
- Security addresses both the technical and non-technical safeguards in place.
- Enforcement outlines investigations and penalties for failing to comply.
- Breach notification requires relevant parties to notify authorities of a breach.
For the most part, compliance is about documenting everything and abiding by the rules laid out by the HIPAA legislation. Failure to comply can lead to severe fines. It’s also important to remember that the biggest risk still comes from business associates rather than covered entities themselves. As such, if your company offers any business service to a covered entity, the reputation and the very future of your company hangs on your ability to protect their data.
Being HIPAA-compliant means satisfying the elements of the privacy and security rules while having the necessary resources in place to enforce them. It’s also important to remember that HIPAA compliance isn’t a one-time task – it’s an ongoing process that needs to evolve and change with technology to ensure that it stays relevant. After all, a single violation is often all it takes to put your company out of business for good.
Dyrand Systems provides a comprehensive range of IT services for businesses in various industries, such as manufacturing, finance and insurance. Talk with our experts today to start addressing the IT concerns of your business.
What Canadian Companies Need to Know About GDPR
If your organization does business with citizens of the EU, then you’ll need to make sure you’re up to date with the new GDPR legislation. The General Data Protection Regulation will become enforceable on May 25, 2018, and the penalties for failing to comply can reach up to 4% of your global annual revenue.
The big question that many companies based in Canada have been asking over the past year is how the legislation concerns them. The first and most important thing to understand is that GDPR is designed to protect the privacy of all EU citizens. It doesn’t matter if you have no physical presence within any EU territory – if your activities involve collecting the personal data of any EU citizen, then you’ll need to be compliant.
GDPR will apply to your company if it meets any of the following criteria:
- You monitor the digital activities of EU citizens, such as with tracking cookies.
- You have a physical presence or representation within any EU territory.
- You offer goods or services directly to EU citizens.
- You have business partners that process data within the EU on your behalf.
- You have any supply chain members or B2B clients based in the EU.
What Do You Need to Do to Become Compliant?
To avoid being hit by enormous fines and suffering severe damage to your reputation, it’s important to understand the purpose of the GDPR legislation. Unsurprisingly, the law aligns with Canada’s own PIPEDA law in many ways, which should make your journey toward compliance somewhat easier. However, there are some important differences between the two, so you’ll still need to conduct a separate compliance assessment for GDPR.
Unlike PIPEDA, GDPR defines two types of entities that must be compliant. There are Controllers, who decide how personal data is processed and for what purpose; and Processors, who process data on their behalf. For example, a cloud storage provider or a backup and disaster-recovery service might be considered a Processor. It is important that you understand this definition because, as a Controller, you’ll be legally obliged to conduct a Privacy Impact Assessment (PIA). Moreover, the responsibility falls on you to ensure that any company that processes data on your behalf is also compliant per their obligations as a Processor.
Since you don’t have much time left to become compliant, you’ll need to act as soon as possible by establishing a compliance roadmap. Once you’ve familiarized yourself with the legislation, you’ll want to start the process by identifying every data-bearing system and processor your business relies on. Create a complete list of internal and outsourced assets, including applications, file servers, backup and cloud storage facilities, hosted apps, and mobile devices. Once you have built a complete inventory of all your digital assets, you’ll be ready to conduct a risk assessment and deal with any potential gaps in compliance.
Although there is a great deal of crossover between PIPEDA and GDPR, GDPR introduces much stricter rules on data breach notifications and the appointment of a data-protection officer. PIPEDA does not set any legal deadline for reporting data breaches, whereas GDPR demands that companies alert the relevant compliance authorities, as well as anyone affected by the breach, within 72 hours of it being discovered.
Once you’ve carried out a risk assessment and a thorough overview of your current compliance status, it will be time to fill in the gaps. The next thing you will need to do is appoint a data-protection officer who will be responsible for overseeing your data-protection strategy to ensure compliance. This member of your team will also need to routinely audit your business’s compliance efforts. This way, if you were to fall foul of the GDPR, you should have evidence to demonstrate that you took major steps to secure your data and protect customers’ privacy, therefore absolving yourself of a degree of responsibility.
What Are the Benefits of Achieving Compliance?
Despite the extra costs and red tape involved in becoming GDPR-compliant, there are a few ways it can directly benefit your business. For example, as organizations struggle to keep up with ever-changing regulations, you could view compliance as a competitive advantage. Furthermore, given how quickly things change, it’s always wise to stay one step ahead when it comes to matters of compliance and security. In fact, Canada’s very own PIPEDA legislation is due to be updated later this year with some additions that will bring it closer in line with GDPR.
Achieving regulatory compliance is much harder if you’re running a small business and doing everything yourself. Dyrand Systems is here to make technology easier and more effective all while helping you meet your security and compliance obligations. Talk to us today to get started with a free assessment.