It’s been more than two decades since the Health Insurance Portability and Accessibility Act (HIPAA) was introduced, but many nonprofits are still working to implement policies and procedures that ensure the safe handling of all personal health information (PHI). HIPAA compliance for nonprofits can be complex, but the following tips will help to keep you on track.
Technology Considerations for HIPAA
The core principle underlying HIPAA is that any organization that provides health services, and which is entrusted with personal health information in the course of providing those services, has a responsibility to do whatever it reasonably can to keep that PHI confidential and safe.
From a technological standpoint, that means your nonprofit should be:
- Encrypting sensitive information at all times, both “at rest” (where it is stored) and “in transit” (as it moves over a network when it is submitted, updated, synchronized, etc.), by way of full-device encryption and secure messaging services such as Zix and Office 365 email.
- Defending all systems that process or store sensitive information from inappropriate and malicious software, misconfiguration, and unauthorized access. This generally entails enrolling all end-user devices in a remote management and monitoring toolkit such as Comodo, Kaseya, or Autotask, and/or a Mobile Device Management (MDM) platform such as AirWatch, MaaS360, or Intune—and configuring these tools to enforce the prompt application of software updates, the presence of up-to-date anti-malware tooling, short screen-lock timeouts, and other key security settings. It may also be useful to enroll end-user devices in a tool such as DeepFreeze, which allows PCs to be rapidly restored to a clean configuration at every reboot.
Setting Policies and Procedures
HIPAA compliance is primarily assessed by lawyers, which means your nonprofit is probably going to need to consult with an attorney and/or with a firm that specializes in HIPAA compliance to generate the documentation trail you need to prove compliance. Speaking of documentation, a big part of HIPAA compliance is having a suite of policies and procedures that cover all of these topics:
- Baseline security configuration of all IT systems and platforms—what software should be installed, what settings should be applied, what permissions should be given, etc.
- Software approval and update protocols—a list of the software that is approved for use in the organization; how frequently all software and hardware in use is checked for software/firmware updates; and what procedures are followed to test new software before it is approved, and software updates before they are applied.
- Account management—what must be done to properly onboard new staff and offboard departing staff.
- Data classification and access rules—a list of the various types of personal health information (PHI) the organization handles, who has access to each type, and for what purpose, with an emphasis on making sure that no one ever has more access to PHI than they absolutely need to do their job.
The last important aspect of HIPAA compliance is regular testing of the processes and protections that an organization has established, to confirm that these defenses are actually keeping the PHI the organization works with sufficiently safe. Any HIPAA-compliant organization must perform annual risk assessments, including penetration tests—simulated attacks that test how well the organization is defended against common digital threats.