In part 1 of this blog series we looked at what HIPAA is, who is regulated by HIPAA, and what data HIPAA regulates, in this blog we are going to look who checks whether organisations are HIPAA compliant, the penalties for HIPAA violations, and how to become HIPAA compliant using mobile app security testing.

Who checks whether your organisation is HIPAA compliant?

The Office for Civll Rights of the Department of Health and Human Services(OCR) aims to perform its first audits HIPAA business associates in 2016. The OCR examines each organisation on several modules which include privacy, security, and breach notification. More details on the audit protocol here.

Your Customers & Partners will ask for evidence of HIPAA compliance before sharing PHI data with you. Customer audits are a near guarantee and will vary depending on the size of the customer or partner. Customer and partner audits may include:

• Security and compliance questionnaires
• Risk assessment reviews of your answers
• Negotiation of remedial controls and timelines for implementing those controls
• Requests for third-party assessments of your risk and security management program (vulnerability scans, penetration tests, HITRUST/SOC/ISO certifications, etc.)
• Requests for direct evidence of your risk and security management program (policies and procedures, audit logs, training records, subveyndor contracts etc.)

Third-Party Auditors you hire to assess your organisation. Consulting firms will conduct HIPAA-specific assessments or the now established Health Information Trust Alliance (HITRUST) which has a Common Security Framework (CSF) for organisations to create, access, store or exchange sensitive and/or regulated data.

Penalties for HIPAA violations?

The HHS can impose penalties for a violation of any part of the HIPAA rules aside from whether or not there is a breach of PHI.

There is range of financial penalties going from $100 per violation up to $50,000 per violation with a cap of $1.5 million in penalties per year. These are determined by the degree of reasonable cause and wilful negligence that it’s possible demonstrate. For more information on HIPAA violations and Enforcement take a look at the American Medical Association’s page here.

How do we become HIPAA compliant?

This is a problematic question due to the complexity, ambiguity, and uncertainty around HIPAA compliance. Only the OCR is able to determine whether an organisation is compliant and this will be done as the result of an investigation or enforcement action. A ten point plan to becoming HIPAA compliant might involve these questions:

1. Which of the HIPAA rules apply to me.
2. How does our technology stack relates to the rules.
3. What is a strategy that is easy to repeat, and scale, for tracking compliance events. This ought to cover the whole organisation and mobile app considering how to review, track, and log access, as well as documentation, legal contracts, and incident tracking.
4. What sort of risk management framework do I need to begin with a preliminary risk assessment.
5. What are our internal administrative controls.
6. What are our training methodologies and assessments for employees.
7. What security controls do we need to, implement, and maintain.
8. Conduct regular mobile app security testing and reviews of risk policies.
9. Understand how to respond to potential privacy and security incidents.
10. Repeat all of the above at regular intervals.

This is a lot of work, it’s possible to hire in-house, go to consultants, or buy a product that will help to ensure HIPAA compliance. These services range from $50,000 – $100,000+.

Codified Security will help you to meet HIPAA standards for secure mobile app development, for HIPAA mobile app security testing try a demo of Codified Security.