The Health Insurance Portability and Accountability Act (HIPAA) was one of the most sweeping regulatory mandates in the history of IT. It applies to every business and every person who handles IT. That’s why everyone, from owners to office managers, needs to understand the risks of ignoring HIPAA, especially given today’s technology.
When HIPAA was enacted in 1996, the use of technology was nothing like it is today. Less than 10% of the population had a mobile phone, and those phones had nowhere near the features we enjoy today. Less than twenty years later, we now have everywhere-internet, texting, email and a high-quality camera with us nearly all the time.
But what are the possible repercussions when it comes to “Protected Health Information” (PHI) security? How do you protect your business from a breach and the fines that would follow?
Let’s start with a simple definition of HIPAA:
HIPAA was enacted in 1996 and sets the standard for protecting sensitive patient (and employee) data. Any company that deals with protected health information (PHI) must ensure that all required physical, network and process security measures are in place. This includes anyone who provides treatment, payment and operations in healthcare, along with any business associate, contractor or subcontractor with access to the patient/employee information.
HIPAA addresses how you save, access and share medical and personal information for any individual or employee. The HIPAA Security Rule specifically covers security standards to protect health data created, maintained, transmitted and received electronically (ePHI).
You need to protect the privacy and security of ePHI and employee records. There are four rules you need to know:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
The HIPAA Privacy Rule and the HIPAA Security Rule require appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI.
There are technical safeguards that focus on the technology that protects ePHI and controls access to it. The standards of the Security Rule are “technology neutral” and do not require you to use a specific technology. This covers Access Control, Audit Controls, Integrity, Authentication and Transmission Security. As you dig into these five standards, there are a few key things you need to look at.
- Unique User Identification
- Emergency Access Procedures
- Automatic Logoff
- Encryption and Decryption
- Procedural mechanisms that record and examine activity
- Authentication that a person or entity seeking access is the one claimed.
Physical Safeguards also come into play; they are a set of rules and guidelines that focus on physical access to PHI and ePHI. They cover Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. As you dig into these standards, there are a few key things to look at.
- Contingency Operations that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plans.
- Facility Security to safeguard the facility and equipment from unauthorized access, tampering and theft.
- Access Control & Validation to control/validate a person’s access to a facility or system.
- Maintenance Records
- Workstation Use and Security
- Device and Media Accountability, Back-up and Disposal
The HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings, and the Breach Notification Rule requires a company to notify patients/employees when there is a breach of unsecured PHI or ePHI. It also requires entities to promptly notify HHS of any breach, and to notify the media and the public if the breach affects more than 500 people.
In March of 2013, regulations were enacted within HIPAA to address concerns relating to patient privacy and the security of electronic protected health information (ePHI). The most significant changes concerned the use of technology and required the implementation of physical, technical and administrative safeguards.
- The Physical HIPAA safeguards require a facility security plan which protects the computer systems on which encrypted ePHI is maintained against fire, theft and natural hazards.
- The Technical HIPAA safeguards require that mechanisms are introduced to monitor access to ePHI stored on computer systems, and provide audit trails to trace how it is communicated.
- The Administrative HIPAA safeguards require that a dedicated system administrator is appointed to develop best practice policies on accessing or communicating ePHI. They are also responsible for carrying out risk assessments to identify any threats.
Mechanisms exist to meet the requirements of HIPAA safeguards. Many covered entities have implemented compliant messaging technology to keep communications safe, predominantly apps for secure messaging which allow access to ePHI via a software-as-a-service (“SaaS”) or “On Demand” platform.
Secure messaging platforms have administrative controls to safeguard integrity and fulfill technical HIPAA safeguards, such as retracting messages which may result in a breach or the ability to remotely remove a mobile device from the system if it is lost or stolen.
Although these solutions were developed to aid in the use of technology for HIPAA compliance, many of them have enhanced staff workflows, increased productivity and raised the overall standard of patient healthcare.
- Automatic delivery notifications/read receipts help eliminate phone tag.
- Medical professionals can collaborate securely from any desktop computer or mobile device.
- Telemedicine physicians, home health associates, and emergency personnel can now communicate securely.
Make putting these safeguards in place to protect patient and employee health information a priority, and rest easy knowing that your business is protected. A few more tips:
- Limit use and sharing of PHI to the minimum necessary to accomplish a task.
- Have agreements in place with all of your service providers.
- Implement training for you and your employees about how to protect your information.
- Have a tested plan for recovery in the event of a disaster, equipment downtime/failure, employee error or virus attack.
It’s a lot of information and it can seem overwhelming. But don’t put off learning how this affects your practice and how you need to prepare. If you have questions, please call me at 856-287-1866 or email me. radius180 is here to help walk you through the process.
This blog is not a HIPAA compliance checklist. You should assign a Privacy Officer to review HIPAA requirements. The U.S. Department of Health and Human Services is a great place to start.