Although there are severe consequences for an organization that does not meet the HIPAA standards, many healthcare professionals and stakeholders do not fully appreciate the significance of this piece of legislation in their day-to-day operations. For an organization that collects and stores health information, failure to meet these standards can lead to disastrous consequences, including large fines, sanctions, and a tarnished reputation. Becoming HIPAA compliant and maintaining HIPAA compliance standards can be a cumbersome feat as organizations now, more than ever, heavily rely on electronic channels and cloud services to gather, store, and share confidential patient data.
What Exactly is HIPAA?
The Health Insurance Profitability and Accountability Act (HIPAA) dictates how patient data is to be stored and protected in the United States. Under this act, any organization that stores, processes, or transfers protected health information (PHI) must ensure that specific administrative, technical, and physical safeguards are in place. In short, by law, any organization or business that has access to personal health information (PHI) must ensure that HIPAA administrative safeguards have been implemented.
The Health Insurance Portability and Accountability Act is a five-pronged piece of legislation intended to safeguard individuals’ personal health data and their access to health insurance. It is enforced by the US Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR).
What is the HIPAA Security Rule?
In order to safeguard patient health data, the US Department of Health and Human Services (HHS) was directed under Title II of HIPAA, to develop a series of guidelines and standards. In addition, the HHS developed two decrees to ensure these new guidelines and standards were clear and effective. Today, they are known as the HIPAA Privacy Rule and the HIPAA Security Rule.
As the official title of the HIPAA Security Rule suggests, the HIPAA Security Rule was created in order to define the exact stipulations required to safeguard electronically Protected Health Information (ePHI). In other words, the Security Rule regulates how this information is stored, secured, and transmitted between electronic devices.
There are three categories of standard protections that need to be assessed when it comes to implementing the measures of the HIPAA Security Rule.
1. Technical Safeguards for PHI
Technical safeguards refer to the technical aspects of any networked computers or devices that transmit information containing ePHI when communicating with each other, including enhanced network security, perimeter firewalls, access control, authentication protocols, etc. The HIPAA technical requirements can be broken down into the following four categories:
Access Control: These controls are central to regulating and delegating who is able to access ePHI. Limiting ePHI access to authorized persons helps prevent the misuse of patient data both intentionally, and unintentionally — due to negligence.
Audit Control: Covered entities and their business associates are required to record and examine access to ePHIby collecting logs across applications, software, and infrastructure.
Integrity Control: Integrity controls refer to electronic measures for verifying that ePHI has not been inappropriately destroyed or altered.
Encryption and Transmission Security: Whenever a covered entity transmits or receives ePHI via an electronic network, care must be taken to ensure it remains protected at all times.
Note: These technical safeguards are obligatory for all covered entities at all times. Regardless of whether ePHI is being used, transmitted, or stored, it must be governed by the above HIPAA-required safeguards.
2. Physical Safeguards for PHI
Physical safeguards refer to how physical controls are implemented into digital devices that store ePHI. These safeguards were designed to prevent devices that are used to access PHI from falling into the wrong hands. These physical requirements can be broken down into the following categories:
Facility Security Measures: These safeguards ensure that facility monitoring, maintenance, alarms, and authorized personnel restrictions are implemented and up-to-date.
Workstation and Device Security: Employees must have a relevant level of authorization in order to access ePHI, these measures ensure only qualified personnel are granted access to patient data.
Electronic Media Disposal Policies: Any media containing PHI must be wiped/destroyed in a way that does not expose that data to unauthorized personnel.
Although organizations that utilize public cloud platforms such as Amazon Web Services (AWS) and Microsoft Azure will see many physical security standards within their signed Business Associates Agreement (BAA), nevertheless, it is an organization’s responsibility to ensure that portable devices containing PHI are secured.
3. HIPAA Administrative Requirements
Administrative safeguards cover how enterprises create and manage security policies and procedures, to ensure they comply with the Security Rule. HIPAA administrative requirements can be broken down into the following five categories:
Security Management Process: Any organization that handles ePHI must have an established process and timeline for identifying, analyzing, and reducing risks.
Security Personnel: It is an organization’s responsibility to appoint individuals, responsible for developing and implementing HIPAA compliance policies and procedures. Teams must appoint a Security Officer and a Privacy Officer to manage HIPAA security standards.
Workforce Training: All employees who come into contact with PHI need to be educated about their organization’s security policies. This includes being informed of disciplinary actions to be taken against employees who violate them.
Note: Policies should be written in plain-English to ensure all employees can understand them. Additionally, teams should set realistic goals that fit into their organization’s budget and capabilities.
Risk Assessment: Organizations must conduct periodic self-assessments in relation to how well it secures PHI and what improvements can be made.
Information Access Management System: Organizations must restrict PHI access to only those roles that require it. Access restrictions should be in the form of policies and technical/physical limitations.
Contingency Planning: Organizations must have a Backup and Disaster Recovery (DR) plan in place to avoid potential data loss.
HIPAA Security Rule Checklist
Be sure to consider the following checklist to ensure you’re in compliance with the HIPAA Security Rule:
- Perform a complete risk assessment on existing infrastructure
- Safeguard machines with anti-virus protection, firewalls, access control, VPNs, SSL certificates, and related technologies.
- Establish a daily backup system.
- Develop disaster recovery (DR) and business continuity plans.
- Adopt security policies and procedures for all of your operations, to include confidentiality statements, individually identifying information of system users, passwords, automatic logoff, acceptable use, email internet usage, authentication of workstations, monitoring and documenting unauthorized access, audit trails of users, sanctions for misuse or disclosure and termination checklists.
- Review physical security and address any potential risks as necessary.
- Write and provide job descriptions for Privacy Officer and Security Officer roles, as required by HIPAA.
- Review and update administrative policies annually (at the minimum).
Dash and the HIPAA Security Rule
If the requirements put in place by HIPAA and enforced by HHS seem intimidating — that’s because they are supposed to be. Their effectiveness and enforcement depend on strict guidelines.
Featuring an in-house team of compliance and cloud experts, Dash provides HIPAA cloud solutions that enable an organization to comfortably configure and manage HIPAA in Amazon Web Services, Microsoft Azure and the public cloud.
For any more questions surrounding the HIPAA Security Rule, head on over to Dash ComplyOps, and request a demo. Dash deploys to your cloud environment, and provides compliance management solutions including administrative policies, cloud security controls, and policy enforcement, in order to make it easily maintain compliance.