The Health Insurance Portability and Accountability Act, otherwise known as HIPAA, is the US federal law that sets the standard for protecting patient health information. You may have heard of instances where patient records were found in a dumpster (multiple times here in San Antonio over the last decade), or of data breaches like the one at a well-known local pediatric clinic, but what does HIPAA mean for providers?
Protection of information is often overlooked by clinics and medical providers. It is rarely intentional: in most cases we find it was a laptop that was lost or stolen and had no encryption to protect the data, or worse, a password written on a sticky note attached to the computer, which renders the encryption useless. These are fundamental principles we guide our medical clients to follow from the day we start providing services for them. We are equally invested in protecting PHI and your health information. We're patients too!
There are four rules to follow for covered entities (medical providers, health plans and clearinghouses) and the business associates that support them.
1. HIPAA Privacy Rule
The first rule delineates when protected health information (PHI) can be used or shared, and with whom.
2. Security Rule
The Security Rule determines how electronic PHI (ePHI) is protected. It is the most technical of the four: it defines administrative, physical and technical safeguards, each with required and "addressable" implementation specifications, without mandating specific products.
3. Enforcement Rule
This rule describes how HIPAA is enforced, how complaints and investigations are handled, and when civil penalties and corrective actions are imposed.
4. Breach Notification Rule
This rule determines when a covered entity must notify affected individuals, the Department of Health and Human Services (HHS) and, in some cases, the media of a breach of unsecured PHI.
Whether you're creating applications for the healthcare industry or merely trying to send an email containing PHI (Protected Health Information), it's critical that you understand these rules and think about all the ways your handling of that information could expose it.
Civil penalties for violating any one of the rules above range from $100 to $50,000 per violation (subject to an annual cap per provision, originally $1.5 million), and each record or message can count as a separate violation. If you sent 500 of those emails, that is going to be a costly mistake. For instance, in 2011 Cignet Health was fined $4.3 million for violating the Privacy Rule, and in 2017 Memorial Healthcare System paid $5.5 million for failing to review the access logs of its systems.
1. Double check if you need HIPAA compliance
PHI is defined as individually identifiable health information that a covered entity or business associate creates, receives, stores or transmits, relating to a person's health condition, the care they received, or payment for that care. This naturally includes names, birth dates and diagnoses, but it also covers medical billing information, lab test results, email and phone records, and appointment scheduling information, as long as they can be tied to an individual.
If that data is going to be stored locally or backed up to the cloud, make sure that your business associate provides the same controls for protecting it and that everything is moved over a secure, encrypted transfer.
For Rx IT Services clients in medical and related fields, we prefer to allow only vendors and products that come with a BAA (Business Associate Agreement), so that patients' information is protected to the same standard everywhere it goes. Whether it's your company financials or a spreadsheet for the company holiday potluck, we defend it with the same level of encryption and handling that we apply to patient data.
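As an added example (not code from the original post or from Rx Technology), here is a small Python check of the kind a mail gateway or application could run before a message containing PHI leaves the organization. It uses regular expressions for the identifiers that have a recognisable shape (SSN, phone, email, date of birth, record number) and then applies the rule above: PHI may stay inside the organization or go to a partner that has signed a BAA, and anything else is blocked so the sender can redact it or use a secure channel. The "MRN-" record-number format, the domain names, the sample email and the BAA-domain list are all assumptions for the example; names and diagnoses in free text are not caught by shape and still need a dictionary or human review.

```python
import re
from dataclasses import dataclass

# Shape-based patterns for a subset of the HIPAA identifiers.  Names, free-text
# diagnoses and addresses cannot be found by regex alone.  The "MRN-" plus
# 6 to 8 digit record-number format is an assumption for this example, not a
# real chart-number standard.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<![\w-])\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,8}\b"),
}

# Constructed sample message; every identifier in it is made up.
SAMPLE_BODY = """Hi Dr. Patel,
Please review the labs for MRN-00483921 (DOB 03/14/1972, SSN 123-45-6789)
and call the patient at (210) 555-0142 to schedule a follow-up. Thanks!"""


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str


def scan_for_phi(text):
    """Return every identifier-shaped token found in the text."""
    return [Finding(kind, m.group(0))
            for kind, pattern in PHI_PATTERNS.items()
            for m in pattern.finditer(text)]


def redact_phi(text):
    """Replace each detected identifier with a placeholder so the rest can be sent."""
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text


def check_outbound_email(body, recipient, internal_domains, baa_domains):
    """Decide whether a message may leave as-is.

    PHI may go to the organisation's own domains, or to an outside domain that
    has signed a BAA and is reached over an enforced-TLS connector (the
    baa_domains set is assumed to list exactly those).  Anything else is
    blocked.  Returns (allowed, reason, findings).
    """
    findings = scan_for_phi(body)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if not findings:
        return True, "no identifier-shaped PHI found", findings
    if domain in internal_domains:
        return True, "PHI stays inside the organisation", findings
    if domain in baa_domains:
        return True, "PHI to a BAA-covered partner over the secure connector", findings
    return False, f"PHI to {domain} with no BAA; redact or use the secure portal", findings


if __name__ == "__main__":
    internal, partners = {"clinic.example"}, set()
    for rcpt in ("billing@clinic.example", "dr.patel@partner.example"):
        allowed, reason, hits = check_outbound_email(SAMPLE_BODY, rcpt, internal, partners)
        print(rcpt, "->", "ALLOW" if allowed else "BLOCK", "|", reason, "|", [h.kind for h in hits])
    print(redact_phi(SAMPLE_BODY))
```

A real deployment would put the decision in the mail gateway rather than in user-land code, log every block for the audit trail, and tune the patterns against your own record-number and scheduling formats; false negatives on names are the reason such a check complements, rather than replaces, staff training.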
2. The Security Rule
The HIPAA Security Rule is only a few pages long, but its requirements are sophisticated, and a good IT support vendor can help you navigate them. It groups its safeguards into three categories: administrative, physical and technical.
The administrative safeguards ensure that you are classifying health information correctly, assigning security roles and responsibilities for protecting that data, training employees on HIPAA, performing a risk analysis, and maintaining those practices on an ongoing basis. They also cover how and with whom you share that information, and that those parties are themselves compliant and have signed a BAA acknowledging the relationship.
The technical safeguards have three main areas to consider.
First, how are you handling PHI and what access controls are in place? Does each user have their own account? Can employees stay logged in indefinitely without an automatic lockout? Does staff share a central workstation without logging out?
The second area is protection of the data itself. Is it encrypted end to end: at rest on the originating device, and in transit over a secure, encrypted channel?
The final area is auditing. You need a plan to regularly review access logs and audit your systems so that these safeguards stay in place. For larger institutions we offer continuous monitoring that watches for anomalies or changes in process that could lead to unintended exposure; for most practices, a quarterly scan and report is sufficient.
Physical safeguards are probably the easiest but most often overlooked. How easy is it to reach the servers holding the data? One organization we worked with had a walled-in area with controlled access, 5,000 lb. door locks, and active monitoring of the log entries for everyone who entered the room. There was just one ventilation problem. The locked metal door to the server room had an equalizing vent in its bottom half. An electric screwdriver and about 30 seconds gave us physical access to the server, with no log entry to prove it. It's the little things, but sometimes it just takes a different set of eyes to spot these issues and correct the oversight.
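As an added example illustrating the access-control and audit questions above (not code from the original post or from Rx Technology), the following Python script reviews a constructed day of EHR access-log events for the things an auditor looks for: record views outside clinic hours, a second user logging into a workstation while the first is still logged in, sessions that stayed open longer than the automatic-logoff policy, and one user pulling up an unusually large number of distinct patient records in a short window. The log format, user and workstation names, patient ids, and the thresholds (07:00 to 19:00 clinic hours, 15-minute auto-logoff, more than 5 patients in 10 minutes) are assumptions for the example; your own EHR export and policy values go in their place.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one day of EHR access events for a small clinic.
# Columns: timestamp, user, workstation, event (login/view/logout), patient id.
# Format, users, workstations and patient ids are invented for this example.
SAMPLE_LOG = """\
2024-03-04T07:58:10,nurse1,WS-FRONT,login,-
2024-03-04T08:02:31,nurse1,WS-FRONT,view,P1001
2024-03-04T08:15:47,nurse1,WS-FRONT,view,P1002
2024-03-04T08:40:05,drsmith,WS-FRONT,login,-
2024-03-04T08:41:12,drsmith,WS-FRONT,view,P1002
2024-03-04T08:55:00,drsmith,WS-FRONT,logout,-
2024-03-04T17:30:00,nurse1,WS-FRONT,logout,-
2024-03-04T22:14:09,billing2,WS-BACK,login,-
2024-03-04T22:15:01,billing2,WS-BACK,view,P1003
2024-03-04T22:15:40,billing2,WS-BACK,view,P1004
2024-03-04T22:16:12,billing2,WS-BACK,view,P1005
2024-03-04T22:16:55,billing2,WS-BACK,view,P1006
2024-03-04T22:17:30,billing2,WS-BACK,view,P1007
2024-03-04T22:18:03,billing2,WS-BACK,view,P1008
2024-03-04T22:19:44,billing2,WS-BACK,logout,-
"""

def parse_log(text):
    """Parse the CSV export into dicts, oldest event first."""
    events = []
    for ts, user, ws, event, patient in csv.reader(io.StringIO(text)):
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ws": ws,
                       "event": event, "patient": None if patient == "-" else patient})
    return sorted(events, key=lambda e: e["ts"])

def after_hours_access(events, open_hour=7, close_hour=19):
    """Record views outside the assumed 07:00-19:00 clinic hours."""
    return [e for e in events
            if e["event"] == "view" and not open_hour <= e["ts"].hour < close_hour]

def shared_workstation_without_logout(events):
    """A login on a workstation while a different user is still logged in there."""
    active = {}   # workstation -> user currently logged in
    findings = []
    for e in events:
        if e["event"] == "login":
            prev = active.get(e["ws"])
            if prev and prev != e["user"]:
                findings.append((e["ws"], prev, e["user"], e["ts"]))
            active[e["ws"]] = e["user"]
        elif e["event"] == "logout" and active.get(e["ws"]) == e["user"]:
            del active[e["ws"]]
    return findings

def sessions_exceeding_idle_timeout(events, idle=timedelta(minutes=15)):
    """A session with a gap between events longer than the assumed 15-minute
    automatic-logoff policy: the workstation stayed open instead of locking."""
    last_seen = {}   # (user, workstation) -> timestamp of the previous event
    findings = []
    for e in events:
        key = (e["user"], e["ws"])
        if e["event"] == "login":
            last_seen[key] = e["ts"]
        elif key in last_seen:
            gap = e["ts"] - last_seen.pop(key)
            if gap > idle:
                findings.append((e["user"], e["ws"], gap))
            if e["event"] != "logout":
                last_seen[key] = e["ts"]
    return findings

def bulk_record_access(events, max_patients=5, window=timedelta(minutes=10)):
    """One user viewing more distinct patients within the window than a
    treatment relationship would explain (snooping or bulk export)."""
    views = defaultdict(list)
    for e in events:
        if e["event"] == "view":
            views[e["user"]].append(e)
    findings = []
    for user, evs in views.items():
        recent = deque()
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = {r["patient"] for r in recent}
            if len(distinct) > max_patients:
                findings.append((user, e["ts"], len(distinct)))
                break   # one finding per user is enough for the report
    return findings

def review(log_text):
    """Run every check and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {"after_hours": after_hours_access(events),
            "shared_workstation": shared_workstation_without_logout(events),
            "idle_timeout": sessions_exceeding_idle_timeout(events),
            "bulk_access": bulk_record_access(events)}

if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(f"{check}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample, the script flags billing2's six after-hours views and the burst of six different charts, drsmith logging into the front desk workstation while nurse1 was still signed in, and nurse1's session sitting open for over nine hours. Each finding is a question for the practice manager, not a verdict: a nurse covering a late clinic or a biller reconciling a batch may be legitimate, and the point of the quarterly review is that someone actually asks.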
3. Check for service provider agreements and hosting compliance
If you are going to use an outside IT support company, it's imperative that they, and any products and services they use, are HIPAA compliant. Do they sign a BAA covering that data? Do they understand and agree that they have access to PHI and must be compliant?
Be sure to check this carefully before signing a contract with an IT service provider. Many providers avoid PHI entirely to steer clear of the fines for noncompliance. Others are dedicated to HIPAA compliance and can help with the physical, administrative and technical safeguards required.
4. Verify any potential HIPAA violations
Consider the most common HIPAA violations that occur in applications and online infrastructure, such as unencrypted devices, shared logins, unreviewed access logs and PHI sent over unsecured email, and how technology can prevent them. By building safeguards in for each of these, you will avoid much hassle and many headaches later.
5. Get third-party audits
Regular third-party audits help ensure that your organization remains HIPAA compliant and is not at risk of expensive fines. That review should consist of a network assessment, a physical vulnerability check, workflow analysis, and confirmation that employees follow best practices and understand that a few seconds of saved time can mean a violation.
Rx Technology is a technology consultant providing HIPAA compliance guidance across its suite of products and services. With over 20 years of experience in IT infrastructure and support, it has become a model of excellence in handling and protecting patient information.