The past year has catalyzed a new era in healthcare, one in which telehealth visits increased because we relied on online communication to stay informed and healthy. That adoption comes with new challenges and considerations, chief among them more electronic health data. This influx is forcing us to re-examine the HIPAA Security Rule to ensure that healthcare entities are actually protecting patient information.
An introduction to the HIPAA security rule
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to improve the efficiency and effectiveness of the US healthcare system and to protect patient privacy. Over the following years, additional rules were added to ensure the protection of protected health information (PHI).
In short, the HIPAA Privacy Rule defines what data must be protected and who must comply, while the Security Rule sets national standards for how electronic PHI (ePHI) must be protected.
The law requires that health care providers, health plans and other covered entities (and their business associates) preserve the confidentiality, integrity and availability of ePHI, and it calls for three types of safeguards: administrative, physical and technical.
Administrative safeguards
Covered entities are required to implement administrative safeguards: the policies and procedures that describe how the organization intends to protect ePHI and ensure compliance with the Security Rule. Examples include preparing a data backup plan and password management procedures, among others. These standards are set out in §164.308 of the Security Rule.
These processes include (but are not limited to) the implementation of the following key standards:
- Security management process: This includes performing a HIPAA risk analysis (§164.308(a)(1)(ii)(A)), which is a required specification, not an optional one. A compliance solutions provider can make this easier; a complete analysis of the business and its systems reveals gaps more effectively and thoroughly than an ad hoc manual review.
- Assigned security responsibility: Appoint a security official responsible for developing and enforcing the security policies and procedures (a role distinct from the privacy officer required by the Privacy Rule).
- Information access management: Restrict access to ePHI to what each role needs. This cuts across the physical and technical safeguards. Managing access limits who can view and copy particular files, regardless of where they live (on-premises servers, cloud storage, etc.).
- Security awareness and training: Require employees to complete periodic (commonly annual) HIPAA training and to learn their organization's specific security procedures. You may wonder why this matters so much: while most people assume attackers are not already inside the organization, human error, such as falling for a phishing email, is one of the most common causes of a breach. Giving employees the knowledge to handle data securely, recognize suspicious emails and drop unsafe habits is essential to maintaining a strong defense.
- Contingency plan: Make sure that processes are in place for future events that affect ePHI, whether an emergency, an outage or a malicious attack such as ransomware. The data backup plan specification (§164.308(a)(7)(ii)(A)) requires covered entities to "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information".
Physical safeguards
The physical safeguards (§164.310) concern both the physical premises of an organization and its electronic equipment.
The policies and procedures cover:
- Facility access controls: Limit physical access to the facilities that house computers and servers. This includes procedures that protect equipment and facilities from unauthorized persons, and a policy for recording and tracking maintenance records and repairs that can affect the physical security of a site.
- Workstation use and security: Protect workstations, meaning any computer and the information on it, with controls such as screen locks after inactivity and privacy screen filters to prevent shoulder surfing.
- Device and media controls: Implement policies governing how devices and media containing ePHI may be moved into, within and out of a facility, and adopt procedures for the secure disposal and re-use of hardware and media that contained ePHI.
Technical safeguards
The technical safeguards (§164.312) comprise the policies and procedures that determine how technology protects ePHI and who controls access to that data. Because of the technical knowledge required to interpret them, this is typically the part of the regulation entities find hardest to understand.
The technical safeguards include the following:
- Access control: Implement technical policies and procedures that allow only authorized persons to access ePHI. This standard also requires that each individual use a unique user ID when accessing ePHI, that an emergency access procedure exist, and (as addressable specifications) that sessions log off automatically after a period of inactivity and that ePHI be encrypted at rest.
- Audit controls: Introduce hardware, software or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
- Integrity controls: Apply policies and procedures, backed by mechanisms such as checksums or message authentication codes, to ensure that ePHI is not improperly altered or destroyed, and that any such alteration is detected.
- Transmission security: Take technical measures that guard against unauthorized access to ePHI in transit over an electronic network, including integrity controls and encryption (for example TLS).
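To make the integrity and audit controls concrete, here is an added example (not code from the original article or any particular vendor) of how an application can seal a stored ePHI record with an HMAC so that out-of-band modification is detected on read, while every read and its verification result is written to an audit log. The record layout, the audit-log fields and the hard-coded key are assumptions for illustration only; a real deployment would draw the key from a key management service.

```python
"""Integrity control (HMAC-SHA256) plus audit logging for stored ePHI records.

Added illustrative example. The record format, key handling and audit-log
layout are assumptions, not HIPAA-mandated formats.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption for the demo only: a real system loads this from a KMS/HSM,
# never from source code or the database that holds the records.
INTEGRITY_KEY = b"example-integrity-key-do-not-use-in-production"

# In-memory audit trail for the example (a real system appends to
# write-once storage so the trail itself cannot be quietly edited).
AUDIT_LOG: list[dict] = []


def canonical(record: dict) -> bytes:
    """Deterministic serialization: identical content always gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the stored envelope: the record plus an HMAC tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def audit(event: str, user_id: str, patient_id: str, ok: bool) -> dict:
    """Append one audit entry: who did what, to which patient's record, and whether it passed."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user": user_id,
        "patient": patient_id,
        "integrity_ok": ok,
    }
    AUDIT_LOG.append(entry)
    return entry


def read_record(envelope: dict, user_id: str) -> dict:
    """Verify integrity before releasing the record; log the attempt either way."""
    ok = verify(envelope)
    audit("read", user_id, envelope["record"]["patient_id"], ok)
    if not ok:
        raise ValueError("integrity check failed: record changed outside the application")
    return envelope["record"]


def demo() -> tuple[bool, bool]:
    """Returns (clean read succeeded, tampered read was detected)."""
    # Constructed sample record, not real patient data.
    record = {"patient_id": "P-0001", "allergies": ["penicillin"], "blood_type": "O+"}
    stored = seal(record)
    clean_ok = read_record(stored, "dr.smith") == record

    # Simulate someone editing the database row directly, bypassing the app.
    tampered = {"record": dict(stored["record"], allergies=[]), "tag": stored["tag"]}
    try:
        read_record(tampered, "dr.smith")
        detected = False
    except ValueError:
        detected = True
    return clean_ok, detected


if __name__ == "__main__":
    print(demo())
    print(json.dumps(AUDIT_LOG, indent=2))
```

Note what this does and does not give you: the HMAC detects any change made around the application (a direct database edit, a corrupted backup), because the editor does not hold the key; a legitimate update made through the application re-seals the record and, like every read, leaves an audit entry naming the user. Detection of a change is only half of the control; the audit log is what lets you answer "who, when and what" afterwards.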
Protect your ePHI
At present, the United States Department of Health and Human Services publicly lists hundreds of cases of entities that failed to protect health information and suffered a breach, each affecting hundreds to tens of thousands of patients, which underlines how serious a single incident can be. Health care information is highly sensitive and demands the strongest protection. The three sets of safeguards in the HIPAA Security Rule may seem difficult to implement and enforce, but with the right partners and the right procedures it is achievable.
Compliance is never a one-off event. You and your organization must commit to ongoing compliance, because the risks of not doing so are far too great. Beyond the hefty fines and penalties, a data breach can dissolve the trust of patients, customers and clients, an even more costly consequence.