HIPAA, the Health Insurance Portability and Accountability Act, was passed to secure patient records. It applies to health care providers, hospitals, insurance companies, and any organization that has access to protected health information (PHI), especially electronic health records (EHRs). While EHRs have become a real asset for medical practitioners, making it easier to store and share patient data, EHRs also pose a new challenge for IT professionals who have to meet the informational needs of caregivers while still maintaining privacy as outlined under HIPAA.
Of course, maintaining secure EHRs are only part of HIPAA compliance. The HIPAA Security Rule require healthcare providers to implement a list of 75 security controls to secure databases, applications, and systems that contain electronic PHI. HIPAA compliance goes beyond simply maintaining a secure data infrastructure but also encompasses policies and procedures, audits, and other elements that can be complex to set up and manage. And failure to meet HIPAA security compliance can be costly, starting at $50,000 per violation and ranging up to $1.5 million in fines per year. That’s why healthcare IT professionals are enlisting the help of HIPAA experts to help them stay compliant.
What Does the HIPAA Security Rule Cover?HIPAA regulations cover all aspects of protecting personal data, including secure creation, storage, and transmission of patient files, protection against improper use or disclosure, and ensuring that employees handle ePHI securely. The HIPAA Security Rule also extends to maintaining the integrity of ePHI, which means records cannot be altered or destroyed without proper authorization. The data also has to be available, meaning that any authorized person can have access to ePHI on demand.
According to the Department of Health and Human Services (HHS), the HIPAA Security Rule requires administrative, physical, and technical measures to safeguard ePHI:
1. Administrative SafeguardsThese include security assessment, management, and training. HIPAA regulations require a comprehensive analysis of the potential risks to ePHI so there is a clear inventory of risk levels. Security personnel must be in place, including a security officer who has responsibility for implementing security policies and procedures. There also has to be information access management rules in place to limit access to personal information to the “minimum necessary” based on job function. And there has to be workforce training and management to ensure that all staff members understand and apply the appropriate security policies and procedures. Finally, there has to be a periodic evaluation of all administrative safeguards.
2. Physical SecurityThis is required for facility and systems security. The physical facility must have access control so only authorized personnel are allowed admittance. There also has to be device and workstation security, which includes securing mobile devices; any electronic resource that can access ePHI.
3. Technical SafeguardsThese have to be in place to protect electronic data. These include access control so only authorized personnel have e-PHI access. There have to be audit controls in place to record and monitor access from hardware and software. Integrity controls have to be in place to make sure that e-PHI is not altered or deleted. And there has to be transmission security to protect data in transit.
In addition, HIPAA requires risk analysis and management, as well as documentation and written policies and procedures.
Practical Measures for HIPAA ComplianceTo promote HIPAA security compliance, IT professionals have to be judicious in implementing all 75 security controls outlined in the HIPAA Security Rule. However, they don’t have to tackle it alone.
There are a number of areas where an IT service provider can be an invaluable ally:
1. Independent AssessmentTo ensure regulatory compliance it’s always a good idea to audit the systems before the auditors. An IT service company that is familiar with HIPAA regulations can perform an independent security audit, walking through the HIPAA compliance protocols and identifying potential problems before they turn into fines.
2. Hardware ManagementAn independent IT specialist also makes it easier to manage equipment, including implementing the necessary password protocols and authentication. A service provider can help standardize and manage hardware security and authentication, providing systems with pre-installed security software.
3. Mobile ComputingIncreasingly, healthcare providers are adopting tablets and handheld computers to facilitate on-site patient care; computing devices that can be stolen or misplaced easily. An IT service partner can help with mobile device management, including systems configuration, auditing, data encryption, and even wiping the system remotely if it is lost or stolen.
4. Remote MonitoringAs part of security oversight it’s useful to have an external watchdog. An IT service provider can offer remote monitoring services, watching for data traffic anomalies, maintaining access logs, and looking for other issues that may signal a security problem.
5. Cloud ComputingUsing cloud computing and offsite data storage makes it easier to manage and protect e-PHI. Cloud storage is extremely secure and can be protected with two-tier authentication and data encryption. Cloud systems are also easy to audit, and they are elastic so you can store an ever-increasing set of patient records for as long as regulations or medical practice procedures dictate.
Maintaining a complex IT infrastructure is challenging enough without having to be an expert in HIPAA security compliance as well. Bringing in an outside expert makes it easier to assess and manage data security, including ensuring compliance with HIPAA regulations, and hiring outside an expert will more than pay for itself, especially if you consider the cost of paying the fines if you overlook something.
What are critical ways you have ensured HIPAA compliance in your healthcare organization?