HIPAA – the Health Insurance Portability and Accountability Act
According to the U.S. Department of Health and Human Services, HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. HIPAA and PCI Compliance closely mimic each other and E-Complish is proud to be compliant with both.
Failure to comply with HIPAA regulations can result in substantial fines being issued and/or criminal charges and civil action lawsuits being filed should a breach of PHI occur.
There are three parts to compliance: Technical, Physical and Administrative safeguards. Check out the steps that E-Complish takes to maintain HIPAA compliance.
The Technical Safeguards concern the technology that is used to protect PHI and provide access to the data. The only requirement is that PHI must be encrypted to NIST standards once it travels beyond an organization's servers. This is a requirement so that any breach of confidential patient data renders the data incomprehensible, undecipherable and unusable. Below is a listing of requirements:
- Implement a means of access control:
Assign each user a unique username and PIN code that is issued and managed centrally.
- Introduce a means to authenticate PHI:
This is essential in order to comply with HIPAA regulations as it confirms whether PHI has been altered or destroyed in an unlawful manner.
- Implement tools for encryption and decryption:
This standard relates to the procedures used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and decrypt those messages when they are received.
- Maintain activity audit controls:
The audit controls are required to register attempted access to PHI and record what is done with that data once it has been accessed.
- Facilitate automatic logoff:
This function logs authorized personnel off the device they are using to access PHI after a specified period of inactivity. This avoids unauthorized access to PHI should the device be left unattended.
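The four requirements above that are mechanisms rather than policy (unique user identifiers with access control, authentication of PHI, audit controls and automatic logoff) are easiest to see together in one place. The following is an added example, not E-Complish's code: a small gateway that mediates every read and write of PHI records. Integrity of each record is verified with an HMAC tag bound to the record identifier, every access attempt and its outcome is written to an audit log, and a session that has been idle longer than the limit is discarded on its next use. The user names, record contents, key and 15-minute timeout are constructed for illustration; encryption of PHI in transit is not shown and should come from a vetted library rather than hand-written code.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_TIMEOUT_SECONDS = 900  # assumed inactivity limit (15 minutes); constructed for this example


@dataclass
class Session:
    user_id: str
    last_activity: float


class IntegrityError(Exception):
    """Raised when a stored PHI record no longer matches its authentication tag."""


class PHIGateway:
    """Mediates every read/write of PHI so each safeguard is enforced in one place."""

    def __init__(self, integrity_key, clock=time.monotonic):
        self._key = integrity_key   # secret HMAC key; hold it in a KMS/HSM in production
        self._clock = clock         # injectable so the demo can simulate idle time
        self._records = {}          # record_id -> (data, tag)
        self._acl = {}              # user_id -> set of readable record_ids
        self._sessions = {}         # token -> Session
        self.audit_log = []         # list of dicts: who did what to which record, and the outcome

    # --- access control: one unique identifier per user, explicit per-record grants ---
    def grant(self, user_id, record_id):
        self._acl.setdefault(user_id, set()).add(record_id)

    def login(self, user_id):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        self._audit(user_id, "login", None, "ok")
        return token

    # --- automatic logoff: an idle session is dropped the next time it is presented ---
    def _session_user(self, token):
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("no such session")
        now = self._clock()
        if now - session.last_activity > SESSION_TIMEOUT_SECONDS:
            del self._sessions[token]
            self._audit(session.user_id, "auto_logoff", None, "timeout")
            raise PermissionError("session expired")
        session.last_activity = now
        return session.user_id

    # --- PHI authentication: the HMAC tag binds the bytes to their record id ---
    def _tag(self, record_id, data):
        msg = len(record_id).to_bytes(4, "big") + record_id.encode() + data
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def store(self, token, record_id, data):
        user_id = self._session_user(token)
        self._records[record_id] = (data, self._tag(record_id, data))
        self.grant(user_id, record_id)
        self._audit(user_id, "store", record_id, "ok")

    def read(self, token, record_id):
        user_id = self._session_user(token)
        if record_id not in self._acl.get(user_id, set()):
            self._audit(user_id, "read", record_id, "denied")
            raise PermissionError(f"{user_id} may not read {record_id}")
        data, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, data)):
            self._audit(user_id, "read", record_id, "integrity_failure")
            raise IntegrityError(f"record {record_id} has been altered")
        self._audit(user_id, "read", record_id, "ok")
        return data

    # --- audit controls: every attempt is recorded, successful or not ---
    def _audit(self, user_id, action, record_id, outcome):
        self.audit_log.append({"ts": self._clock(), "user": user_id, "action": action,
                               "record": record_id, "outcome": outcome})


def demo():
    """Walk through the safeguards with a fake clock; returns the outcomes for checking."""
    now = [1000.0]
    gw = PHIGateway(integrity_key=secrets.token_bytes(32), clock=lambda: now[0])
    dr = gw.login("dr_alice")  # constructed user ids
    gw.store(dr, "pt-0001", b"constructed sample record: dx=J45.909")
    outcomes = {"own_read": gw.read(dr, "pt-0001")}

    clerk = gw.login("clerk_bob")
    try:
        gw.read(clerk, "pt-0001")  # no grant: denied and audited
    except PermissionError:
        outcomes["unauthorized"] = "denied"

    # simulate tampering with the stored bytes while the old tag stays in place
    _, old_tag = gw._records["pt-0001"]
    gw._records["pt-0001"] = (b"constructed sample record: dx=Z00.00", old_tag)
    try:
        gw.read(dr, "pt-0001")
    except IntegrityError:
        outcomes["tampered"] = "detected"

    now[0] += SESSION_TIMEOUT_SECONDS + 1  # idle past the limit
    try:
        gw.read(dr, "pt-0001")
    except PermissionError:
        outcomes["idle"] = "logged_off"

    outcomes["audit_outcomes"] = [e["outcome"] for e in gw.audit_log]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The audit log is the piece auditors ask for first: it records the denied read and the integrity failure as well as the successful accesses, which is what "register attempted access to PHI" requires. The HMAC check is what distinguishes a record that was altered on disk from one that was legitimately rewritten through the gateway, since only the gateway holds the key.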
The Physical Safeguards focus on physical access to Protected Health Information (PHI). PHI could be stored in a data center, in the cloud, or on servers which are located within the premises of the HIPAA covered entity. It also specifies how workstations and mobile devices should be secured against unauthorized access:
- Facility access controls must be implemented:
Procedures have to be introduced to record any person who has physical access to the location where PHI is stored. The procedures must also include precautions against unauthorized physical access, tampering, and theft.
- Policies relating to workstation use:
Policies must be devised and implemented to restrict the use of workstations that have access to PHI. This includes how a workstation is positioned and shielded so that its screen cannot be viewed by unauthorized persons.
- Policies and procedures for mobile devices:
If mobile devices are allowed access to PHI, policies must be devised and implemented to govern how PHI is removed from the device before it is re-used.
- Inventory of hardware:
An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of PHI must be made before any equipment is moved.
The Administrative Safeguards are the policies and procedures that bring the Privacy Rule and the Security Rule together. Like PCI Compliance with regard to credit card processing and security, the elements of HIPAA compliance require that a Security Officer implement measures to protect PHI. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance. The administrative safeguards include:
- Conducting risk assessments:
The compilation of a risk assessment is to identify every area in which PHI is being used, and to determine all the ways in which breaches of PHI could occur.
- Introducing a risk management policy:
The risk assessment must be repeated at regular intervals. A policy for employees who fail to comply with HIPAA regulations must also be introduced.
- Training employees to be secure:
Training schedules must be introduced that raise awareness of the policies and procedures governing access to PHI and how to identify malicious software attacks and malware.
- Developing an emergency plan:
In the event of an emergency, an incident plan must be ready to enable the continuation of critical business processes while protecting the integrity of PHI as the organization operates in emergency mode.
- Testing of emergency plan:
The plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of PHI and procedures to restore lost data in the event of an emergency.
- Restricting third-party access:
It is the role of the Security Officer to ensure that PHI is not accessed by unauthorized organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to PHI.
- Reporting security incidents:
The reporting of security incidents is different from the Privacy Notification Rule below. These incidents can be contained and data retrieved before the incident develops into a breach. Nonetheless, all employees should be aware of how and when to report an incident in order that action can be taken to prevent a breach whenever possible.