The Health Insurance Portability and Accountability Act (HIPAA) was enacted and signed into law by President Bill Clinton on August 21, 1996.
HIPAA defines specific requirements for protecting patient privacy and health information. This protected patient information is referred to as PHI (Protected Health Information), ePHI (Electronic Protected Health Information), or IIHI (Individually Identifiable Health Information).
While customer privacy and cybersecurity matter in every industry, they are especially important in healthcare, which remains one of the largest targets for data theft. Health data, including patient medical records, is among the most valuable data on the black market, so adhering to HIPAA (and running a HIPAA security risk assessment regularly) is more important now than ever.
So, what exactly does it mean to be HIPAA compliant? Let’s take a closer look at each segment of the act.
Does HIPAA Apply To Me?
HIPAA involves the following three parties:
- Patients
- Covered entities (CE)
- Business associates
The patient is who HIPAA was designed to protect. The main goal of HIPAA is to keep their information (PHI) private and secure.
There are 18 “identifiers” that make health information PHI (the same list the Privacy Rule’s Safe Harbor de-identification standard requires you to remove):
- Names
- Addresses (geographic subdivisions smaller than a state)
- Dates (other than year) directly related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Full-face photographic images and comparable images
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voice prints)
- Any other unique identifying number, characteristic, or code
Covered entities (CEs): organizations that create, receive, or electronically transmit protected health information (PHI), including:
Healthcare Providers
Healthcare providers, including hospitals, doctors’ offices, and telehealth services involved in patient care, must be in compliance with HIPAA regulations at all times.
Health plans, insurers, and clearinghouses
Health plans, insurers, and clearinghouses handle PHI from many patients and are therefore considered CEs.
Business Associates (BAs): vendors, contractors, and subcontractors that handle PHI on behalf of covered entities must also be HIPAA compliant.
Business associate categories include vendors and third-parties such as:
- Software vendors
- Legal
- Finance
- Accounting
- Actuarial
- Data Aggregation
- Consulting
- Accreditation
- Management/Administrative
Startups and software development companies
Startups and software development companies that receive, store, or process PHI on behalf of CEs (health providers, hospitals, and insurance companies) are usually considered BAs and need to be HIPAA compliant.
Note: signing a Business Associate Agreement (BAA) alone doesn’t make your organization HIPAA compliant. At the same time, using software that is HIPAA compliant doesn’t necessarily mean you’re in compliance either.
In order to ensure your business is in total compliance with HIPAA, you must do the following:
1. Perform a security risk assessment: Any business that wishes to become HIPAA compliant must do this first and foremost. Security risk assessments are designed to help your business better understand how ePHI is created, maintained, received, and transmitted.
Even if you do not directly handle ePHI, if your team has administrative or remote access to a client’s network or systems, you have access to sensitive data (even if it is encrypted) and therefore need to be HIPAA compliant.
2. Create a risk mitigation plan: Once you have successfully completed a security risk assessment, you’ll then need to use that data to put together a risk mitigation plan. In your risk mitigation plan, you’ll need to address and mitigate all of the issues discovered throughout the security assessment.
3. Last but not least, you need to get your safeguards in order: This is an extensive process; be sure to keep reading as we break it down in detail.
What are the HIPAA safeguards?
HIPAA compliance mainly consists of a series of policies, procedures, and thorough documentation outlined via various rules.
The HIPAA Security Rule
The HIPAA Security Rule defines the specific requirements for safeguarding electronic protected health information (ePHI).
Under the HIPAA Security Rule, healthcare organizations must ensure that specific data security policies are in place, including administrative, physical, and technical safeguards.
Administrative Safeguards
Administrative policies cover how an enterprise creates and manages its employee policies and procedures, ensuring they comply with the Security Rule. For best results, be sure your policies include the following topics:
Risk Assessment: The Security Rule requires a risk analysis and periodic re-evaluation; most organizations perform one at least yearly and whenever their environment changes materially. Create a process that describes how you will respond to the findings of each assessment. Consider having a third party perform the analysis so that no internal bias is present, then carefully go over the results and make adjustments.
Security Roles: Appoint a HIPAA security officer and a privacy officer. The security officer sets the technical security standards that keep PHI protected. The privacy officer is in charge of the HIPAA administrative standards, including staff training and policy maintenance. In a small organization, both roles may be held by one person.
Staff Training: HIPAA requires training within a reasonable period after an employee joins, plus periodic security awareness reminders. A common practice that satisfies this is training within 90 days of hire and refresher training once a year.
Incident Response Plan: An incident response plan must be in place that can be acted on quickly in the event of a security incident or breach. The plan should explain how staff and clients can report a potential security threat, and how your security team will triage, review, and resolve incidents.
Disaster Recovery (DR) Plan: Backup and disaster recovery measures must be in place so that PHI remains available and intact in case of data deletion or outages. Test your disaster recovery processes regularly to confirm that all PHI is securely backed up and can actually be restored.
Business Associate Agreement (BAA): A business associate agreement must be in place with every vendor that handles PHI in order to be compliant with HIPAA.
Physical Safeguards
Physical safeguards are the physical controls that protect the facilities, servers, workstations, and other devices that hold ePHI, and how those controls are implemented. All physical servers and machines must be secured, and employee access restrictions must be in place.
Utilize HIPAA Secure Infrastructure: PHI must be stored on HIPAA-compliant infrastructure in order to build HIPAA-compliant applications. Cloud providers such as Amazon Web Services (AWS) will sign a business associate agreement that lets teams build compliant solutions under the shared responsibility model. When selecting a cloud or hosting provider, only consider a reputable provider that is willing to sign a BAA and that meets the necessary physical and technical safeguards.
Mobile Devices and Removable Media Security: Mobile devices, including phones, laptops, and USB drives, must be secured if they store PHI. All workstations and portable devices that store PHI must be encrypted, restricted to necessary personnel, and equipped with automatic logoff. When PHI is no longer needed on a mobile device, the device must be securely wiped or, if necessary, destroyed. A team can limit its mobile-device exposure by architecting its systems so that PHI is stored and processed exclusively in the (secured) cloud rather than on endpoints.
Facility Access: Physical access to PHI must remain restricted at all times. An organization that operates in the public cloud must ensure that the provider’s facility access restrictions are covered in the business associate agreement. If PHI is stored on-premises or on local workstations, facility access requirements must be addressed directly.
Technical Safeguards
All networked computers and devices that transmit ePHI to each other must be secured.
Encryption: Encryption is an “addressable” specification under the Security Rule, which in practice means you must encrypt PHI both at rest and in transit, or document why an equivalent alternative is reasonable and appropriate. In short, all PHI must be stored on encrypted volumes and transmitted over TLS (SSL is deprecated and should not be used) when it crosses the internet or other networks.
Controlling Access: Access to PHI must be limited to the minimum number of people necessary (the “minimum necessary” standard). Implement strict access controls so that staff members have no more access to PHI than their duties require. For best results, implement role-based access control on every application and system that stores PHI.
Audit Logging: HIPAA requires that you diligently collect logs of all access to and modification of PHI. Collect these logs and events from cloud infrastructure, operating systems (OS), and the application layer. Note that logs containing PHI identifiers are themselves PHI: they must be encrypted and their access limited to necessary personnel.
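The two safeguards above (least-privilege access to PHI and an audit trail of that access) are easiest to get right when they are enforced in the same code path. The following is an added example, not code from the original article or from Dash: a small role-based access check that returns only the fields a role needs, and an audit event for every attempt (allowed or denied) in which the record identifier is replaced with a keyed pseudonym and free-text notes are scrubbed of identifier patterns so the log does not itself become unprotected PHI. The roles, the record store, the audit key, and the regular expressions are assumptions made for the example.

```python
"""Least-privilege PHI access with a PHI-safe audit trail (added example)."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Role -> permitted actions. Assumed, minimal policy for the example.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing": {"read_billing"},
    "support": set(),  # help-desk staff get no direct PHI access
}

# Constructed sample record store; every value is fake.
PATIENT_RECORDS = {
    "mrn-00042": {
        "name": "Jane Doe",
        "ssn": "123-45-6789",
        "diagnosis": "Hypertension",
        "balance_due": 120.00,
    },
}

# Key for pseudonymizing record identifiers in the log. Assumed; in
# production it comes from a secrets manager and is rotated, never hard-coded.
AUDIT_KEY = b"example-audit-key-rotate-me"

AUDIT_LOG: list[dict] = []

# Identifier patterns that must never land in a log line (assumed set;
# extend to the identifiers your application actually handles).
_PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\bmrn-\d+\b", re.IGNORECASE), "[MRN]"),
]


def scrub(text: str) -> str:
    """Mask identifier patterns in free text before it is written to a log."""
    for pattern, label in _PHI_PATTERNS:
        text = pattern.sub(label, text)
    return text


def pseudonym(record_id: str) -> str:
    """Stable keyed pseudonym: auditors can correlate events without seeing the MRN."""
    return hmac.new(AUDIT_KEY, record_id.encode(), hashlib.sha256).hexdigest()[:16]


def audit(user: str, role: str, action: str, record_id: str, outcome: str,
          note: str = "") -> dict:
    """Append one structured audit event; never stores the raw identifier."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "record": pseudonym(record_id),
        "outcome": outcome,
        "note": scrub(note),
    }
    AUDIT_LOG.append(event)
    return event


class AccessDenied(PermissionError):
    """Raised when the role's permissions do not include the requested action."""


def access_phi(user: str, role: str, action: str, record_id: str,
               note: str = "") -> dict:
    """Enforce the role policy, log the attempt, and return only the needed fields."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        audit(user, role, action, record_id, "denied", note)
        raise AccessDenied(f"role {role!r} may not {action!r}")
    record = PATIENT_RECORDS[record_id]
    if action == "read_billing":
        view = {"balance_due": record["balance_due"]}  # minimum necessary
    else:
        view = dict(record)
    audit(user, role, action, record_id, "allowed", note)
    return view


if __name__ == "__main__":
    print(access_phi("dr_smith", "physician", "read", "mrn-00042", "follow-up on mrn-00042"))
    try:
        access_phi("helpdesk", "support", "read", "mrn-00042")
    except AccessDenied as exc:
        print("denied:", exc)
    for event in AUDIT_LOG:
        print(event)
```

Denied attempts are logged as deliberately as allowed ones, since a burst of denials from one account is exactly the signal an auditor or an intrusion detection rule wants. The pseudonym is keyed (HMAC) rather than a plain hash so that an attacker who obtains the logs cannot brute-force the small MRN space back to real identifiers.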
Automatic Logoff: Systems that store PHI must be equipped with an automatic logoff feature. Workstations and devices that store PHI must automatically end the session after a defined idle period, which protects sensitive data from prying eyes at an unattended screen.
Detecting Unauthorized Access: Organizations that handle PHI must have integrity controls in place to ensure that PHI is not improperly modified or destroyed. Intrusion detection systems (IDS) that alert on suspicious or malicious behavior, paired with regular vulnerability scanning, give teams a practical way to detect and limit unauthorized access to production services.
What Are The Other HIPAA Rules?
The HIPAA Privacy Rule
This rule ensures the protection of identifiable health information, including private information relating to the mental and/or physical health of patients, medical treatment, and payment history.
Healthcare organizations and providers are responsible for protecting information containing PHI and personal identifiers in all forms and media from electronic sources, to paper and oral forms.
Furthermore, the Privacy Rule governs how a healthcare provider may use and disclose patient data, including when patient consent is required, what information can be disclosed, and to whom. It guarantees a patient’s right to access most of their PHI, including medical records. Under this rule, healthcare providers must create and implement privacy policies and make sure that staff and patients clearly understand them.
The Omnibus Rule
The Omnibus Rule, finalized in 2013, significantly expanded potential liability: it made business associates (BAs) directly accountable for HIPAA compliance, not just the covered entities that hire them.
The Omnibus Rule implemented provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, which promoted the adoption of Electronic Health Records (EHR). As EHRs became far more common across the United States, HIPAA security and privacy protections were strengthened and the legal and financial penalties for non-compliant organizations were reinforced.
The Breach Notification Rule
Under this rule, CEs and BAs must notify affected individuals and the Office for Civil Rights (OCR) when unsecured PHI has been breached, and notify the media as well for large breaches. The rule also defines which incidents count as reportable breaches, the notification deadlines, and how to report.
The HIPAA Enforcement Rule
This is the rule that empowers the Department of Health and Human Services (HHS) to enforce the Privacy and Security Rules. The Enforcement Rule gives the OCR the power to investigate HIPAA complaints, conduct compliance reviews, perform education and outreach, and levy civil monetary penalties that can reach $1.5 million USD per year for each category of violation (adjusted for inflation).
Ensure Documentation Is Up-to-date
If your team is audited by HHS/OCR, the OCR will want to review all evidence of your HIPAA compliance efforts, including privacy and security policies, risk assessments, remediation plans, and records of staff training. Keep track of every piece of evidence and always have a copy on hand, ready to hand over.
Continuous Improvement
HIPAA requires periodic review of your policies and procedures to make sure they remain effective. Teams need to review administrative policies regularly to confirm that security controls are implemented across their cloud services and are up to date.
Monitor and Maintain Compliance With Dash
Dash provides companies that operate in healthcare with an all-in-one solution for managing HIPAA administrative policies, technical controls, and cloud security. Digital health and mHealth companies can quickly overcome compliance obstacles and build and manage security and regulatory compliance standards in Amazon Web Services and the public cloud.
Furthermore, Dash ComplyOps can help your team implement the necessary technical safeguards, including disaster recovery (DR), encryption, vulnerability scanning, and intrusion detection, and monitor your compliance configuration in the cloud.
Digital health companies are typically vetted via a vendor risk assessment before they can do business with hospitals and enterprise healthcare companies. Dash specializes in giving healthcare companies the foundation needed to build and validate a security posture and achieve HIPAA compliance quickly and effectively.
Dash works closely with your team helping you create security policies and generate compliance reports. They even provide hospitals and enterprise partners with internal controls and security information.
Learn how your team can leverage Dash to address regulatory compliance concerns and get to market faster by requesting your demo now!