U.S. healthcare companies must comply with the data security and privacy standards defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of the legislation is to safeguard the privacy and security of protected health information (PHI) and electronic protected health information (ePHI). Failure to comply with HIPAA regulations can result in serious financial fines and reputational damage.
What Determines HIPAA Compliance?
Organizations need to follow three rules to comply with HIPAA standards.
The HIPAA Privacy Rule
The HIPAA Privacy Rule defines standards that protect individuals’ medical records and identifiable health information, known collectively as PHI. It requires organizations that use and store PHI to implement safeguards to protect their privacy and defines limits on how the information can be used. The Privacy Rule also provides individuals with certain rights regarding their medical records.
The HIPAA Security Rule
The HIPAA Security Rule is designed to protect the security of ePHI. It does not apply to PHI recorded on paper forms and stored in physical filing cabinets. The rule applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers) and to business associates that handle or transmit ePHI.
The Security Rule specifies that covered entities must take the following steps to protect ePHI:
- Ensure the confidentiality, integrity, and availability of all ePHI they handle;
- Identify and protect against reasonably anticipated threats to the security and integrity of ePHI;
- Protect against impermissible uses or disclosures of ePHI;
- Ensure compliance by the organization’s workforce.
The Security Rule also defines administrative, physical, and technical safeguards that must be implemented to protect ePHI. We will look at these safeguards in more detail shortly as they form the framework of a computing environment that supports HIPAA compliance.
The HIPAA Breach Notification Rule
This rule defines the conditions under which an organization must provide notification of a data breach involving PHI or ePHI. When a breach occurs, covered entities need to notify the individuals affected by the data’s disclosure, the Secretary of Health and Human Services, and under certain conditions, the media. The repercussions of these notifications can cause long-term damage to a company’s reputation.
Constructing a HIPAA-Compliant Infrastructure
The HIPAA Security Rule defines the safeguards that must be in place to construct a compliant infrastructure. Recognizing the differences in resources available to large and small healthcare providers, the rule allows flexibility in how these safeguards are implemented and which measures are put in place to protect ePHI. Covered entities need to consider these factors when determining how they implement ePHI security:
- The size, complexity, and capabilities of the covered entity;
- The current state of its hardware and software infrastructure;
- The costs of implementing enhanced security measures;
- The probability that ePHI will be put at risk by the covered entity.
Considering these factors, an organization subject to HIPAA regulations needs to conduct a risk analysis as defined in the administrative safeguards of the Security Rule. The main objectives of the risk analysis are:
- Evaluating the probability and impact of risks to ePHI;
- Implementing the appropriate measures to address these risks;
- Documenting the security measures and the justification for implementing them;
- Maintaining the appropriate security measures as an ongoing process that addresses changes to the environment.
Implementing the Security Rule’s administrative, physical, and technical safeguards is necessary to build an infrastructure that complies with HIPAA guidelines. Let’s take a closer look at what safeguards must be followed to construct a HIPAA-compliant infrastructure.
Administrative safeguards
The administrative safeguards that a healthcare organization must comply with are designed to protect ePHI. These include taking the following actions.
- Develop a security management process to identify potential risks to ePHI and implement security initiatives to reduce them.
- Designate a security official, or a single point of contact, who is responsible for developing and implementing the organization’s security policies and procedures.
- Define role-based access management policies that minimize the number of individuals who are authorized to access ePHI. These policies will be implemented by the Security Rule’s physical and technical safeguards.
- Perform periodic reassessments of the infrastructure to evaluate the success of security policies and adjust them to address environmental changes.
- Provide workforce training for all employees or contractors working with ePHI on the company’s security policies and procedures.
Physical safeguards
HIPAA compliance demands that covered entities protect their infrastructure and any devices containing ePHI. At a minimum, this requires taking the following steps.
- Limit physical access to infrastructure components that contain ePHI while ensuring that authorized users are not impacted.
- Implement policies that specify how devices and media used to process or store ePHI are handled and disposed of when no longer needed.
Technical safeguards
Technical safeguards need to be implemented to protect the security and integrity of ePHI as it moves through an organization. These safeguards encompass a wide variety of computing activities and platforms that all revolve around the protection of ePHI.
- Access controls are required to ensure that ePHI is only accessed by authorized personnel. These controls may include policies and procedures that need to be enforced throughout the life of an item of ePHI.
- Audit controls use various methods to ensure that access control is being implemented and followed. Through audit controls, unauthorized attempts to access ePHI can be identified and used to strengthen security processes.
- Integrity controls must be in place to ensure ePHI has not been modified or destroyed.
- Secure transmission of ePHI needs to be ensured through technical security activities such as encryption to protect the information from unauthorized access.
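The four technical safeguards above are easier to reason about when they meet in one piece of code. The following is an added example, not code from the article or from Atlantic.Net: a minimal ePHI access layer with a single choke point that enforces role-based access, writes an audit entry for every attempt (allowed or denied), seals each record with an HMAC so later modification is detectable, and reviews the audit log for repeated unauthorized attempts. The role names, record shape, integrity key and sample users are all constructed for illustration; transmission security is left to TLS at the transport layer and is not shown here.

```python
"""Added example (not from the article): a minimal ePHI access layer that
combines the technical safeguards discussed above. Role names, the record
shape, the integrity key and the sample users are constructed for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed role-to-permission map (role-based access, kept deliberately small).
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),          # no ePHI access at all
}

# Constructed key for the demo; a real deployment pulls this from a key store.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def seal(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON form, so any field change is detectable."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(seal(record), tag)


@dataclass
class EphiStore:
    records: dict = field(default_factory=dict)    # record_id -> (record, tag)
    audit_log: list = field(default_factory=list)  # every attempt, allowed or not

    def _audit(self, user, role, action, record_id, outcome):
        self.audit_log.append({"user": user, "role": role, "action": action,
                               "record": record_id, "outcome": outcome})

    def access(self, user, role, action, record_id, new_value=None):
        """Single choke point: authorize, log, and integrity-check every access."""
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, action, record_id, "DENIED")
            raise PermissionError(f"{role} may not {action} {record_id}")
        if action == "write":
            self.records[record_id] = (new_value, seal(new_value))
            self._audit(user, role, action, record_id, "OK")
            return new_value
        record, tag = self.records[record_id]
        if not verify(record, tag):
            self._audit(user, role, action, record_id, "INTEGRITY_FAILURE")
            raise ValueError(f"{record_id} failed integrity check")
        self._audit(user, role, action, record_id, "OK")
        return record


def denied_attempts(audit_log, threshold=2):
    """Audit-control review: users with at least `threshold` denied attempts."""
    counts = {}
    for entry in audit_log:
        if entry["outcome"] == "DENIED":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


def demo():
    """Constructed scenario: legitimate use, repeated denials, then tampering."""
    store = EphiStore()
    store.access("dr_lee", "clinician", "write", "MRN-0001",
                 {"name": "A. Patient", "dx": "J45"})
    store.access("bill01", "billing", "read", "MRN-0001")
    for _ in range(3):                      # staff without ePHI rights keep trying
        try:
            store.access("fac02", "facilities", "read", "MRN-0001")
        except PermissionError:
            pass
    # Simulate a change made behind the access layer (e.g. a direct database edit).
    record, tag = store.records["MRN-0001"]
    store.records["MRN-0001"] = ({**record, "dx": "Z00"}, tag)
    try:
        store.access("dr_lee", "clinician", "read", "MRN-0001")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"flagged": denied_attempts(store.audit_log),
            "tamper_detected": tamper_detected,
            "log_entries": len(store.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point of routing every read and write through one method is that the audit log cannot be bypassed by callers; the denied attempts and the integrity failure both end up in the same log that an auditor would later ask for.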
Implementing the Necessary Safeguards
A HIPAA-compliant infrastructure is one that successfully meets or implements all of the previous administrative, physical, and technical safeguards. Following are some specific actions, procedures, and activities that companies can take to protect ePHI.
- Limiting physical access to infrastructure components can be accomplished with biometric devices, security guards, and photo IDs. Real-time access tracking that includes logging activity should be implemented.
- Data breaches should be prevented through the use of intrusion detection systems and segmented networks. Firewalls should be dedicated to the HIPAA environment and separate from other applications or clients.
- Data loss prevention software that automatically classifies and enforces handling policies can be instrumental in protecting ePHI. Automated procedures can be configured to ensure ePHI is always handled and transmitted securely.
- Activity logging and access controls are required for all systems handling ePHI and may be needed for evidence during a HIPAA audit. Response plans must be in place to effectively address and minimize the damage of a security incident related to ePHI.
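The data loss prevention point above is the one most often automated. As an added example, not code from the article or from any DLP product, the following classifies outbound text for ePHI indicators and applies a handling policy before anything leaves: block over an unencrypted channel, redact for external recipients, allow otherwise. The indicator patterns, the MRN format, the policy and the sample messages are all assumptions constructed for this illustration.

```python
"""Added example (not from the article): a small data-loss-prevention check
that classifies outbound text for ePHI indicators and applies a handling
policy. The detector patterns, the MRN format and the policy are assumptions."""
import re

# Assumed indicator patterns; real identifier formats vary by organization.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{4,}\b"),
    "dob": re.compile(r"\bDOB:\s*\d{2}/\d{2}/\d{4}\b"),
}


def classify(text: str) -> set:
    """Return the set of ePHI indicator types present in the text."""
    return {name for name, pattern in DETECTORS.items() if pattern.search(text)}


def redact(text: str) -> str:
    """Replace each indicator with a labelled placeholder."""
    for name, pattern in DETECTORS.items():
        text = pattern.sub(f"[{name.upper()} REDACTED]", text)
    return text


def enforce(text: str, channel_encrypted: bool, recipient_internal: bool):
    """Assumed handling policy:
    - no indicators: allow as-is
    - indicators over an unencrypted channel: block (nothing leaves)
    - indicators to an external recipient: redact before sending
    - indicators, encrypted channel, internal recipient: allow as-is
    Returns (decision, outbound_text_or_None, indicators_found)."""
    found = classify(text)
    if not found:
        return ("allow", text, found)
    if not channel_encrypted:
        return ("block", None, found)
    if not recipient_internal:
        return ("redact", redact(text), found)
    return ("allow", text, found)


# Constructed sample traffic: (text, channel_encrypted, recipient_internal)
SAMPLE_MESSAGES = [
    ("Team lunch moved to 12:30.", False, True),
    ("Labs for MRN-00042 attached, DOB: 03/14/1980.", False, True),
    ("Insurer query: member SSN 123-45-6789, see MRN-00042.", True, False),
    ("Chart note for MRN-00042 updated.", True, True),
]


def run_samples():
    """Apply the policy to every constructed message; returns the decisions."""
    return [enforce(*message)[0] for message in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for message, decision in zip(SAMPLE_MESSAGES, run_samples()):
        print(decision.upper().ljust(7), message[0])
```

Pattern-based classification produces false positives and misses unstructured ePHI (free-text notes, names), so in practice it is paired with labels applied at creation time; the policy function is where those labels would be consulted alongside the pattern matches.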
Two Ways of Implementing a HIPAA-Compliant Infrastructure
Companies with the requisite technical experience and computing resources can build a HIPAA-compliant infrastructure in-house. This may involve considerable capital expenditure in areas such as physical security to ensure no unauthorized access is permitted. Many companies operating in the healthcare market are small and do not have the necessary skills, time, or finances to build an in-house HIPAA-compliant infrastructure.
Fortunately, there is another solution for businesses that must comply with HIPAA regulations. Many public cloud service providers (CSPs) offer customers a streamlined path to a fully HIPAA-compliant infrastructure. Companies can protect their sensitive ePHI without undertaking the construction of a compliant infrastructure from scratch. Taking advantage of these CSPs’ offerings may be just what a company needs when suddenly faced with implementing HIPAA compliance.
About Robert Agar
Robert Agar is a regular contributor and blogger for Atlantic.Net living in Northeastern Pennsylvania who specializes in various information technology topics. He brings over 30 years of IT experience to the table with a focus on backup, disaster recovery, security, compliance, and the cloud.