HIPAA stands for the Health Insurance Portability and Accountability Act – the name of legislation first introduced in 1996 to organise the insurance market in the USA. Included within the act were regulations for providers on how they should protect the security of Private Health Information (PHI).
HIPAA does not contain a detailed checklist of requirements that need to be fulfilled. Rather it insists on there being a chain of responsibility for the protection of data, and that each person in that chain carries out all reasonable measures to safeguard it.
The Chain of Responsibility
Healthcare suppliers are known as Covered Entities. If they work with third parties such as software companies or data hosting organisations, the Covered Entity needs to obtain signed Business Associate agreements ensuring they too apply HIPAA standards.
Despite the intentionally vague HIPAA requirements, every Covered Entity and Business Associate that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to, and that – should a breach of PHI occur – they follow the procedure in the HIPAA Breach Notification Rule.
All risk assessments, HIPAA-related policies and reasons why addressable safeguards have not been implemented must be chronicled in case a breach of PHI occurs and an investigation takes place to establish how the breach happened.
HIPAA Security Rule
The HIPAA Security Rule contains the standards that must be applied to safeguard and protect ePHI when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards.
The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization's internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Beyond that, organizations are free to select whichever mechanisms are most appropriate.
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access.
The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.
Risk assessments are the major area of Security Rule non-compliance. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.
- Among the Security Officer's main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur.
- The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
- Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented.
- In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes and to protect the integrity of ePHI while the organization operates in emergency mode.
- The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
The difference between the “required” safeguards and the “addressable” safeguards on the HIPAA compliance checklist is that “required” safeguards must be implemented whereas there is a certain amount of flexibility with “addressable” safeguards. If it is not reasonable to implement an “addressable” safeguard as it appears on the HIPAA compliance checklist, covered entities have the option of introducing an appropriate alternative, or not introducing the safeguard at all.
That decision will depend on factors such as the entity’s risk analysis, risk mitigation strategy and what other security measures are already in place. The decision must be documented in writing and include the factors that were considered, as well as the results of the risk assessment, on which the decision was based.
The Importance of Data Encryption
The vast majority of ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unsecured ePHI across open networks.
Breaches of this nature are easily avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every circumstance, it is a security measure which should be thoroughly evaluated and addressed. Suitable alternatives should be used if data encryption is not implemented. Data encryption renders stored and transmitted data unreadable and unusable in the event of theft.
Data is first converted to an unreadable format – termed ciphertext – which cannot be unlocked without a security key that converts the encrypted data back to its original format. If an encrypted device is lost or stolen it will not result in a HIPAA breach for the exposure of patient data. Data encryption is also important on computer networks to prevent hackers from gaining unlawful access.