The Health Insurance Portability & Accountability Act (HIPAA) imposes a range of conditions on healthcare providers and their business associates. At the federal level, there is an overarching framework of law which mandates positive action to ensure patient health records and information are protected. There are significant criminal and civil penalties for failing to comply, including multi-million dollar fines and jail time, not to mention the public shaming of violators and damage to business and personal reputations.
HIPAA is overseen by the Department of Health & Human Services (HHS), which is responsible for monitoring compliance, bringing prosecutions and the naming and shaming of offenders.
HIPAA affects anyone in the healthcare industry who collects, stores or uses private patient information; those affected are known as Covered Entities. In addition, anyone who conducts business with a Covered Entity and, in the course of that business, is given access to private patient health information is also caught by the HIPAA provisions; such entities are known as Business Associates.
HIPAA requires both physical and IT safeguards to protect private patient health information. The majority of the compliance focus is on protecting data which is stored electronically, though Covered Entities and their associates should also ensure that offline, real-world security is not ignored.
In general terms, you must comply with the following:
The Privacy Rule
The Privacy Rule covers how private patient health information can be created, stored, transmitted and maintained, but most breaches and violations of HIPAA occur because Covered Entities (CEs) do not implement controls over who has access to the data. This is particularly acute when it comes to employees of the Covered Entity or Business Associates, who are allowed access to the data, or easy access to workstations from which the data can then be accessed, even when not authorized.
The Security Rule
This is a much more specific rule set which sets the national standard for protecting private patient health information, no matter how it is created, stored, transmitted, maintained or accessed.
As a minimum, CEs and their associates MUST establish the following:
- Physical Security and Safeguards –
This includes controlling who gains access to physical premises, or to workstations providing access to protected data within those premises. This particularly applies to data centers, whether operated directly by the CE and their associates or, as is more usual, by third-party data center providers (who by definition are classified as Business Associates too, and are thereby also caught by HIPAA provisions).
- Technical Safeguards –
This focuses on who has data access, and the measures required to ensure that unauthorized data loss and access are prevented. Technical safeguards include measures such as adequate password policies, data encryption, automatic log-off of workstations after a time-out period, and establishing a full audit trail and reporting logs of all activity involving patient data and the network.
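Two of the safeguards named above, automatic log-off after an idle period and a complete audit trail of activity involving patient data, are easy to state and easy to get subtly wrong (for example, logging only successful reads, or keeping a log that an insider can quietly edit). The following is an added example, not code from the original article or from any product it mentions: it gates each read of a patient record on an idle timeout and on a per-user authorization list, records every attempt including refusals, and hash-chains the log entries so that tampering with an earlier entry is detectable. The 15-minute timeout, the user and record identifiers and the record format are all this example's own assumptions.

```python
"""Added example (not from the original article): an idle-timeout session gate
and a tamper-evident audit trail for reads of patient records. All names,
identifiers and the timeout value are assumptions made for this example."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed auto-logoff period; the article only says "after a time-out period".
IDLE_TIMEOUT = timedelta(minutes=15)


@dataclass
class AuditLog:
    """Append-only log of every attempt to touch patient data. Each entry
    carries the previous entry's hash, so editing or deleting an earlier
    entry breaks the chain and is detected by verify()."""
    entries: list = field(default_factory=list)
    prev_hash: str = "0" * 64

    def record(self, user, action, record_id, when, outcome):
        entry = {
            "ts": when.isoformat(),
            "user": user,
            "action": action,
            "record": record_id,
            "outcome": outcome,
            "prev": self.prev_hash,
        }
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        self.prev_hash = entry["hash"]
        return entry

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Session:
    user: str
    last_activity: datetime
    active: bool = True


def access_record(session, record_id, now, authorized, log):
    """Gate one read of a patient record: idle timeout first, then the
    user's authorization list. Every attempt is logged, refusals included,
    so the trail reflects all activity and not only successful reads."""
    if not session.active or now - session.last_activity > IDLE_TIMEOUT:
        session.active = False  # automatic log-off; user must re-authenticate
        log.record(session.user, "read", record_id, now, "session_expired")
        return "session_expired"
    session.last_activity = now
    if record_id not in authorized.get(session.user, set()):
        log.record(session.user, "read", record_id, now, "denied")
        return "denied"
    log.record(session.user, "read", record_id, now, "ok")
    return "ok"


def demo():
    """Constructed sample: one clinician authorized for two records, making
    an allowed read, an unauthorized read, then a read after sitting idle."""
    authorized = {"nurse01": {"P-1001", "P-1002"}}
    log = AuditLog()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    s = Session("nurse01", last_activity=t0)
    results = [
        access_record(s, "P-1001", t0 + timedelta(minutes=5), authorized, log),
        access_record(s, "P-9999", t0 + timedelta(minutes=6), authorized, log),
        access_record(s, "P-1002", t0 + timedelta(minutes=30), authorized, log),
    ]
    return results, log


if __name__ == "__main__":
    outcomes, audit = demo()
    print(outcomes)                 # ['ok', 'denied', 'session_expired']
    print("chain intact:", audit.verify())
```

The denied read of `P-9999` is the event an auditor most wants to see, which is why the log is written before the function returns on every path. In a real deployment the log would be shipped off the workstation to a system the clinician cannot write to; the hash chain only makes local tampering visible, it does not prevent it.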
- Network Security Safeguards –
There are two main issues here: protection of the network on which data is created, stored or used, and what happens when patient data is transmitted outside that network. External threats such as hackers and cyber thieves are also covered here, and measures must be implemented to protect patient data from theft, unauthorized use or destruction.
Jensen Carlyle is a freelance writer focusing on technology issues and the healthcare sector; he currently writes for Swift Systems.