According to the 25th Annual HIMSS Leadership Survey, the top concern for healthcare IT leadership is compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. While these regulations are designed to safeguard protected health information (PHI), they can be hard to interpret and implement. The following guidelines for achieving HIPAA compliance are designed to point you in the right direction. HOSTING recommends that organizations interested in achieving a strong HIPAA compliant posture engage an experienced Chief Information Security Officer (CISO) to review each rule in its entirety.
Requirements for becoming HIPAA compliant
HIPAA was introduced in 1996, pre-dating the rise of the consumer Internet as well as the advent and evolution of mobile devices. Because of its dated, complex language, healthcare organizations and developers are often stymied in their attempts to determine whether their activities enable them to achieve and maintain HIPAA compliance. Multiple changes to the HIPAA Privacy and Security Rules over the years have only added to the confusion.
Simply put, Covered Entities and their Business Associates need to ensure the privacy, security and availability of protected health information (PHI) at all times. In order to do so, they must dissect and address four specific rules:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards for the protection of PHI. PHI is individually identifiable health information, that is, information that can be linked to a particular person and that relates to:
- The individual’s past, present or future physical or mental health
- The provision of healthcare to an individual
- The past, present or future payment for the provision of healthcare to the individual
The Privacy Rule requires Business Associates to do the following:
- Prevent any impermissible uses or disclosures of PHI
- Provide breach notification to the Covered Entity
- Provide either the individual or the Covered Entity access to PHI
- Disclose PHI to the Secretary of Health and Human Services (HHS), if required to do so
- Provide an accounting of disclosures
- Comply with the requirements of the HIPAA Security Rule
HIPAA Security Rule
The HIPAA Security Rule addresses the technical and non-technical safeguards that organizations must put in place to secure individuals’ PHI as outlined in the Privacy Rule. The rule protects PHI whether it is stored electronically or as a printed copy.
The HIPAA Security Rule requires implementation of three types of safeguards.
HIPAA Security Rule – Physical Safeguards
There are 4 standards in the Physical Safeguards section.
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
When you break these standards down, the following policies and controls are what you need to implement:
- A Facility Security Plan – this includes policies and procedures to safeguard the facility, servers, etc. from unauthorized access
- Access Control and Validation Procedures – these procedures control and monitor visitor access, as well as access to software programs on the servers
- Maintenance Records – these document repairs and modifications to the physical components of a facility that are related to security.
- Workstation Use – these policies and procedures specify the functions to be performed on workstations and the manner in which they are to be performed. They also detail the physical attributes of the surroundings of specific workstations, or classes of workstation, that can access PHI.
- Workstation Security – this lists physical safeguards for all workstations that access PHI, in order to restrict access to authorized users only.
- Device and Media Controls – these include disposal policies and procedures to address the final disposal of hardware or electronic media that stores ePHI.
- Media Re-use – includes procedures for removal of ePHI from electronic media before the media are reused
- Accountability – requires logging all movements of hardware and electronic media as well as documenting all people responsible for transporting that hardware
- Data Backup and Storage – this requires that the hosting provider create a retrievable, exact copy of ePHI, when needed, before equipment is moved
Most HIPAA compliant hosting providers distill these physical requirements into a standard checklist of features that include the following:
- A fully implemented firewall on all systems
- Two-factor authentication for access control on everything from control panels to any server-side software
- External data redundancy and off-site backup
- SSL access and up-to-date SSL certificates, including SSL VPN access and encrypted VPN sessions
- Private hosting environment for servers holding protected health information (PHI)
- Business Associate Agreement (BAA) signed with application developers
- Policies and procedures that outline who can access the servers at a hosting facility and the timeframe and methods in which to do so
HIPAA Security Rule – Technical Safeguards
Securing a HIPAA compliant hosting partner for an application only addresses part of the compliance equation. To be fully compliant, developers also need to ensure that the Technical and Administrative Safeguards outlined in the HIPAA Security Rule are met. The Technical Safeguards include the following:
- Access Control
  - Unique User Identification – a unique name or number to identify and track user identity in your application
  - Emergency Access Procedures – these establish (and implement as needed) the steps for obtaining ePHI during an emergency
  - Automatic Logoff – this terminates an electronic session after a predetermined time of inactivity
  - Encryption and Decryption – mechanisms that encrypt and decrypt ePHI within your application
- Transmission Security
  - Integrity Controls – security measures to ensure that electronically transmitted ePHI is not improperly modified without detection
  - Encryption Mechanisms – these allow for encryption of ePHI in transit whenever appropriate
- Additional Controls
  - Audit Controls – hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
  - Authentication Procedures – these verify that a person or entity seeking access to ePHI is the one claimed
HIPAA Security Rule – Administrative Safeguards
The Administrative Safeguards are a collection of policies and procedures that govern the conduct of the workforce and the security measures put in place to protect PHI. These administrative components are essential to implementing a HIPAA compliance program. Organizations are required to assign a privacy officer, complete a risk assessment annually, implement employee training, review policies and procedures, and execute Business Associate Agreements (BAAs) with all partners who handle PHI.
There are 9 standards under the Administrative Safeguards section.
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Business Associate Contracts and Other Arrangements
HIPAA Enforcement Rule
The HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings for organizations that fall out of compliance.
HIPAA Breach Notification Rule
As required by the HITECH Act, the Secretary of Health and Human Services must post a list of data breaches that compromise unsecured protected health information (PHI) affecting 500 or more individuals. Currently, the department’s “wall of shame” includes more than 1,000 data breaches.
HOSTING Managed Compliance Services™
HIPAA compliance is complicated. HOSTING stands ready to help. HOSTING Managed Compliance Services™ empower organizations to effectively manage their compliance-related activities. Developed and tested by our team of certified security and compliance experts, our Compliance as a Service (CaaS) offering enables organizations to take measurable, proactive stances to address HIPAA and PCI regulations.