We have seen an expansion of data collection in recent years. It became prominent with the growing amount of time we spend online. Beyond that, the need to improve processes and networking means that many businesses keep this data available on a network somewhere in virtual space. Sometimes the data collection is justified, and sometimes it isn’t. Laws such as HIPAA in the US and GDPR in the EU have been introduced to protect sensitive data.
It is common knowledge that all our medical information is confidential; we know this from the principle of doctor-patient confidentiality. HIPAA recognizes this, and also the fact that nowadays these records include a lot of sensitive data which, in the wrong hands, could potentially harm the patients.
What is HIPAA?
HIPAA (Healthcare Insurance Portability and Accountability Act) of 1996 is a law that sets standards for protecting health information (PHI, protected health information) so that it is not disclosed without the patient’s consent.
These standards are part of the HIPAA Privacy Rule, which must be obeyed by covered entities, including healthcare providers, entities that provide health plans and healthcare clearinghouses, as well as by their business associates that provide services (billing, data analysis, etc.) to one of those covered entities.
If you are not certain whether you fall under the covered entities category or if HIPAA Privacy Rules apply to you, you can find the criteria online.
HIPAA has 5 main directives, and while some of them refer to taxation rules, what most people mean by HIPAA compliance is following the Privacy Rule, together with the Security Rule and the Enforcement Rule that form part of it.
In Case of a Breach
If the healthcare database you hold is compromised, you need to issue a breach notification that includes details such as the type of data compromised, who gained unauthorized access to it, whether the information was only exposed to them (viewed) or is now actually in their possession (acquired), and the risk-mitigation measures you applied.
The notification requirements depend on the extent of the breach. For under 500 records, you need to notify the people involved as well as the HHS. For breaches involving more than 500 records, you need to inform the media as well. You have 60 days to do this.
HIPAA Database Compliance
HIPAA compliance happens on several levels.
HIPAA Privacy Rules
To enforce the HIPAA Privacy Rule you need to start by raising awareness and making clear what is and is not allowed:
- Staff Training. Make sure people understand what PHI is.
- Anti-Corruption. Maintain the integrity of PHI.
- Patient authority. If you need to use patient data, make sure you have the patient’s authority to do so.
- Data sharing notice. Notice of privacy practices is mandatory and every patient needs to be aware of it.
- Prompt response. You have 30 days to respond to patient requests.
- Keep track of changes. Reference the authorization requirements regarding changes in school immunization disclosures, patients’ rights to their electronic records, and restrictions on information disclosed to health plans.
- Check HIPAA Omnibus Rule.
HIPAA Administrative Rules
On the administrative side, you need to:
- Train your staff. Again, the human factor is a privacy risk, so ensure your staff is well informed and equipped to recognize and react to any security risks.
- Assess and manage the risk.
- Build and test contingency. Create and test a contingency plan, and set up a backup system.
- Access authorization. Limit access to PHI to only those parties that are authorized to view it, and make sure you have business associate agreements signed with your business partners.
- Report and document security breaches, regardless of whether the data was actually compromised.
HIPAA Technical Requirements
Technical requirements are essential for the safekeeping of the PHI.
- Encryption. Encrypt data on the network (following NIST cryptographic standards) and on devices.
- Access control. Each user should have unique credentials.
- Activity control. Log activity so that every PHI access attempt and every PHI modification is documented.
- Identify PHI. Correctly identify and authenticate PHI so that the appropriate safeguards can be applied.
- Automatic logoff. Enable automatic logoff so that access to data is cut off when it is not being used.
- HIPAA-compliant servers. You need either on-site infrastructure or HIPAA-compliant web hosting.
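The access-control, activity-logging and automatic-logoff items above are easier to reason about in working code. The following Python example is added here and is not from the original post or from any HIPAA tooling: it models a small PHI store in which every user holds a unique session token, every access attempt (allowed or denied) is written to an audit log, and idle sessions are logged off automatically. The role table, the 15-minute idle timeout, the user names and the patient record are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy values (constructed for this example, not taken from the post).
IDLE_TIMEOUT = timedelta(minutes=15)
ROLE_PERMISSIONS = {
    "physician": {"view", "modify"},
    "billing": {"view"},
}


@dataclass
class Session:
    user_id: str          # one unique credential per person: no shared accounts
    role: str
    last_activity: datetime


@dataclass
class AuditEvent:
    timestamp: datetime
    user_id: str
    action: str
    record_id: str
    outcome: str          # "allowed", "denied" or "auto_logoff"


class PHIStore:
    """In-memory stand-in for a PHI database with audit and session checks."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[AuditEvent] = []

    def login(self, user_id: str, role: str, now: datetime) -> str:
        # Issue an unguessable session token bound to exactly one named user.
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user_id, role, now)
        return token

    def _session_for(self, token: str, now: datetime) -> Optional[Session]:
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_activity > IDLE_TIMEOUT:
            # Automatic logoff: drop the idle session and record that it happened.
            del self._sessions[token]
            self.audit_log.append(
                AuditEvent(now, session.user_id, "session", "-", "auto_logoff"))
            return None
        session.last_activity = now
        return session

    def access(self, token: str, action: str, record_id: str, now: datetime,
               new_value: Optional[str] = None) -> Optional[str]:
        """Perform `action` ("view" or "modify") on a record; every attempt is logged."""
        session = self._session_for(token, now)
        if session is None:
            self.audit_log.append(
                AuditEvent(now, "<no session>", action, record_id, "denied"))
            return None
        allowed = action in ROLE_PERMISSIONS.get(session.role, set())
        self.audit_log.append(AuditEvent(now, session.user_id, action, record_id,
                                         "allowed" if allowed else "denied"))
        if not allowed:
            return None
        if action == "modify":
            self._records[record_id] = new_value or ""
        return self._records.get(record_id)


def demo() -> PHIStore:
    """Constructed walk-through; returns the store so its audit log can be inspected."""
    store = PHIStore()
    t0 = datetime(2024, 1, 1, 9, 0)
    doc = store.login("dr_alice", "physician", t0)
    bill = store.login("bob_billing", "billing", t0)
    store.access(doc, "modify", "patient-001", t0, new_value="allergy: penicillin")
    store.access(bill, "view", "patient-001", t0 + timedelta(minutes=1))
    # Billing may only view, so this modification is refused but still logged.
    store.access(bill, "modify", "patient-001", t0 + timedelta(minutes=2), new_value="x")
    # 30 minutes idle exceeds the timeout: the physician is logged off automatically
    # and the attempt is recorded as denied.
    store.access(doc, "view", "patient-001", t0 + timedelta(minutes=30))
    return store


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event.timestamp.isoformat(), event.user_id, event.action,
              event.record_id, event.outcome)
```

The point of logging denied attempts and automatic logoffs alongside successful reads is that the audit trail then answers the breach-notification questions from the earlier section (who touched which record, and whether they only viewed it or changed it) without relying on anyone's memory.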
Needless to say, even with all the external technical safeguards and internal authorization configuration, you still need on-premises safeguards, so ensure that you:
- Track and, where possible, limit access to your facilities; define which workstations may access the data and monitor them closely.
- Pay attention to any mobile devices used for accessing PHI, and ensure that no information is passed on to another user via a mobile device.
With this simple checklist, you can easily keep your PHI secure. If you are a small business partner of a healthcare provider and HIPAA compliance has got you concerned, there is nothing to worry about.
The smaller you are, the easier it will be for you to control access to data. Also, luckily for you, if you cannot cope on your own, many of the technical requirements can be met with the help of agencies and server hosting providers who specialize in HIPAA-related consultancy and services.