What it is all about or a brief introduction to HIPAA compliance
HIPAA stands for “Health Insurance Portability and Accountability Act of 1996” and it is a federal law enacted on August 21, 1996. The main purpose of HIPAA is to protect privacy and provide security for protected health information (PHI).
What is PHI? PHI is any information about health status, provision of health care or payment for health care that is created or collected by a Covered Entity or Business Associate of a Covered Entity and can be linked to an individual person. Examples of PHI data are names, phone numbers, social security numbers, email addresses, medical record numbers, photographic images, etc.
Another purpose of the act is to increase the efficiency and effectiveness of the healthcare system. The last purpose, but not the least important, is establishing standards and rules for accessing, storing, transmitting and processing PHI data. HIPAA consists of several rules:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Breach Notification Rule
- HIPAA Enforcement Rule and The Omnibus Rule
HIPAA compliance rules checklist
The HIPAA Privacy Rule creates national standards to protect individual healthcare records. It sets the rules about who can access PHI records and how, and enables patients to find out how their information may be used.
The Security Rule explains who is covered under protection, what types of information have to be protected and what types of safeguards have to be in place.
The Breach Notification Rule covers requirements and guidelines regarding notifications about security breach incidents.
In the Enforcement Rule, we can find details about monetary penalties for violations of the rules and the procedures for hearings.
The Omnibus Final Rule implements a number of provisions of the HITECH Act (Health Information Technology for Economic and Clinical Health).
So HIPAA is a set of government regulations that companies that store or process PHI data must follow. They were originally set up to protect against breaches of patient data. Anyone involved in handling data for the healthcare industry needs to make sure that all of their employees are familiar with the regulations and know how to protect patient data. However, this goes beyond data protection, as secure ways of processing and making decisions based on this data must also be found. As a result, you must also keep data storage and processing in mind, as PHI data is among the most sensitive anyone has. HIPAA defines the parties involved in the process, as well as their responsibilities, with regulations regarding the physical storage of data, such as paper, and electronic data, including online information systems. Therefore, anyone involved in data storage should consider implementing regular in-company training programs in order to stay up to date on the latest regulations. Since, of course, we are all human and prone to making mistakes, we need a solution for when this happens. Luckily, the act includes guidelines for what to do in the event of a security breach.
Who should care about HIPAA compliance?
The HIPAA Rules apply to covered entities and business associates. A covered entity, as defined in 45 CFR 160.103, is one of the following: a health care provider (e.g. doctors, clinics, pharmacies), a health plan (e.g. health insurance companies, company health plans) or a health care clearinghouse (an entity that processes nonstandard health information into a standard electronic or non-electronic format). A business associate is a company engaged by the covered entity to help carry out its health care activities.
Everyone who handles patient data that must be protected should care about HIPAA. Employees should be trained on a yearly basis. Training should focus on how to protect the data, how to behave in the event of a security breach, and a reminder of all HIPAA elements.
A company should have a privacy officer who takes care of regular employee training, sets up policies and procedures, and manages agreements with external business associates. The privacy officer should also take care of risk assessment inside the company and create a monitoring and mitigation plan for potential risks.
Not only your own employees should be aware of HIPAA regulations, but also the external companies you work with. These companies are called business associates, and the privacy officer must take care of signing agreements with them. An agreement should consist of several chapters, such as terms and definitions, general obligations of the subcontractor, permitted uses and disclosures, indemnifications, and whatever else the privacy officer considers important. Certainly, any business associate signing an agreement with our company should also have knowledge of HIPAA regulations and of the security considerations regarding the processing of patient data.
HIPAA compliant software. How to minimize the risk?
The broad adoption of information technology in the healthcare industry creates a lot of opportunities but also poses a lot of risks. One of the main risks is exposing protected health information to the public. Only certain uses and disclosures are permitted, which is covered in detail by the HIPAA Privacy Rule. On the other hand, information systems give us great abilities in terms of the quality and speed of processing huge amounts of data. That potential shouldn’t be blocked by any act, because with access to that data we can really move forward with better health care access and reception. This is why the Privacy Rule contains standardized methods of data de-identification. After de-identification, no individual should be identifiable from the data. The rule describes two different methods for data anonymization: “Expert Determination” and “Safe Harbor”. Expert Determination consists of a number of statistical methods and techniques which, applied to the data, change it in such a way that there is a very small risk of identifying an individual person. The Safe Harbor method is simply the removal of each of 18 types of identifiers that can lead to an individual person (e.g. names, dates, telephone numbers). Of course, the Safe Harbor method is easier to implement and safer in terms of not leaking PHI data, but it can’t be used in every situation. Removing all of the important individual data from the data set could leave the data useless for further processing. We have to choose the proper method according to the situation.
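The Safe Harbor method described above, as an added example in Python (not the author's code): direct identifiers are dropped, dates are reduced to the year, and free text is scrubbed. It goes beyond the three identifier types the text lists, also applying the rule's treatment of ages over 89 and of ZIP codes; the record, the field names and the `low_population_prefixes` placeholder are constructed here.

```python
import re
from datetime import date

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1931-04-17",
    "visit_date": "2023-11-02",
    "phone": "555-0100",
    "email": "jane@example.org",
    "zip": "10001",
    "mrn": "MRN-000123",
    "diagnosis": "Type 2 diabetes",
    "notes": "Jane Example called from 555-0100 about a refill.",
}

DIRECT_IDENTIFIERS = {"name", "phone", "email", "mrn"}  # dropped outright
DATE_FIELDS = {"dob", "visit_date"}                      # reduced to the year
FREE_TEXT_FIELDS = {"notes"}                             # scrubbed with patterns
PHONE_RE = re.compile(r"\b(?:\d{3}[-.\s]?)?\d{3}[-.\s]?\d{4}\b")

def safe_harbor(record, today, low_population_prefixes=frozenset()):
    """Return a Safe Harbor de-identified copy of `record`. `low_population_prefixes`
    is a placeholder for 3-digit ZIP prefixes covering <= 20,000 people (they become '000')."""
    identifier_values = [v for k, v in record.items() if k in DIRECT_IDENTIFIERS]
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            born = date.fromisoformat(value)
            age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
            out[key] = "90+" if age > 89 else str(born.year)  # ages over 89 collapse to one bucket
        elif key in DATE_FIELDS:
            out[key] = value[:4]
        elif key == "zip":
            prefix = value[:3]
            out[key] = "000" if prefix in low_population_prefixes else prefix
        elif key in FREE_TEXT_FIELDS:
            text = PHONE_RE.sub("[PHONE]", value)
            for ident in identifier_values:  # also scrub the record's own identifiers
                text = text.replace(ident, "[REDACTED]")
            out[key] = text
        else:
            out[key] = value
    return out

def deidentify_sample(today_iso="2024-06-01", low_population_prefixes=frozenset()):
    """Run the sample record through safe_harbor() as of the given date."""
    return safe_harbor(SAMPLE_RECORD, date.fromisoformat(today_iso), low_population_prefixes)
```

Free-text scrubbing by pattern catches only what the patterns know about, which is one reason the text above says Safe Harbor cannot be used in every situation.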
What does HIPAA mean for IT? Is Google Drive HIPAA compliant?
Nowadays most of the data processing we do is done online. So it becomes more and more important to use proper tools, especially when we’re talking about processing PHI data. The first thing we should consider is the use of safe and certified communication tools. It is not only about encrypted communication channels. You have to ensure that the channels, APIs and storage used for your messages and files are HIPAA compliant and can be used for exchanging PHI data.
If you are building an app that will be used for creating, storing, processing and using PHI data, you have to be sure that all communication channels are encrypted using up-to-date encryption algorithms. One of the most important parts regarding data security and the HIPAA rules is proper authentication and auditing mechanisms. Every access to the database or any other storage server should be logged. If you are working with SQL servers, you can consider using trigger functionality for such auditing. For NoSQL databases, you will have to build your own custom solution.
Another important part of an app is its logging layer. If your logging provider isn’t HIPAA compliant, you have to be really careful about what you track and what goes into the logs. You have to consider a tailor-made logging solution if details of the processed data are important in your application logs.
Every application has to be hosted somewhere. You have to be sure that your hosting environment and your hosting provider offer HIPAA compliant services. These days, when cloud services are a very popular choice among hosting options, it is good to know that the biggest players in cloud services (Amazon, Google and Microsoft) offer HIPAA compliant cloud services and storage.
But all of these applications and services have to be designed and developed somehow. We have to provide a secure environment for our own employees. PCs should have proper authentication systems in place, the disk drives of personal computers should be encrypted, and people with access to PHI data should sit where no one can accidentally see their displays. Password-change policies and lock-screen mechanisms must also be in place.
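The trigger-based auditing mentioned above, as an added example in Python on SQLite (not the author's code): change triggers write who did what to an append-only audit table, and two more triggers refuse any edit or deletion of the log itself. Triggers fire only on INSERT, UPDATE and DELETE, so read access still has to be logged at the application layer or by the database's own audit facility; the patient row, the MRN value and the actor name are constructed, and the session table stands in for the session user that server databases expose directly.

```python
import sqlite3

# Schema and triggers for an append-only audit trail (SQLite dialect; constructed).
AUDIT_SCHEMA = """
CREATE TABLE patient (id INTEGER PRIMARY KEY, mrn TEXT NOT NULL, diagnosis TEXT);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    at TEXT NOT NULL DEFAULT (datetime('now')),
    actor TEXT NOT NULL, action TEXT NOT NULL, patient_id INTEGER NOT NULL,
    old_diagnosis TEXT, new_diagnosis TEXT);
-- SQLite has no CURRENT_USER, so the acting user is carried in a one-row
-- session table; server databases expose the session user directly.
CREATE TABLE session (actor TEXT NOT NULL);
CREATE TRIGGER patient_update AFTER UPDATE ON patient BEGIN
    INSERT INTO audit_log (actor, action, patient_id, old_diagnosis, new_diagnosis)
    VALUES ((SELECT actor FROM session), 'UPDATE', NEW.id, OLD.diagnosis, NEW.diagnosis);
END;
CREATE TRIGGER patient_delete AFTER DELETE ON patient BEGIN
    INSERT INTO audit_log (actor, action, patient_id, old_diagnosis)
    VALUES ((SELECT actor FROM session), 'DELETE', OLD.id, OLD.diagnosis);
END;
-- The log itself must be tamper-evident: refuse any UPDATE or DELETE on it.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_audited_db(actor):
    """Open an in-memory database with the audit triggers installed for `actor`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(AUDIT_SCHEMA)
    conn.execute("INSERT INTO session (actor) VALUES (?)", (actor,))
    return conn

def run_demo():
    """Change a (constructed) patient row and return the audit rows that resulted."""
    conn = open_audited_db("dr_example")  # constructed user name
    conn.execute("INSERT INTO patient (mrn, diagnosis) VALUES ('MRN-000123', 'initial')")
    conn.execute("UPDATE patient SET diagnosis = 'revised' WHERE mrn = 'MRN-000123'")
    conn.execute("DELETE FROM patient WHERE mrn = 'MRN-000123'")
    rows = conn.execute("SELECT actor, action, patient_id, old_diagnosis, new_diagnosis "
                        "FROM audit_log ORDER BY id").fetchall()
    try:  # an attempt to erase the trail must fail, leaving the rows intact
        conn.execute("DELETE FROM audit_log")
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True
    return rows, tamper_blocked
```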
Good to know about HIPAA compliance or a little bit of summary
It’s not that hard to comply with HIPAA regulations if you stick to a few rules.
- Remember which data is the important data that is treated as part of PHI.
- Take proper care of all offline and online documents that include PHI data.
- For offline documents, maintain proper locked storage; for online documents, use secure channels, applications and de-identification methods.
- Use de-identification methods for PHI data as much as you can.
- Prefer the quicker and easier ways to de-identify, as they’re much less prone to errors.
- And remember: knowledge and awareness are your best friends.
At FM we have quite long experience in creating and working with HIPAA compliant digital products for the healthcare industry. If you want to learn more, just contact us!