Share this
Understanding HIPAA Compliance
by Bridget.Giacinto on May 12, 2015 11:32:10 AM
Prior to the establishment of HIPAA (Health Insurance Portability and Accountability Act) there was no generally accepted standard for protecting health information. The establishment of HIPAA and the privacy and security rules that accompany it, were developed in an effort to improve the access, portability and protection of patient health records for the healthcare industry.
As technological advancements have made it possible to go digital with health records, Congress has recognized the need to create national standards by which to protect this information. This movement away from paper processes in favor of electronic data transactions has brought about this need for establishing security and privacy standards. Thus, a critical component of these HIPAA Rules were designed to implement safeguards for data protection, and the appropriate access and use of that information.
Covered Entities
Guidelines were put in place to ensure that all entities that handle medical data take the necessary measures to ensure the security of patient data. As there are hefty fines for non-compliance, it’s important to fully understand which entities are required to adhere to these HIPAA Rules. There are three covered entities: healthcare providers, health plans, and heath care clearinghouses.
- Healthcare Providers – Any provider that engages in electronic transactions of health information (e.g., Doctors, Dentists, Chiropractors, Psychologists, Clinics, Nursing Homes, Pharmacies)
- Health Plans – Any plan (individual or group) that provides or pays the cost of health care (e.g., Health Insurance Companies, Company Health Plans, HMOs, Government Health Programs like Medicare or Medicaid)
- Healthcare Clearinghouses – An entity (public or private) that processes non-standard health information for another entities into a standard format (i.e., standard electronic format or data content), or vice versa.
HIPAA Compliance
There are two compliance rules that covered entities should be aware of: The Privacy Rule and the Security Rule. The Security Rule applies only to Electronic Protected Health Information (EPHI), whereas the Privacy Rule applies to Protected Health Information (PHI), which could include electronic, oral or paper form.
- The Privacy Rule – Set of standards for who has access to Protected Health Information.
- The Security Rule – Set of standards for ensuring that only those who should have access to Electronic Protected Health Information actually have access.
Requirements
These covered entities are required to protect the privacy and security of protected health information by following HIPAA compliance standards. The Privacy Rule protects all “Individually Identifiable Health Information,” which includes all health information for past, present, or future health care (physical or mental health) of an individual (including payment-related provisions for health care) that contain information that can be used to identify the individual.
The Security Rule protects a subset of the Privacy Rule, which includes all individually identifiable health information that an entity creates, saves, maintains, accesses or shares in electronic form. This information is referred to in the Security Rule as “Electronic Protected Health Information.”
The HIPAA Security Rule lays out three types of safeguards required for compliance: Administrative, Physical and Technical. These safeguards are put in place to maintain the “confidentiality” of electronic protected health information (e-PHI).
Risk Assessment
One of the first steps that medical practices (and all covered entities) should perform is a risk assessment. This is considered part of the Administrative Safeguards provision in the security Rule and allows covered entities to determine which security measures are reasonable and appropriate, and which areas in need to change.
A risk analysis involves looking at the current policies, systems, security safeguards, and backup and recovery processes to highlight areas of potential risk in light of the HIPAA standards and guidelines. An important part of this process involves assigning a designated security official who is officially responsible for documenting, developing, implementing and continually maintaining appropriate security policies and procedures to address these risks, and providing appropriate and reasonable security protections going forward.
Contingency Plan
HIPAA requires that covered entities develop a contingency plan (also a part of the Administrative Safeguards) for both data backup and disaster recovery. This contingency plan must document how the organization will continue operations in the event of a data loss. Your plan should outline how data can be retrieved and accessed in an emergency, outage, or data loss scenario as well as how you intend to restore your data in the event of a disaster. Since a backup is only as good as your ability to restore from it, testing your backups should be included in your testing procedures.
Data backup software is a critical part of every organizations data protection and disaster recovery plan, but for covered entities it is vital to maintaining HIPAA compliance. NovaBACKUP Corporation is one such company offering highly scalable and flexible backup software that is 100% HIPAA compliant for organizations who are required to protect data under the HIPAA act. For more information on creating a contingency plan, check out this how-to contingency plan that meets HIPAA security standards.
Establishing Safeguards
HIPAA security standards require covered entities to ensure the confidentiality, integrity, and availability of all electronic health information. HIPAA specifically requires healthcare entities to develop safeguards be implemented that prevents the unauthorized access of information, the monitoring of critical data access, the use and storage of media, and the encryption of transmitted data. These safeguards fall under both the Physical and Technical Safeguards.
Physical Safeguards
Physical Safeguards were designed establish “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Physical Safeguards Include:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
We are going to take a look at just the last Physical Safeguard today. Device and Media Controls establishes policies and procedures that address the use, storage, and removal of hardware and electronic media that contains electronic protected health information.
To be compliant, policies need to be in place to documents the established safeguards for everything from who handles hardware (hard drives, tape drives, disks, optical disks, digital memory cards, thumb drives), backups and backup storage media, to how it is tracked, stored, rotated, re-used and disposed of, to your process for creating a retrievable exact copy (image backup) of electronic protected health information before equipment is moved. For a complete list of physical safeguards, view this HIPAA Security Series on Physical Safeguards.
Technical Safeguards
Technical Safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Technical Safeguards include:
- Access Control
- Audit Control
- Integrity
- Person or Entity Authentication
- Transmission Security
While there is no single technology solution required to meeting the security measures called for under the Technical Safeguards, covered entities must find appropriate solutions to meet their organizations needs while allowing for appropriate safeguards.
For example, if you were to choose a backup software solution, you would want to verify that the solution you choose offers reasonable and appropriate security measure. For instance, they should offer user verification and role-based authentication to allow different access controls for different users. They should offer remote visibility into the progress and success of backup jobs, as well as offering backup alerts for on-going status verification. They should offer off-site backup options and end-to-end encryption for both image and file-level backups. If you are looking for a HIPAA compliant backup software solution, you may want to consider NovaBACKUP.
For more information, check out these documents:
- How does NovaBACKUP help you comply with HIPAA data-backup and storage requirements?
- What specific HIPAA safeguards do NovaBACKUP products support?
For a complete list of technical safeguards, view this HIPAA Security Series on Technical Safeguards.
HIPAA Encryption Requirements
HIPAA requires that you take the necessary steps to safeguard patient health information. The most obvious way to accomplish that task, is to protect data against unauthorized access by implementing encryption for data at rest and in transit. Through the use of user verification, authentication and data encryption, NovaBACKUP ensures that your critical data remains protected and unaltered. By generating custom encryption keys specific to the user, data access is restricted. In both local and cloud scenarios, NovaBACKUP utilizes end-to-end 256-bit AES encryption for file and image backups.
Understanding HIPAA compliance can be difficult, as there is a lot to know and learn. Luckily the U.S. Department of Health & Human Services (HHS) offers a wealth of information to help get you up to speed. View HIPAA related articles here.
Share this
- Pre-Sales Questions (111)
- Tips and Tricks (95)
- Industry News (59)
- Reseller / MSP (37)
- Best Practices (30)
- Security Threats / Ransomware (30)
- Applications (26)
- Disaster Recovery (26)
- Cloud Backup (25)
- Compliance / HIPAA (24)
- Backup Videos (23)
- Storage Technology (23)
- Virtual Environments (17)
- Technology Updates / Releases (9)
- Infographics (8)
- Backup preparation (5)
- Products (US) (2)
- Company (US) (1)
- Events (1)
- Events (US) (1)
- November 2024 (1)
- October 2024 (1)
- September 2024 (2)
- August 2024 (1)
- July 2024 (2)
- June 2024 (2)
- May 2024 (1)
- April 2024 (1)
- March 2024 (2)
- February 2024 (2)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- May 2023 (1)
- March 2023 (3)
- February 2023 (2)
- January 2023 (3)
- December 2022 (1)
- November 2022 (2)
- October 2022 (2)
- September 2022 (2)
- August 2022 (2)
- July 2022 (1)
- June 2022 (1)
- April 2022 (1)
- March 2022 (2)
- February 2022 (1)
- January 2022 (1)
- December 2021 (1)
- November 2021 (1)
- September 2021 (1)
- August 2021 (1)
- July 2021 (1)
- June 2021 (1)
- May 2021 (2)
- April 2021 (1)
- March 2021 (2)
- February 2021 (1)
- January 2021 (1)
- December 2020 (1)
- November 2020 (1)
- October 2020 (2)
- September 2020 (4)
- August 2020 (2)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (1)
- March 2020 (3)
- February 2020 (2)
- January 2020 (2)
- December 2019 (1)
- November 2019 (1)
- October 2019 (1)
- August 2019 (1)
- July 2019 (1)
- June 2019 (1)
- April 2019 (1)
- February 2019 (1)
- January 2019 (1)
- December 2018 (1)
- November 2018 (2)
- August 2018 (3)
- July 2018 (4)
- June 2018 (2)
- April 2018 (2)
- March 2018 (2)
- February 2018 (2)
- January 2018 (3)
- December 2017 (1)
- September 2017 (1)
- May 2017 (2)
- April 2017 (5)
- March 2017 (4)
- February 2017 (1)
- January 2017 (1)
- December 2016 (1)
- November 2016 (1)
- October 2016 (2)
- September 2016 (1)
- August 2016 (3)
- July 2016 (2)
- June 2016 (3)
- May 2016 (7)
- April 2016 (8)
- March 2016 (1)
- February 2016 (3)
- January 2016 (12)
- December 2015 (7)
- November 2015 (5)
- October 2015 (6)
- September 2015 (2)
- August 2015 (3)
- July 2015 (2)
- June 2015 (2)
- May 2015 (1)
- April 2015 (5)
- March 2015 (3)
- February 2015 (4)
- January 2015 (2)
- October 2014 (5)
- September 2014 (8)
- August 2014 (5)
- July 2014 (7)
- June 2014 (4)
- May 2014 (3)
- April 2014 (9)
- March 2014 (7)
- February 2014 (7)
- January 2014 (5)
- December 2013 (4)
- October 2013 (7)
- September 2013 (2)