Understanding HIPAA Compliance
by Bridget.Giacinto, on May 12, 2015 11:32:10 AM
Prior to the establishment of HIPAA (Health Insurance Portability and Accountability Act) there was no generally accepted standard for protecting health information. HIPAA, and the Privacy and Security Rules that accompany it, were developed to improve the access, portability and protection of patient health records across the healthcare industry.
As technological advancements have made it possible to go digital with health records, Congress recognized the need to create national standards to protect this information. The move away from paper processes in favor of electronic data transactions created the need for security and privacy standards. Thus a critical component of the HIPAA Rules was designed to implement safeguards for data protection and for the appropriate access and use of that information.
Guidelines were put in place to ensure that all entities that handle medical data take the measures necessary to secure patient data. As there are hefty fines for non-compliance, it’s important to fully understand which entities are required to adhere to the HIPAA Rules. There are three types of covered entity: healthcare providers, health plans, and healthcare clearinghouses.
- Healthcare Providers – Any provider that engages in electronic transactions of health information (e.g., Doctors, Dentists, Chiropractors, Psychologists, Clinics, Nursing Homes, Pharmacies)
- Health Plans – Any plan (individual or group) that provides or pays the cost of health care (e.g., Health Insurance Companies, Company Health Plans, HMOs, Government Health Programs like Medicare or Medicaid)
- Healthcare Clearinghouses – An entity (public or private) that processes non-standard health information received from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.
There are two compliance rules that covered entities should be aware of: the Privacy Rule and the Security Rule. The Security Rule applies only to Electronic Protected Health Information (EPHI), whereas the Privacy Rule applies to all Protected Health Information (PHI), whether in electronic, oral or paper form.
- The Privacy Rule – Set of standards for who has access to Protected Health Information.
- The Security Rule – Set of standards for ensuring that only those who should have access to Electronic Protected Health Information actually have access.
These covered entities are required to protect the privacy and security of protected health information by following HIPAA compliance standards. The Privacy Rule protects all “Individually Identifiable Health Information,” which includes all health information for the past, present, or future health care (physical or mental health) of an individual (including payment-related provisions for health care) that contains information that can be used to identify the individual.
The Security Rule protects a subset of the Privacy Rule, which includes all individually identifiable health information that an entity creates, saves, maintains, accesses or shares in electronic form. This information is referred to in the Security Rule as “Electronic Protected Health Information.”
The HIPAA Security Rule lays out three types of safeguards required for compliance: Administrative, Physical and Technical. These safeguards are put in place to maintain the “confidentiality” of electronic protected health information (e-PHI).
One of the first steps that medical practices (and all covered entities) should take is a risk assessment. This is considered part of the Administrative Safeguards provision of the Security Rule and allows covered entities to determine which security measures are reasonable and appropriate, and which areas need to change.
A risk analysis involves looking at the current policies, systems, security safeguards, and backup and recovery processes to highlight areas of potential risk in light of the HIPAA standards and guidelines. An important part of this process involves assigning a designated security official who is officially responsible for documenting, developing, implementing and continually maintaining appropriate security policies and procedures to address these risks, and providing appropriate and reasonable security protections going forward.
HIPAA requires that covered entities develop a contingency plan (also a part of the Administrative Safeguards) for both data backup and disaster recovery. This contingency plan must document how the organization will continue operations in the event of a data loss. Your plan should outline how data can be retrieved and accessed in an emergency, outage, or data loss scenario, as well as how you intend to restore your data in the event of a disaster. Since a backup is only as good as your ability to restore from it, test restores of your backups should be part of your testing procedures.
Data backup software is a critical part of every organization's data protection and disaster recovery plan, but for covered entities it is vital to maintaining HIPAA compliance. NovaBACKUP Corporation is one such company offering highly scalable and flexible backup software that is 100% HIPAA compliant for organizations who are required to protect data under the HIPAA act. For more information on creating a contingency plan, check out this how-to contingency plan that meets HIPAA security standards.
HIPAA security standards require covered entities to ensure the confidentiality, integrity, and availability of all electronic health information. HIPAA specifically requires healthcare entities to implement safeguards that prevent unauthorized access to information, monitor access to critical data, control the use and storage of media, and encrypt transmitted data. These safeguards fall under both the Physical and Technical Safeguards.
Physical Safeguards were designed to establish “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Physical Safeguards Include:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
We are going to take a look at just the last Physical Safeguard today. Device and Media Controls establish policies and procedures that address the use, storage, and removal of hardware and electronic media containing electronic protected health information.
To be compliant, policies need to be in place that document the established safeguards for everything from who handles hardware (hard drives, tape drives, disks, optical disks, digital memory cards, thumb drives) and backup storage media, to how it is tracked, stored, rotated, re-used and disposed of, to your process for creating a retrievable exact copy (image backup) of electronic protected health information before equipment is moved. For a complete list of physical safeguards, view this HIPAA Security Series on Physical Safeguards.
Technical Safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Technical Safeguards include:
- Access Control
- Audit Control
- Person or Entity Authentication
- Transmission Security
While there is no single technology solution required to meet the security measures called for under the Technical Safeguards, covered entities must find appropriate solutions that meet their organization's needs while providing appropriate safeguards.
For example, if you were to choose a backup software solution, you would want to verify that the solution you choose offers reasonable and appropriate security measures. For instance, it should offer user verification and role-based authentication to allow different access controls for different users. It should offer remote visibility into the progress and success of backup jobs, as well as backup alerts for on-going status verification. It should offer off-site backup options and end-to-end encryption for both image and file-level backups. If you are looking for a HIPAA compliant backup software solution, you may want to consider NovaBACKUP.
For more information, check out these documents:
- How does NovaBACKUP help you comply with HIPAA data-backup and storage requirements?
- What specific HIPAA safeguards do NovaBACKUP products support?
For a complete list of technical safeguards, view this HIPAA Security Series on Technical Safeguards.
HIPAA Encryption Requirements
HIPAA requires that you take the necessary steps to safeguard patient health information. The most obvious way to accomplish that task is to protect data against unauthorized access by implementing encryption for data at rest and in transit. Through the use of user verification, authentication and data encryption, NovaBACKUP ensures that your critical data remains protected and unaltered. By generating custom encryption keys specific to the user, data access is restricted. In both local and cloud scenarios, NovaBACKUP utilizes end-to-end 256-bit AES encryption for file and image backups.
Understanding HIPAA compliance can be difficult, as there is a lot to know and learn. Luckily the U.S. Department of Health & Human Services (HHS) offers a wealth of information to help get you up to speed. View HIPAA related articles here.