NovaBACKUP Blog

Understanding HIPAA Compliance


Before the Health Insurance Portability and Accountability Act (HIPAA) was created, there was no widely accepted standard for protecting health information. HIPAA, along with its Privacy and Security Rules, was introduced to improve how the healthcare industry accesses, shares, and protects patient health records, while ensuring their portability and security.

As technology made it possible to digitize health records, Congress recognized the need for national standards to protect this information. Moving away from paper and toward electronic data created a clear need for consistent security and privacy requirements. As a result, a key part of the HIPAA Rules focuses on implementing safeguards that protect data and ensure that only authorized individuals can access and use that information appropriately.

Covered Entities

To address this, HIPAA established clear guidelines to ensure that any organization handling medical information implements appropriate safeguards to protect patient data. Because violations can result in substantial penalties, it’s essential to understand exactly which organizations must comply with these HIPAA Rules. In general, three types of covered entities fall under HIPAA: healthcare providers, health plans, and healthcare clearinghouses.

  1. Healthcare Providers – Any provider that engages in electronic transactions of health information (e.g., Doctors, Dentists, Chiropractors, Psychologists, Clinics, Nursing Homes, Pharmacies)

  2. Health Plans – Any plan (individual or group) that provides or pays the cost of health care (e.g., Health Insurance Companies, Company Health Plans, HMOs, Government Health Programs like Medicare or Medicaid)

  3. Healthcare Clearinghouses – An entity (public or private) that processes non-standard health information for other entities into a standard format (i.e., standard electronic format or data content), or vice versa.

HIPAA Compliance

Covered entities should be aware of two key HIPAA rules: the Privacy Rule and the Security Rule. The Security Rule applies only to Electronic Protected Health Information (ePHI), while the Privacy Rule applies to all forms of Protected Health Information (PHI), whether electronic, oral, or paper.

  1. The Privacy Rule – A set of standards for who has access to Protected Health Information.

  2. The Security Rule – A set of standards for ensuring that only those who should have access to Electronic Protected Health Information actually have access.

Requirements

These covered entities are required to protect the privacy and security of protected health information by following HIPAA compliance standards. The Privacy Rule protects all “Individually Identifiable Health Information,” which includes all health information for past, present, or future healthcare (physical or mental health) of an individual (including payment-related provisions for health care) that contains information that can be used to identify the individual.

The Security Rule protects a subset of the Privacy Rule, which includes all individually identifiable health information that an entity creates, saves, maintains, accesses, or shares in electronic form. This information is referred to in the Security Rule as “Electronic Protected Health Information.”

The HIPAA Security Rule lays out three types of safeguards required for compliance: Administrative, Physical, and Technical. These safeguards are put in place to maintain the “confidentiality” of electronic protected health information (e-PHI).

Risk Assessment


One of the first steps that medical practices (and all covered entities) should take is to perform a formal risk assessment. As part of the Administrative Safeguards under the Security Rule, this process helps covered entities determine which security measures are reasonable and appropriate, and which areas require remediation or improvement.

A risk analysis involves reviewing current policies, systems, security safeguards, and backup and recovery processes to identify potential vulnerabilities in light of HIPAA standards and guidance. A critical component of this effort is designating a security official who is responsible for documenting, developing, implementing, and continually maintaining appropriate security policies and procedures to address identified risks, and for ensuring that reasonable and appropriate protections are in place going forward.


Contingency Plan

HIPAA requires that covered entities develop a contingency plan (also a part of the Administrative Safeguards) for both data backup and disaster recovery. This contingency plan must document how the organization will continue operations in the event of a data loss. Your plan should outline how data can be retrieved and accessed in an emergency, outage, or data loss scenario, as well as how you intend to restore your data in the event of a disaster. Since a backup is only as good as your ability to restore from it, regular restore tests of your backups should be part of your documented testing procedures.

Data backup software is a critical part of every organization's data protection and disaster recovery plan, but for covered entities, it is vital to maintain HIPAA compliance. NovaBACKUP Corporation is one such company offering highly scalable and flexible backup software that is 100% HIPAA compliant for organizations that are required to protect data under the HIPAA Act. For more information on creating a contingency plan, check out these educational materials to help you learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information (e-PHI).

Establishing Safeguards

HIPAA security standards require covered entities to ensure the confidentiality, integrity, and availability of all electronic health information. HIPAA specifically requires healthcare entities to develop safeguards that prevent unauthorized access to information, monitor access to critical data, control the use and storage of media, and encrypt transmitted data. These safeguards fall under both the Physical and Technical Safeguards.

Physical Safeguards

Physical Safeguards were designed to establish “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Physical Safeguards Include:

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls


Today, we’ll focus on the final Physical Safeguard: Device and Media Controls. This safeguard requires policies and procedures that govern the use, storage, movement, and disposal of any hardware or electronic media that contain electronic protected health information (ePHI).

To remain compliant, you must document policies that define the safeguards for all devices and media that may store ePHI—such as hard drives, tape drives, disks, optical media, digital memory cards, and thumb drives—as well as backups and backup storage media.

These policies should clearly outline who is authorized to handle this hardware, how it is tracked, stored, rotated, re-used, and securely destroyed, and your process for creating a retrievable, exact copy (image backup) of ePHI before any equipment is relocated or decommissioned.

For a complete list of physical safeguards, view this HIPAA Security Series on Physical Safeguards.

Technical Safeguards

Technical Safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Technical Safeguards include:

  1. Access Control
  2. Audit Control
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security


While there is no single technology solution mandated to meet the Technical Safeguards, covered entities must select and implement appropriate technologies that align with their specific environments while supporting these safeguards.

For example, when evaluating backup software, you should confirm that the solution provides reasonable and appropriate security controls. This includes user verification and role-based authentication to enforce granular access controls, remote visibility into backup job status and outcomes, and alerting for ongoing backup and recovery verification. It should also provide off-site backup options and end-to-end encryption for both image- and file-level backups. If you are seeking a HIPAA-compliant backup software solution that meets these criteria, NovaBACKUP is designed to support your compliance and data protection requirements.


For a complete list of technical safeguards, view this HIPAA Security Series on Technical Safeguards.

HIPAA Encryption Requirements

HIPAA requires you to take appropriate steps to safeguard patient health information. One of the most effective ways to do this is to protect data against unauthorized access by encrypting it both at rest and in transit.

NovaBACKUP supports this by combining user verification, authentication, and strong data encryption to help ensure your critical data remains protected and unaltered. Generating custom, user-specific encryption keys keeps access to data tightly controlled.

In both local and cloud environments, NovaBACKUP uses end-to-end 256-bit AES encryption for file-level and image-level backups.

Understanding HIPAA compliance can be difficult, as there is a lot to know and learn. Luckily, the U.S. Department of Health & Human Services (HHS) offers a wealth of information to help get you up to speed. View HIPAA-related articles here.