What it Means to be HIPAA Secure
Healthcare organizations, and the vendors that service them, are required to be HIPAA compliant. A large component of HIPAA compliance is dependent on the handling of protected health information (PHI). PHI must be secured in the form of administrative, technical, and physical safeguards. However, many organizations working in healthcare have difficulty determining how to be HIPAA secure.
Securing HIPAA Protected Health Information
To secure PHI, organizations working in healthcare are required to have safeguards protecting the sensitive information.
- Administrative: are policies and procedures dictating appropriate use and disclosure of PHI by staff members.
- Assigned security responsibility: covered entities are required to appoint a security official that is responsible for creating and implementing organization’s policies and procedures.
- Security management process: involves reviewing policies and procedures to ensure that they are protecting the confidentiality, integrity, and availability of PHI. Covered entities must adjust policies and procedures to address any gaps that may have been discovered during the review process.
- Access management: HIPAA requires healthcare entities to limit PHI exposure to the “minimum necessary” to complete a job function. As such, organizations must implement different levels of access to data to employees based on their job role. For instance a billing clerk does not need access to patient health records as nurses don’t need access to patient billing information.
- Employee training: all employees must be trained on an organization’s policies and procedures as well as HIPAA requirements. Additionally, employees should receive cybersecurity training to teach them best practices for password protection and how to recognize phishing emails.
- Incident management: policies and procedures must be in place for how to handle an incident such as a security breach. All employees must be aware of how to recognize a breach, who to report a breach to, and how to report a breach anonymously. In addition, in the case of emergency there must be protocols in place to ensure that the integrity of PHI is maintained.
- Business associate management: organizations must have signed business associate agreements (BAAs) with all of their vendors before they are permitted to share PHI. A BAA mandates that both parties are HIPAA compliant and each party is responsible for their own compliance.
- Technical: relates to an organization’s cybersecurity practices. This may include firewalls, encryption, and data backup.
- Audit and access control: access controls in this regard refers to implementing controls within an organization’s information systems to ensure that access to PHI is only given to those that need access. Each employee must have unique login credentials, allowing individual user activity to be tracked. Audit controls refers to the monitoring of user activity within a system. To be HIPAA secure, it is imperative that healthcare organizations are able to monitor activity down to the individual user. This way if a breach occurs from within an organization, it can be easily traced to the employee responsible.
- Integrity and authentication: data at rest, which is data stored in a server, must be secured to preserve its integrity. There are several tools that can be used for authentication of data including magnetic disk storage, error-correcting memory, check sum technology, and digital signatures. An organization must also be able to authenticate users to ensure that they are authorized to view PHI.
- Securing data: while not explicitly mandated by the HIPAA Security Rule, it is recommended that healthcare organizations encrypt PHI in motion. PHI in motion refers to data that is sent between systems or to an external entity. Encryption is the most effective method for HIPAA secure data as it makes information unreadable without a decryption key.
- Physical: relates to the security of an organization’s physical site. This may include locks or alarm systems.
- PHI disposal: paper patient records are increasingly being phased out with the introduction of Electronic Medical Record (EMR) systems. As such, paper records must be properly disposed of to ensure the privacy of patient PHI. Paper records should be disposed of using one of the following methods to ensure that PHI is unreadable, burning, pulping, shredding, or pulverizing.
- Access controls: access controls in this regard refers to limiting access to an organization’s physical site. Organizations that have paper records should keep the area that they are stored in locked to ensure that they are not accessed by an unauthorized individual. It may be valuable to implement key pad locks that have unique access codes for each employee. This way if an insider breach should occur, it can be traced to the employee responsible.
- Facility security: healthcare organizations, especially those with expensive medical equipment, should implement locks and alarm systems to secure their physical site.
To be considered HIPAA secure, organizations must implement an effective HIPAA compliance program that implements administrative, technical, and physical safeguards. HIPAA compliance is an ongoing effort that healthcare organizations are obligated to adhere to. To be HIPAA secure it is best that healthcare organizations consult an expert to help them navigate the complexities of the HIPAA regulation.