The Health Insurance Portability and Accountability Act (HIPAA) ensures that an employee's personal health information and medical records are kept confidential. This federal law prevents companies and medical professionals from revealing patient details, from test results to diagnoses. HIPAA safeguards protected health information (PHI) – whether paper, electronic, or oral communications – and these facts cannot be released without the patient's permission.
HIPAA Standards for Protecting Patient Data
To comply with HIPAA, companies that provide employees with healthcare coverage are required to have certain safeguards in place – and make sure that they are followed by all employees, contractors, and other entitites – to protect PHI from unregulated access.
These security measures include:
• Physical safeguards: Limiting access to and control of PHI means authorized access (e.g., keycard or password) is necessary for anyone to be able to gain entry to electronic media, workstations, or files. These physical safeguards also protect the transferal, removal, disposal, and reuse of electronic protected health information (ePHI). To be HIPAA compliant, companies must have policies about who is privy to ePHI and which authorized users are permitted to access, transmit, or otherwise handle the information.
• Technical and network security: The risk of unauthorized public access to ePHI (or loss of data) is minimized when the proper transmission security is in place. If ePHI is sent electronically via email, private cloud, internet, or otherwise, HIPAA regulations state that these technical safeguards must be present. Not all technical safeguards are appropriate for every company – stretched resources, risk tolerance, and compliance obligations will all factor into what network security measures are right for you company. However, technologies that pinpoint the cause or source of any security violations are incredibly valuable and can include:
- File integrity monitoring: This layer of data security monitors any changes that are made to files.
- Tracking logs: Keep records of any activity on ePHI hardware and software, including dates and times information was accessed.
- Unique user IDs: Unique IDs limit the ability of any unauthorized users from gaining access to sensitive ePHI. Keeps track of which users are entering the system.
- Automatic log-off: No chance of the wrong person sitting down at a workstation and inadvertently being exposed to ePHI.
- Web application firewall: Network firewalls are not enough security as they still leave the gate open to application attacks. A web application firewall protects servers and databases while still allowing users online access to your websites.
- Two-factor authentication: Users must prevent at least two pieces of evidence to confirm their identity before being permitted access to ePHI.
- Antivirus software: Install an antivirus program on every computer to prevent corruption or destruction of ePHI.
- Patch management: Software upgrades and changes are common, but it's necessary to ensure that these shifts are handled efficiently and safely to prevent unauthorized entry into ePHI.
- Backup: Regular backup of medical data in-office and at an offsite location ensures that data is not lost in case of facility fire to flood, malicious hackers to corruption.
- Emergency access procedure: Emergency situations like system failure, natural disaster, and terrorism warrant the need for quick procedures to make it possible to obtain accurate and intact ePHI in an emergency.
- Vulnerability scans: Networks, open ports, and firewalls are all checked by vulnerability scans to detect unsecure encryption, code, or misconfiguration.
- Encryption and decryption: ePHI data is encrypted from plaintext data to scrambled data and cannot be read by an unauthorized user without a cryptographic conversion key.
- SSL certificate: A website that earns an SSL certification signifies to users that it is safe to transmit sensitive data online because of a secure encryption network.
• Process safeguards: Any medical office or entity that collects, process, or stores patient health data must comply with HIPAA security standards, a requirement that can be regularly examined through audits and reports. In fact, a complete risk assessment of your ePHI security measures are necessary to confirm HIPAA compliance. Well-trained employees are an integral part of protecting ePHI and their performance can be boosted with strong staff training and business associate training as well as policies that reflect data breach protocol.
Is Your Company in Compliance with HIPAA?
Covered entities that provide healthcare treatment and operations, as well as business associates who have access to patient information and provide support for health treatment, operations, and payment, must be in compliance with HIPAA. Subcontractors and business associates must also be in compliance.
HIPAA compliance can be overwhelming to maintain. Anyone who handles electronic medical data is liable for lack of compliance to the HIPAA security standards, which could lead to fines, criminal charges, civil action lawsuits, and in extreme cases, loss of medical license. There are also regulations to follow when it comes to reporting any breaches of ePHI to patients or to the Office for Civil Rights of the Department of Health and Human Services (OCR). Any breach of confidential medical data will automatically result in a fine for non-compliance, no matter the circumstances.
Contact The Benefits Group about outsourcing HIPAA compliance responsibilities. Connecting with a preferred vendor means HIPAA compliance will be in place and your risks of fines and charges will be minimized dramatically.