Quick refresh for those following along. We’re talking about HIPAA—the Health Insurance Portability and Accountability Act—which was created to facilitate sharing of PHI—protected health information—while limiting its unauthorized uses and disclosures. You may recall that HIPAA applies only to “covered entities” such as healthcare providers, health insurance plans, and the companies that help them carry out their operations, called business associates.
Covered Entities. Business Associates. PHI. HIPAA. Got it.
Now, if you find yourself in a situation where you need to be HIPAA compliant, there are a few things you should be aware of. And by a few, we mean a lot. Like, a lot a lot.
We’ll start with the basics.
HIPAA requires certain safeguards to be in place to prevent the unauthorized use and disclosure of PHI. These safeguards are described in a set of regulations referred to as the Security Rule. The Security Rule applies to electronic PHI (ePHI) and describes the safeguards in great detail. Covered Entities and Business Associates must be compliant with the Security Rule and should be aware of its requirements.
Now, for the big man on the block. The Security Rule predominantly covers the administrative, physical, and technical safeguards needed for HIPAA compliance.
More than half of the Security Rule discusses administrative safeguards—so they must be serious. Administrative safeguards are the policies and procedures required to protect ePHI.
Specifically, Covered Entities (and their Business Associates) must appoint a Security Officer—Chuck Norris should do the trick—responsible for creating security management systems that address access, employee training, and incident response. The Security Officer should conduct annual risk assessments and be constantly improving policies and procedures to protect ePHI against threats and vulnerabilities.
Physical safeguards are required for physically protecting buildings, equipment, and information systems. These requirements can be as simple as locking the doors of buildings that contain ePHI.
Sounds easy enough, right? Not a chance.
The physical-safeguard provisions of the Security Rule require that Covered Entities be aware of and document all devices containing their ePHI, keep maintenance records for the devices, and identify all individuals with access to any device holding ePHI. The Security Rule also requires elimination of hardware no longer in use that may contain ePHI.
For growing businesses, a proliferation of devices with storage capacity can make compliance with these provisions a heavy lift, so it’s best to get started documenting devices and access as early as possible. All Covered Entities—and by extension their Business Associates—should have systems in place to ensure that this information is captured and logged.
In addition to administrative and physical safeguards, the Security Rule requires technical safeguards that apply to the technology used to process ePHI and dictate the methods individuals may use to access this technology.
The technical safeguards require various security measures including audit controls, user verification, and automatic log-offs, so that ePHI may not be accessed when devices are left unattended—(loud speaker voice) “unattended devices will be confiscated.”
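To make the three technical safeguards just named concrete, here is a small session manager written as an added example for this post (it is not code from the original article or from any HHS guidance): it verifies a user against a salted password hash, expires a session that has been idle past a limit, and writes an audit record for every login, ePHI read, denial and automatic log-off. The 15-minute idle limit, the user names and the patient IDs are constructed assumptions; the Security Rule does not prescribe a specific timeout, and the in-memory audit list stands in for whatever append-only audit store a real system would use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption: a 15-minute idle limit. The Security Rule requires automatic
# log-off but leaves the exact interval to the covered entity's risk analysis.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str
    last_activity: float


class EphiWorkstation:
    """Toy model of the three technical safeguards: user verification,
    automatic log-off of idle sessions, and audit controls on ePHI access."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock            # injectable so the timeout can be tested
        self.sessions = {}            # token -> Session
        self.audit_log = []           # constructed stand-in for an append-only audit store
        self._credentials = {}        # user_id -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._credentials[user_id] = (salt, self._hash(salt, password))

    def _audit(self, event, user_id, detail=""):
        self.audit_log.append(
            {"ts": self.clock(), "event": event, "user": user_id, "detail": detail}
        )

    def login(self, user_id, password):
        """User verification: returns a session token or None, and audits both outcomes."""
        cred = self._credentials.get(user_id)
        if cred is None or not hmac.compare_digest(self._hash(cred[0], password), cred[1]):
            self._audit("LOGIN_FAILED", user_id)
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, self.clock())
        self._audit("LOGIN_OK", user_id)
        return token

    def read_record(self, token, patient_id):
        """Audited ePHI read; enforces automatic log-off if the session sat idle too long."""
        session = self.sessions.get(token)
        if session is None:
            self._audit("ACCESS_DENIED", "unknown", "no valid session")
            return None
        now = self.clock()
        idle = now - session.last_activity
        if idle > self.idle_timeout:
            del self.sessions[token]          # the unattended session is gone for good
            self._audit("AUTO_LOGOFF", session.user_id, f"idle {int(idle)}s")
            return None
        session.last_activity = now
        self._audit("EPHI_READ", session.user_id, f"patient={patient_id}")
        return f"record for {patient_id}"     # constructed stand-in for the real ePHI


def run_demo():
    """Drive the workstation with a fake clock and return the audit event names."""
    fake_now = [1_000.0]
    ws = EphiWorkstation(idle_timeout=900, clock=lambda: fake_now[0])
    ws.register_user("drsmith", "correct horse battery")   # constructed credentials
    ws.login("drsmith", "wrong password")                  # LOGIN_FAILED
    token = ws.login("drsmith", "correct horse battery")   # LOGIN_OK
    ws.read_record(token, "P-001")                         # EPHI_READ
    fake_now[0] += 901                                     # device left unattended
    ws.read_record(token, "P-001")                         # AUTO_LOGOFF, no data returned
    return [entry["event"] for entry in ws.audit_log]


if __name__ == "__main__":
    print(run_demo())
```

The point a reviewer should take from the demo is the pairing: the log-off is only useful if the audit trail records that it happened and who was logged in, and the audit trail is only trustworthy if the user was actually verified at login. A real deployment would also hash a dummy password when the user ID is unknown so that failed logins take the same time either way.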
The Department of Health and Human Services has made it very clear that encryption is a major aspect of the technical safeguards. Adequate encryption can dramatically reduce unauthorized use and disclosure of ePHI. It’s important to consult with an IT expert to help implement technical security measures.
Risk Assessment Tool
The Security Rule does not apply a “one size fits all” approach. There are various factors that determine what security measures should be in place. Luckily, the government has published a risk assessment tool that can help you identify your risks and vulnerabilities and how to address them. The tool can be found here.
Next week, we will be discussing the Security Rule’s sibling: the Privacy Rule. Among other things, the Privacy Rule outlines the relationship between a Covered Entity and its Business Associate and the legal document—commonly called a BAA or Business Associate Agreement—needed for this relationship to operate.