Feb 19 2019
Patient-Centered Care

4 Important Items On Your HIPAA Compliance Checklist

Understanding how to approach messaging, cloud storage, risk assessments and patient access all factor into a modern HIPAA compliance strategy.
Juliet Van Wagenen
by

Juliet is the senior web editor for BizTech and HealthTech magazines. In her six years as a journalist she has covered everything from aerospace to indie music reviews — but she is unfailingly partial to covering technology.

For healthcare organization IT teams tasked with keeping personal health information secure, there’s perhaps nothing more pressing than remaining compliant with security and privacy regulations. Chief among these are, of course, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the accompanying Health Information Technology for Economic and Clinical Health Act.

As healthcare organizations become targets for hackers and breaches become more common, putting patients’ PHI at risk of exposure, it’s paramount that organizations adhere to guidance that aims to protect health data — not to mention that lack of compliance can result in significant fines for providers.

Still, as digital health technology grows and medical devices become more connected, PHI and access to it may be scattered among devices and more vulnerable than ever.

So, what should IT teams be on the lookout for as they approach HIPAA compliance in the modern age? We break down the rules and nuances around keeping PHI secure and compliant.

1. Find HIPAA-Compliant Email and Messaging Solutions

Communication among care providers is key to improving clinical outcomes, but finding HIPAA-compliant messaging solutions can prove tricky, and many fear the process of communicating PHI between care teams securely will be onerous. A difficult process could leave clinicians feeling tempted to use their personal devices or accounts to transmit PHI, which is why solutions must be both easy and secure.

One organization that’s tapped a simple email solution is George Washington University Hospital, which uses Microsoft 365 in conjunction with Proofpoint encryption software to secure emails.

$28.7 million

The total amount of financial penalties paid by organizations for HIPAA violations in 2018

Source: hipaajournal.com, "Summary of 2018 HIPAA Fines and Settlements," Jan. 3, 2018

“There’s no training required. It’s very simple,” Marvin Onyemaechi, the hospital’s director of IT operations, tells HealthTech. Typing the word “private” in the subject line automatically triggers encryption. “That’s all you need to do,” he says.

These days, while email is important, it’s also likely a single part of a strategy that spans several devices — even pagers are still active in the healthcare scene. For this reason, it’s important for IT teams to consider a multipronged approach to HIPAA-compliant communications.

As Susan Snedaker, Tucson Medical Center's director of IT Infrastructure and operations, writes in an article for HealthTech: “Any one technology can help an organization keep PHI secure. But an array of HIPAA-compliant communications solutions — such as encrypted email to communicate with patients and secure messaging systems to facilitate time-sensitive internal communications — might be the better bet.”

MORE FROM HEALTHTECH: Check out how Parkland Health improved care with a  secure mobility strategy.

2. Understand HIPAA-Compliant Cloud Storage

Healthcare organizations have begun to adopt the cloud in earnest. But that move has also triggered concerns about privacy and security for data stored in the cloud. The good news is that an understanding of the basics of HIPAA compliance can assuage these fears and free providers to adopt cloud technology appropriately.

What are these basics? According to healthcare attorney and consultant David Harlow, any cloud storage provider should be approached by the payor or health provider as a business associate. “This means that CSPs storing PHI are subject to HIPAA and need to have appropriate administrative, physical and technical controls in place to address the requirements of the HIPAA Security Rule,” he writes in HealthTech.

Once the cloud provider has been established as a business associate of the covered entity, the rest follows suit. Harlow writes: “The CE and the BA must have a business associate agreement (BAA) in place; the CE needs to understand the BA’s cloud environment for purposes of its own risk analysis; both the CE and BA need to hold up their ends of the bargain in terms of implementing security controls; and so on.”

MORE FROM HEALTHTECH: Learn more about how to ensure your healthcare cloud storage stays HIPAA compliant.

3. Conduct Regular HIPAA Risk Assessments

As part of HIPAA’s Security Rule, entities covered under HIPAA must conduct risk assessments in order to stay compliant.

Susan Snedaker, Director, IT Infrastructure and operations at Tucson Medical Center
Any one technology can help an organization keep PHI secure. But an array of HIPAA-compliant communications solutions might be the better bet."

Susan Snedaker Director, IT Infrastructure and operations at Tucson Medical Center

Moreover, regular risk assessments are key to helping providers understand weak spots or potential vulnerabilities and how to fix them. There is no specific way to undertake a risk assessment, although the Health and Human Services Department does lay out what a typical risk assessment should aim for.

The basic goals of a HIPAA risk assessment are to help the healthcare organization:

  • Design appropriate personnel screening processes
  • Identify what data to back up, and how
  • Decide whether and how to use encryption
  • Address what data must be authenticated in particular situations to protect data integrity
  • Determine the appropriate manner of protecting health information transmissions

MORE FROM HEALTHTECH: Check out what it takes to conduct a HIPAA risk assessment.

4. Weigh Patient Security Against HIPAA Compliance

There’s no doubt that in 2019, patients have begun to expect greater access to their healthcare information. Where portals were once seen as a great improvement in patient access to health data, now tools like Apple Health Records, which offers patients access to their own electronic health records directly on their smartphones, have made “bring your own data” a reality.

But not all transfer of PHI to patients is as cut and dried as Apple’s EHR. As smartphones make their way into examination rooms and radiology suites, patients seeking to photograph images of their own tests have encountered much reluctance on the part of  providers who are uncertain if that is HIPAA compliant.

Snedaker breaks down Health and Human Services Department guidance on the topic of medical release laws for HealthTech, noting that patients have the right to:

  1. See and get a copy of their medical records
  2. Have errors and omissions in their medical records corrected (or their disagreements documented)
  3. Get a paper or electronic copy of their medical records
  4. Request the provider send their medical records to another party with permission

“If patients are legally permitted to see and obtain a copy of their records in their preferred form and format, then it follows that the patient should be able to take a picture of that information during an office visit or consultation with their provider,” Snedaker notes.

MORE FROM HEALTHTECH: See more about the next steps for security as data finds its way into patients’ hands.

HIPAA Privacy and Security Rules

The first step to compliance is understanding the rules within HIPAA that govern how PHI should be handled and secured. HIPAA compliance is notably complex, and the best guide is actually the rule itself. We encourage all IT teams to thoroughly read and revisit HIPAA as they work continuously to safeguard PHI. Two particularly important aspects of the rule for IT teams that want to better understand the use and storage of patient data are security and privacy:

HIPAA Security Rule: This rule guides how data should be kept secure, both in transit and at rest, and applies to any person or system that has access to this data, according to the HIPAA Journal. There are three parts of the rule: physical safeguards, administrative safeguards and technical safeguards. IT teams should be conscious of other aspects of the rule, but should focus their efforts on ensuring technical safeguards, which apply to the actual technology used to secure PHI within a system and during transit, as well as the tech that provides access to PHI.

A notable aspect of the rule is that PHI outside of a system’s firewalled servers must be encrypted to National Institute of Standards and Technology standards, rendering it unreadable if it is breached. As part of the rule, IT teams are required to implement a means of access control as well as introduce audit logs and audit controls. IT teams must also address a means of encryption and decryption, introduce mechanisms for PHI authentication and facilitate automatic logoff.

HIPAA Privacy Rule: Originally put in place in 2003, the Privacy Rule governs the way that PHI can be used and disclosed and seeks to ensure the privacy of patient data, according to the HIPAA Journal. The rule pertains to all healthcare organizations as well as health plan providers, healthcare clearinghouses and business associates of these entities.

In particular, the rule lays out the ways that patient data can be used and disclosed without patient authorization, ensures patients or their representatives have rights over their health information, and requires entities subject to the rule to respond to patients’ requests to access their records within 30 days.

SolStock/Getty Images

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now