Feb 19 2019
Patient-Centered Care

4 Important Items On Your HIPAA Compliance Checklist

Understanding how to approach messaging, cloud storage, risk assessments and patient access all factor into a modern HIPAA compliance strategy.

For healthcare organization IT teams tasked with keeping personal health information secure, there’s perhaps nothing more pressing than remaining compliant with security and privacy regulations. Chief among these are, of course, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the accompanying Health Information Technology for Economic and Clinical Health Act.

As healthcare organizations become targets for hackers and breaches become more common, putting patients’ PHI at risk of exposure, it’s paramount that organizations adhere to guidance that aims to protect health data — not to mention that lack of compliance can result in significant fines for providers.

Still, as digital health technology grows and medical devices become more connected, PHI and access to it may be scattered among devices and more vulnerable than ever.

So, what should IT teams be on the lookout for as they approach HIPAA compliance in the modern age? We break down the rules and nuances around keeping PHI secure and compliant.

1. Find HIPAA-Compliant Email and Messaging Solutions

Communication among care providers is key to improving clinical outcomes, but finding HIPAA-compliant messaging solutions can prove tricky, and many fear the process of communicating PHI between care teams securely will be onerous. A difficult process could leave clinicians feeling tempted to use their personal devices or accounts to transmit PHI, which is why solutions must be both easy and secure.

One organization that’s tapped a simple email solution is George Washington University Hospital, which uses Microsoft 365 in conjunction with Proofpoint encryption software to secure emails.

$28.7 million

The total amount of financial penalties paid by organizations for HIPAA violations in 2018

Source: hipaajournal.com, "Summary of 2018 HIPAA Fines and Settlements," Jan. 3, 2018

“There’s no training required. It’s very simple,” Marvin Onyemaechi, the hospital’s director of IT operations, tells HealthTech. Typing the word “private” in the subject line automatically triggers encryption. “That’s all you need to do,” he says.

These days, while email is important, it’s also likely a single part of a strategy that spans several devices — even pagers are still active in the healthcare scene. For this reason, it’s important for IT teams to consider a multipronged approach to HIPAA-compliant communications.

As Susan Snedaker, Tucson Medical Center's director of IT Infrastructure and operations, writes in an article for HealthTech: “Any one technology can help an organization keep PHI secure. But an array of HIPAA-compliant communications solutions — such as encrypted email to communicate with patients and secure messaging systems to facilitate time-sensitive internal communications — might be the better bet.”


2. Understand HIPAA-Compliant Cloud Storage

Healthcare organizations have begun to adopt the cloud in earnest. But that move has also triggered concerns about privacy and security for data stored in the cloud. The good news is that an understanding of the basics of HIPAA compliance can assuage these fears and free providers to adopt cloud technology appropriately.

What are these basics? According to healthcare attorney and consultant David Harlow, any cloud storage provider should be approached by the payor or health provider as a business associate. “This means that CSPs storing PHI are subject to HIPAA and need to have appropriate administrative, physical and technical controls in place to address the requirements of the HIPAA Security Rule,” he writes in HealthTech.

Once the cloud provider has been established as a business associate of the covered entity, the rest follows suit. Harlow writes: “The CE and the BA must have a business associate agreement (BAA) in place; the CE needs to understand the BA’s cloud environment for purposes of its own risk analysis; both the CE and BA need to hold up their ends of the bargain in terms of implementing security controls; and so on.”


3. Conduct Regular HIPAA Risk Assessments

As part of HIPAA’s Security Rule, entities covered under HIPAA must conduct risk assessments in order to stay compliant.


Regular risk assessments also help providers identify weak spots and potential vulnerabilities, and decide how to fix them. HIPAA does not prescribe a specific method for conducting a risk assessment, although the Department of Health and Human Services does lay out what a typical assessment should aim for.

The basic goals of a HIPAA risk assessment are to help the healthcare organization:

  • Design appropriate personnel screening processes
  • Identify what data to back up, and how
  • Decide whether and how to use encryption
  • Address what data must be authenticated in particular situations to protect data integrity
  • Determine the appropriate manner of protecting health information transmissions


4. Weigh Patient Security Against HIPAA Compliance

There’s no doubt that in 2019, patients have begun to expect greater access to their healthcare information. Where portals were once seen as a great improvement in patient access to health data, now tools like Apple Health Records, which offers patients access to their own electronic health records directly on their smartphones, have made “bring your own data” a reality.

But not all transfer of PHI to patients is as cut and dried as Apple’s EHR. As smartphones make their way into examination rooms and radiology suites, patients seeking to photograph images of their own tests have encountered much reluctance on the part of providers who are uncertain whether that is HIPAA compliant.

Snedaker breaks down Health and Human Services Department guidance on the topic of medical release laws for HealthTech, noting that patients have the right to:

  1. See and get a copy of their medical records
  2. Have errors and omissions in their medical records corrected (or their disagreements documented)
  3. Get a paper or electronic copy of their medical records
  4. Request the provider send their medical records to another party with permission

“If patients are legally permitted to see and obtain a copy of their records in their preferred form and format, then it follows that the patient should be able to take a picture of that information during an office visit or consultation with their provider,” Snedaker notes.

