The Health Insurance Portability and Accountability Act (HIPAA) is US legislation that was signed into law by President Bill Clinton in 1996. This law, enacted through regulations overseen by the Department of Health and Human Services (HHS), sets rules for the protection of healthcare information (called protected health information, or PHI) and the ability to maintain coverage when your employment changes. One of the core elements of HIPAA is the protection of electronic protected health information (ePHI) through physical, technical, disciplinary and administrative defenses.
HIPAA applies to two types of organizations, covered entities and business associates. While covered entities are organizations involved in healthcare payment, operations, and treatment, business associates are institutions that process patient data in the course of performing services for covered entities and their business associates. Companies within both of these categories need HIPAA-compliant storage and to generally follow the parameters established by the HHS.
Look to the Security Rule for guidance
Your primary consideration when you are considering HIPAA storage is the Security Rule, which includes physical, administrative and technical protections that should be used to prevent unauthorized access. Following the Security Rule requires organizations to do the following:
- Verify that the electronic health records they produce, receive, store, or send are all strongly available, with their integrity and privacy maintained.
- Determine and set up defenses against threats to the data that are reasonably anticipated.
- Set up protections to prevent use or disclosure that is not allowed and is reasonably foreseen.
- Be certain that your employees are following compliance guidelines.
The Security Rule is written in flexible language, with parameters that need to be met but no specific steps forward. That looseness of language, per the agency, is intended to allow individual organizations to come up with their own solutions based on the scope and nature of their institution.
Essential HIPAA-compliant storage safeguards
Here are the specific ePHI safeguards you need, whether internally or through an organization you contract, across the three Security Rule categories:
Transmission security – A HIPAA-compliant organization needs to deploy technical security mechanisms that keep nefarious parties from being able to unlawfully access health records that are being sent through the network.
Access controls – Companies must enact technical policy and procedure documents that outline rules for access to electronic health records.
Integrity control – To maintain HIPAA compliance, an organization must develop policies and procedures intended to prevent the manipulation or destruction of health data. Plus, there should be tools implemented to verify that information alteration or elimination is not occurring.
Audit controls – For any systems that hold or utilize electronic health data, institutions have to set up software, equipment, and process elements to log and analyze access and the related activities by users.
Workstation and device protections – Access to and use of electronic media and workstations should be governed by policies and procedures developed by the organization. A HIPAA-compliant company should have official policies and procedures related to how electronic media is moved, reused, decommissioned, and discarded.
Facility access – Institutions should verify that physical access to their data center is limited to authorized parties.
Assessment – A HIPAA-compliant company has to routinely evaluate the extent to which its policies and procedures are aligned with the Security Rule.
Security point-person – There should be a designated security officer who creates and launches policy and procedure documents.
Staff management and training – There should be proper authorization and oversight of any staff members who handle patient data. All members of your workforce should have security training, and there must be consequences when anyone disregards the official guidelines.
Data access management – Follow the Privacy Rule’s principle of “minimum necessary” related to the use and disclosure of health data. The Security Rule mandates that the policies and procedures used by a HIPAA-compliant organization should only allow an individual to access data when their role gives them that permission (called role-based access).
Security management – To achieve HIPAA compliance, a company must identify risks and take steps to mitigate them. Risk analysis is critical because it will impact all the above efforts, so it is discussed in its own section below.
Risk analysis and management
All HIPAA compliant storage should be assessed for any risks on a regular basis. Here is how you move forward:
- Assess risks to the data, potential results of related attacks, and how likely they are to occur.
- Set up security protections against the risks discovered.
- Record the security steps that are taken and why they were taken (as relevant).
- Set up and support ongoing, appropriate, and reasonable safeguards.
Cloud providers and importance of the BAA
Many organizations work with outside parties to protect their ePHI. The Healthcare Industry Cybersecurity Task Force (HCIC) released a 2017 report of healthcare cybersecurity recommendations that addressed cloud relationships. One key point was to embrace cloud service providers, especially if your organization is smaller, since “smaller healthcare organizations often do not have the resources to fully staff a credible cybersecurity group.”
While cloud may make sense, the business associate agreement is critical to relationships with third parties. While you still must carefully vet these organizations, the BAA establishes responsibility for all aspects of the handling of the information that might otherwise be unclear.
Cloud security may now be stronger than at the typical traditional data center, but the risk still must be addressed. The essential nature of the BAA is underscored in the HHS’s “Guidance on HIPAA & Cloud Computing.”