The data backup plan was established as a mandatory stage of HIPAA compliance to create, implement and maintain a set of rules and procedures for healthcare organizations to follow when managing the backup and restore requirements of electronic protected health information (ePHI). A data backup plan is part of the HIPAA Security Rule and encompasses wider contingency planning processes that any chosen business associate (BA) or managed service provider (MSP) must be able to demonstrate a compliant backup service capable of backing up and restoring exact copies of healthcare data when required.
The data backup plan should be integrated within a wider contingency plan because it is designed as a failsafe for the protection of patient data. Most MSPs will already be offering disaster recovery technology capable of moving over data and services to a secondary location almost instantaneously. But backups are often considered the last line of defense in the event of a catastrophic system failure. It allows for data restoration capability to be available in the worst possible scenarios.
The Health Insurance Portability and Accountability Act (HIPAA) is US legislation that was signed into law by President Bill Clinton in 1996. This law, enacted through regulations overseen by the Department of Health and Human Services (HHS), sets rules for the protection of healthcare information (called protected health information, or PHI) and the ability to maintain coverage when your employment changes. One of the core elements of HIPAA is the protection of electronic protected health information (ePHI) through physical, technical, disciplinary and administrative defenses.
HIPAA applies to two types of organizations, covered entities and business associates. While covered entities are organizations involved in healthcare payment, operations, and treatment, business associates are institutions that process patient data in the course of performing services for covered entities and their business associates. Companies within both of these categories need HIPAA-compliant storage and to generally follow the parameters established by the HHS.
Look to the Security Rule for guidance
Your primary consideration when you are considering HIPAA storage is the Security Rule, which includes physical, administrative and technical protections that should be used to prevent unauthorized access. Following the Security Rule requires organizations to do the following:
Verify that the electronic health records they produce, receive, store, or send are all strongly available, with their integrity and privacy maintained.
Determine and set up defenses against threats to the data that are reasonably anticipated.
Set up protections to prevent use or disclosure that is not allowed and is reasonably foreseen.
Be certain that your employees are following compliance guidelines.
The Security Rule is written in flexible language, with parameters that need to be met but no specific steps forward. That looseness of language, per the agency, is intended to allow individual organizations to come up with their own solutions based on the scope and nature of their institution.
Essential HIPAA-compliant storage safeguards
Here are the specific ePHI safeguards you need, whether internally or through an organization you contract, across the three Security Rule categories:
Transmission security – A HIPAA-compliant organization needs to deploy technical security mechanisms that keep nefarious parties from being able to unlawfully access health records that are being sent through the network.
Access controls – Companies must enact technical policy and procedure documents that outline rules for access to electronic health records.
Integrity control – To maintain HIPAA compliance, an organization must develop policies and procedures intended to prevent the manipulation or destruction of health data. Plus, there should be tools implemented to verify that information alteration or elimination is not occurring.
Audit controls – For any systems that hold or utilize electronic health data, institutions have to set up software, equipment, and process elements to log and analyze access and the related activities by users.
Workstation and device protections – Access to and use of electronic media and workstations should be governed by policies and procedures developed by the organization. A HIPAA-compliant company should have official policies and procedures related to how electronic media is moved, reused, decommissioned, and discarded.
Facility access – Institutions should verify that physical access to their data center is limited to authorized parties.
Assessment – A HIPAA-compliant company has to routinely evaluate the extent to which its policies and procedures are aligned with the Security Rule.
Security point-person – There should be a designated security officer who creates and launches policy and procedure documents.
Staff management and training – There should be proper authorization and oversight of any staff members who handle patient data. All members of your workforce should have security training, and there must be consequences when anyone disregards the official guidelines.
Data access management – Follow the Privacy Rule’s principle of “minimum necessary” related to the use and disclosure of health data. The Security Rule mandates that the policies and procedures used by a HIPAA-compliant organization should only allow an individual to access data when their role gives them that permission (called role-based access).
Security management – To achieve HIPAA compliance, a company must identify risks and take steps to mitigate them. Risk analysis is critical because it will impact all the above efforts, so it is discussed in its own section below.
Risk analysis and management
All HIPAA compliant storage should be assessed for any risks on a regular basis. Here is how you move forward:
Assess risks to the data, potential results of related attacks, and how likely they are to occur.
Set up security protections against the risks discovered.
Record the security steps that are taken and why they were taken (as relevant).
Set up and support ongoing, appropriate, and reasonable safeguards.
Cloud providers and importance of the BAA
Many organizations work with outside parties to protect their ePHI. The Healthcare Industry Cybersecurity Task Force (HCIC) released a 2017 report of healthcare cybersecurity recommendations that addressed cloud relationships. One key point was to embrace cloud service providers, especially if your organization is smaller, since “smaller healthcare organizations often do not have the resources to fully staff a credible cybersecurity group.”
While cloud may make sense, the business associate agreement is critical to relationships with third parties. While you still must carefully vet these organizations, the BAA establishes responsibility for all aspects of the handling of the information that might otherwise be unclear.
More and more healthcare practitioners are turning to social media to disseminate health related information and communicate with customers and others in their field. However, healthcare practitioners should pay close attention to the information that they share out there to ensure that they comply with HIPAA Security Rule. Here are a few guidelines to assist you in implementing a social media strategy that complies with HIPAA standards.
What is HIPAA?
First, let’s begin with a basic understanding of the law. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law mandating the non-disclosure of private and personal patient information by healthcare professionals and their business associates. The exception to this rule is that the patient’s information can be shared internally within the confines of the hospital between doctors and healthcare professionals, or between the hospital and the insurance company for payment purposes. Unless the patient voids the non-disclosure, their information has no place outside of the databases of both the hospital and the insurance company.
Guidelines for remaining HIPAA compliant
An accidental error in the information that has been shared on social media can mean that HIPAA compliance has been inadvertently violated. While the mistake may not be on your part, it could mean a host of problems for you, your business, and your reputation. Staying cautious about the information that is disseminated through your organization’s Facebook, Twitter, or other social media pages is significantly important to your career.
Seek patient consent before you post anything – Before you write about a case, seek your patient’s consent. Confidentiality is a fundamental aspect of the relationship you share with those who have sought your professional assistance. Acquiring prior consent should never be overruled, regardless of whether your client’s identity has been omitted from the information you shared online.
Inform before you engage – Some patients are less private about their medical conditions, and would like to communicate with you through social media. You should attempt to take the conversation into the privacy of your workplace. If your patient persists on an online dialogue, inform them of the risks associated with revealing personal information online, then acquire the patient’s consent before communicating through social media.
Sending text messages has become a common method of communication among teenagers, adults, and more recently, medical professionals. Physicians are discovering that texting provides a quick and efficient way to communicate with colleagues, patients, and office or hospital staff. A recent survey by QuantiaMD of 38,000 physicians found that approximately “83 percent of physicians own at least one mobile device and about one in four doctors are ‘super mobile’ users who leverage both smartphones and tablet computers in their medical practices.”
As patients and healthcare providers increasingly use mobile devices to communicate with each other, concerns are raised about the security of electronic protected health information (e-PHI). The Health Insurance Portability and Accountability Act (HIPAA) Security Rule allows healthcare providers to communicate electronically with patients, but it also outlines standards to protect individuals’ e-PHI with appropriate safeguards to protect confidentiality, integrity and security of e-PHI. The following identifies security issues raised by texting of PHI between healthcare providers or provider and patient and how unsecure texting may violate the HIPAA Security Rule and create liability for healthcare providers.
As a general rule, texting of PHI by healthcare providers is strongly discouraged. Texting, or traditional short message service (SMS) messaging, is non-secure and non-compliant with HIPAA because data stored on personal mobile devices is not encrypted and is usually stored within the computer memory or on a smartphone SIM card or memory chip. The lack of encryption and the easily accessible storage methods allow any e-PHI communication on a mobile device to be retrieved and shared by anyone with access to the mobile device. This means that messages containing PHI can be read by anyone, forwarded, remain unencrypted on phone company servers, and stay forever on the sender and receiver’s phones.
Another reason why physician-patient texting is discouraged is that standard texting/SMS limits the message to 160 characters. This limited text field may cause critical information or options to be eliminated. According to a recent policy statement from the American College of Physicians and the Federation of State Medical Boards, physicians should understand text messaging is “not analogous to e-mail because of its abbreviated format and the greater possibility of missed messages.” Physicians are urged not to use text messaging even with established patients “except with extreme caution and with patient consent.”