HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data – Protected Health Information (PHI). PHI is defined as any identifiable information that can be linked to a specific individual (such as name, birthdate, social security number, picture, etc.).
Any company that deals with PHI must ensure that all the required physical, network, and process security measures are in place and followed.
This includes covered entities (CE), anyone who provides treatment, payment or operations in healthcare, and business associates (BA), anyone who has access to patient information and provides support in treatment, payment or operations. Additionally, subcontractors (business associates of business associates) must also be in compliance.
The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI). The Security Rule outlines appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Administrative safeguards incorporate the implementation of security measures that reduce the risks and vulnerabilities to PHI. A covered entity must also provide workforce training and management for all members with access to PHI, and apply appropriate sanctions against those members who violate its policies and procedures.
Physical safeguards include limited facility access and control, with authorized access procedures in place. All covered entities, or companies that must be HIPAA compliant, must have policies about the use of and access to workstations and electronic media. This includes transferring, removing, disposing of and re-using electronic media and electronic protected health information (ePHI).
Technical safeguards require access control so that only authorized users can access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption/decryption. Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed.
Network, or transmission, security is the last technical safeguard required to protect against unauthorized public access to ePHI. This concerns all methods of transmitting data, whether by email, over the Internet, or even over a private network, such as a private cloud.
A supplemental act, the Health Information Technology for Economic and Clinical Health (HITECH) Act, was passed in 2009. It supports the enforcement of HIPAA requirements by raising the penalties for health organizations that violate the HIPAA Privacy and Security Rules.
The Final HIPAA Omnibus Rule was passed in 2013 and strengthened privacy and security protections for PHI by adding more accountability for vendors and business associates who access ePHI. Additionally, it supports the government’s ability to enforce the law.