At a time when information is increasingly maintained and transmitted online or in the cloud, HIPAA compliance is more crucial than ever. Any organization needs to know what it must do to comply with HIPAA law and regulations for protecting patient information. HIPAA law was established to ensure that protected health information (PHI) remains confidential; it also grants rights to patients and provides safeguards for healthcare providers. Any healthcare provider or ‘covered entity’ found to be non-compliant may face penalties ranging up to $50,000 per violation, and up to $1.5 million per year across all HIPAA violation categories.
For any organization or Covered Entity with access to PHI that wants to understand the importance of keeping texting secure, below is a brief introduction to the HIPAA Security Rule and the HIPAA Privacy Rule to help make sure you’re safeguarded against security breaches and HIPAA fines when communicating PHI.
HIPAA Security Rule
The HIPAA Security Rule contains the standards that need to be applied to electronic protected health information (ePHI) at each step, whether at rest, in transit or in storage. The Security Rule applies to any person or entity that has access to confidential data and outlines the standards that must be met. They fall into three core categories, physical, technical, and administrative safeguards, each of which is divided into implementation specifications, i.e. further instruction for implementing the standard.
Physical Safeguards
These refer to the actual physical protection of your organization’s facilities and servers, regardless of location. The physical safeguards also specify who has access to workstations and mobile devices. With this in mind, one of the best physical safeguards you can have to protect your ePHI is monitoring and controlling who has access to it, based on job roles and functions.
- Facility access controls must be introduced to keep track of any individual who has physical access to any location or device where ePHI is stored.
- Policies related to workstation areas must be implemented to ensure that ePHI is not compromised when being accessed at a workstation. Policies must also be applied to the accessing of ePHI from mobile devices.
- An inventory of all hardware must be recorded, along with a report of movements of each item.
Technical Safeguards
These safeguards govern the electronic access and technology used to access ePHI. The core standard this safeguard stipulates is that all ePHI MUST be encrypted; this should include all data in motion and data stored in the cloud. Some key components to consider:
- There should be access control, and every user should require a unique ID and password.
- All electronic logins should require multi-factor authentication in order to access the data.
- Implement a mechanism that can authenticate ePHI. This is crucial because it confirms whether ePHI has been altered or destroyed.
- As aforementioned, everything needs to be encrypted. This should ideally be end-to-end encryption.
- Each organization should have a backup and disaster recovery plan.
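The list above calls for a mechanism that can confirm whether ePHI has been altered. The following added example (not code from the original article, and not part of the Lua product) shows one way to do that with only the Python standard library: each record is sealed with an HMAC-SHA256 tag over a canonical serialization, and a verifier recomputes the tag in constant time. The record fields, key identifier and key are all constructed sample values.

```python
"""Integrity tagging for an ePHI record: an added illustration of the
'mechanism to authenticate ePHI' technical safeguard using HMAC-SHA256
over a canonical JSON serialization (standard library only)."""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so the same content always
    yields the same bytes (key order and whitespace must not matter)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes, key_id: str) -> dict:
    """Return an envelope holding the record plus an HMAC tag over its
    canonical form. key_id lets a verifier pick the right key after rotation."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "record": record, "tag": tag}


def verify_record(envelope: dict, keys: dict) -> bool:
    """Recompute the tag and compare in constant time. Returns False if the
    record was altered, the tag was altered, or the key id is unknown."""
    key = keys.get(envelope.get("key_id"))
    if key is None:
        return False
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def demo() -> dict:
    """Seal a constructed sample record, then show that verification
    succeeds on the intact record and fails after alteration."""
    # Constructed sample: a fictitious patient record and a freshly generated key.
    keys = {"k-2024-01": secrets.token_bytes(32)}
    record = {"patient_id": "P-000123", "diagnosis_code": "J10.1", "visit_date": "2024-03-04"}
    sealed = seal_record(record, keys["k-2024-01"], "k-2024-01")
    results = {"intact": verify_record(sealed, keys)}

    # Simulate alteration: the stored record is changed but the tag is not.
    tampered = json.loads(json.dumps(sealed))
    tampered["record"]["diagnosis_code"] = "Z00.0"
    results["tampered_detected"] = not verify_record(tampered, keys)

    # Simulate an envelope that references a key the organization never issued.
    unknown = dict(sealed, key_id="k-unknown")
    results["unknown_key_rejected"] = not verify_record(unknown, keys)
    return results


if __name__ == "__main__":
    print(demo())
```

This gives integrity, not confidentiality: the record is still readable. In practice an authenticated-encryption mode such as AES-GCM (available through a third-party library like `cryptography`) would provide both in one step, and the key material would live in a key-management service rather than in the application process.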
Administrative Safeguards
These safeguards are the procedures and policies that bring the Privacy and Security Rules together, and they are some of the most important aspects of getting HIPAA compliance right. Some recommended administrative safeguards to include are:
- Risk assessments must be conducted at regular intervals and a risk management policy must be introduced.
- The organization must create a process for auditing data and controlling how it is preserved, altered or destroyed.
- A contingency plan must be developed and tested, with accessible backups of all ePHI in the event of an emergency.
- All employees must receive security training, and the training must be documented.
- Business Associate Agreements must be signed with all partners who have access to ePHI.
Organizations are increasingly implementing ‘Bring Your Own Device’ (BYOD) policies, and with the rise of the cloud, it is imperative that the Security Rule is followed in order to ensure HIPAA compliance. The HHS offers a full breakdown of each of the Technical, Physical, and Administrative safeguards and how to implement them.
HIPAA Privacy Rule
The Privacy Rule controls and sets the standards for who is allowed to have access to PHI. It applies to all healthcare organizations, health plan providers, healthcare clearinghouses and, since the introduction of the Final Omnibus Rule in 2013, all business associates of covered entities. It’s designed to ensure PHI has proper protection, but also endeavours to be practical, authorizing parties to transmit and share PHI in a secure manner in order to improve patient care.
The Privacy Rule also gives patients more rights and control over their health information and enables them to hold covered entities accountable for how they handle PHI. Under the Privacy Rule, covered entities are advised to carry out a number of measures:
- Appoint a privacy official to develop sufficient privacy policies and ensure the entire workforce is trained in these policies and in how to maintain the integrity of PHI.
- Obtain written permission from patients before their health information is used for purposes such as research or fundraising.
A full breakdown of the HIPAA Privacy Rule can be found on the Department of Health and Human Services website.
Lua, A Streamlined Solution
HIPAA compliance is no laughing matter, and working through the above is a great start to reducing the risk of breach fines and ensuring the integrity of patient data. Lua is a secure communication solution that employees love and IT can trust, helping to make HIPAA compliance simpler. Data transmitted within Lua is protected and fully encrypted at all stages, with only authorized users having access to information. You can learn more about how Lua offers full security, along with the many other benefits of implementing a HIPAA-compliant messaging solution.