In a previous article we discussed the high-level requirement of the healthcare insurance portability and accountability act (HIPAA), including its basic administrative, technical, and physical safeguards.
But compliance is a complex and evolving challenge. With the mobile and telehealth trends making technology’s role in the healthcare industry more prominent than ever, it’s important that organizations are prepared to manage the details of compliance in a clear and systematic way.
We’ve designed this checklist to provide an overview of the technical controls that all healthcare providers will need to implement to avoid the reputational damage and expense of non-compliance.
As an IT services provider, most questions we get about HIPAA and HITECH compliance are centered around what’s known as the technical safeguards. These are the policies and procedures that healthcare providers use to protect electronic personal health information(ePHI) as it travels across a network.
There are several major category of technical control:
1. Access and Authentication Control
Restricting access to protected health information (PHI) is a critically important balancing act. On one hand, doctors and nurses must be able to access healthcare records immediately to provide quality healthcare outcomes. On the other hand, access controls are a critical aspect of data security and must be applied vigorously throughout your organization.
Here are the steps you should take to meet HIPAA’s access and authentication requirements:
While authentication is often confused for access control, in reality it’s a unique category that’s focused on what steps users and entities need to take before they can access ePHI. For many organization, authentication can be addressed in one single step.
2. Audit Controls
This category is another major feature of HIPAA’s technical requirements. Both covered entities and business associates must be able to appropriately review and audit security trails. The audit controls you implement should provide procedural mechanisms to record and examine activity in any hardware or software system that processes or contains ePHI. This ensures that any unauthorized access can be traced back to a single user account.
To achieve comprehensive audit control, you’ll need to cover each of these three areas:
3. Integrity Controls
Integrity is a core feature of the CIA triad of cybersecurity. Integrity, along with confidentiality and availability, are considered important guidelines for developing a strong overall security posture.
Data integrity is an important feature of HIPAA and HITECH as well, meaning that all healthcare organizations must take steps to ensure that ePHI is not, “altered or destroyed in an unauthorized manner,” which could lead to health consequences for patients.
While the HIPAA text is light on technical prescriptions, here are common steps organizations take to ensure the trustworthiness of data throughout its entire lifecycle:
Remember that although we’re talking mainly technical dimensions, you should also safeguard your data from real-world data integrity issues as well, such as staff members or business associates altering or destroying paper healthcare records.
4. Transmission Security
Data in motion must be protected in the same way that you protect data at rest. This includes applying strong encryption consistently for all ePHI as it travels between your servers, workstations, mobile devices, cloud services, as well as the technology systems of business associates.
Technical controls are just one piece of the HIPAA compliance puzzle. All controls must be augmented with effective administrative processes to avoid falling out of compliance.
This often starts with a rigorous audit of an organizations’ ePHI and then creating an inventory of where that data is received, stored, and maintained. HIPAA guidelines require providers to group data according to its level of sensitivity, which helps create a more consistent system for keeping it safe.
Under HIPAA, there are four layers of protected data:
This information is protected by state or federal regulation, such as intellectual property or research data. If improperly disclosed, an organization with improperly secured restricted data face criminal charges or large fines.
This is data could cause significant damage or personal distress if improperly disclosed. It includes social security numbers, cardholder data, and personal healthcare information.
Company memos or other internal communications should be restricted to staff members and appropriate parties
This type of data can be accessed redistributed by anyone by anyone, but it should still be protected from unauthorized alteration.
Once you have a clear sense where protected ePHI exists and how it flows through your network, you can customize the technical safeguards mentioned above to ensure resources are allocated to provide the necessary levels of security, without leading to budget overruns.
To learn about creating a good technology policy, read more here.
HIPAA is based on concepts of flexibility, scalability, and neutrality, which means there are no specific requirements that you need to implement to be compliant. It’s an open-ended concept, which leaves significant room for your organization to determine what’s most appropriate.
If your organization is struggling with HIPAA compliance and would like the support of a team of seasoned compliance experts, we’re here to help! Contact our HIPAA experts any time with your questions at [email protected] or 1 877 877 1840.
We look forward to speaking with you!
We know that the first step toward better IT support is to research your options. We’ve put this guide together to aid you in that process.
It’s designed to give you an overview of our organization, so that you have the key information you need to evaluate our service fit.
This guide covers:
Download it for free by filling out the form here.