Employing electronic methods and processes to maximize efficiency and mobility in the healthcare industry is not without its risks. While new technologies adopted by healthcare providers undoubtedly improve the efficiency and quality of patient care, the rise of security risks facing sensitive patient data cannot be ignored either. This is where the Health Insurance Portability and Accountability Act (HIPAA) comes in, which serves as a safeguard for the privacy of patients’ health information. Published by the U.S. Department of Health and Human Services (HHS), HIPAA establishes the national standards that need to be observed by any healthcare provider falling under the scope of the act.
This article is an overview of the privacy and security measures that must be observed by entities dealing with sensitive patient data, the healthcare organizations covered by HIPAA, who enforces HIPAA, and how you can find HIPAA compliant web hosting.
What is HIPAA?
HIPAA – made up of the Standards for Privacy of Individually Identifiable Health Information (commonly known as the Privacy Rule) and the Security Standards for the Protection of Electronic Protected Health Information (commonly known as the Security Rule) – is a set of standards that detail the conditions under which certain personal health information may be used and disclosed. It also specifies the physical, network and process security measures that must be adopted by any healthcare provider that deals with confidential patient data that is stored, transmitted or accessible electronically, in order to ensure the privacy and security of that data.
The Privacy Rule covers the standards for saving, accessing and sharing any individual’s medical information, while the Security Rule details the national security standards for electronic protected health information (ePHI), that is, any protected health information that is created, received, stored or transmitted electronically.
What does it mean to be HIPAA compliant?
To achieve full HIPAA compliance, an organization needs to implement certain physical, technical and administrative (policy) safeguards. Here is a brief rundown of what each of these safeguards entails:
Physical safeguards outlined in the HIPAA focus on preventing physical access of unauthorized personnel to ePHI, irrespective of where the ePHI is stored (e.g. on the premises of the entity that falls under the scope of the HIPAA, in a remote data center, in the cloud, etc.). Therefore, facility access control measures and measures to prevent theft, tampering and unauthorized access are essential to achieve compliance. Moreover, workstation use policies, mobile device access to ePHI, and other electronic media related usage and re-usage policies and inventory measures must be devised and implemented.
The safety measures with respect to the technology used to protect and access ePHI are dealt with in the technical safeguards of the Security Rules. These safeguards require access control measures, ePHI authentication measures (to confirm whether ePHI was destroyed or even altered in an unauthorized manner), encryption and decryption tools, introduction of activity audit controls (to record any access to and activity with ePHI), and other measures that prevent unauthorized access (e.g. automatic log-off should a device be left unattended).
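To make the technical safeguards above concrete, here is a small, self-contained example written for this article (it is not code from the article, from HHS, or from any hosting provider). It models an in-memory ePHI store that applies role-based access control, records every access attempt in an audit log, attaches an HMAC integrity tag so unauthorized alteration of a record is detected on read, and enforces an automatic log-off after a period of inactivity. The roles, the 15-minute idle limit, the patient identifiers and the integrity key are constructed values for the demonstration; a real deployment would take the key from a secrets manager, set the timeout by policy, and add encryption of the records at rest and in transit, which this example leaves out to stay focused on integrity, auditing and access control.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed values for the example; a real deployment loads the key from a
# secrets manager/HSM and sets the idle limit according to its policy.
IDLE_TIMEOUT_SECONDS = 15 * 60
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"

# Access control: minimum permissions per (hypothetical) role.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
}


@dataclass
class Session:
    user: str
    role: str
    last_activity: float


class EphiStore:
    """Toy ePHI store that applies the technical safeguards named above."""

    def __init__(self, key=INTEGRITY_KEY, clock=time.time):
        self._key = key
        self._clock = clock      # injectable so the idle time-out can be tested
        self._records = {}       # patient_id -> (payload bytes, HMAC tag)
        self.audit_log = []      # every access attempt, allowed or denied

    # --- audit controls: record who did what to which record, and the outcome
    def _audit(self, user, action, patient_id, outcome):
        self.audit_log.append({
            "time": self._clock(), "user": user, "action": action,
            "patient": patient_id, "outcome": outcome,
        })

    # --- ePHI authentication: keyed tag detects unauthorized alteration
    def _tag(self, patient_id, payload):
        # The patient id is bound into the tag so a valid record cannot be
        # swapped between patients without detection.
        msg = patient_id.encode() + b"\x00" + payload
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    # --- access control plus automatic log-off on idle sessions
    def _authorize(self, session, action, patient_id):
        now = self._clock()
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            self._audit(session.user, action, patient_id, "denied:session-expired")
            raise PermissionError("idle time-out: automatic log-off")
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self._audit(session.user, action, patient_id, "denied:unauthorized")
            raise PermissionError(f"role {session.role!r} may not {action}")
        session.last_activity = now

    def write(self, session, patient_id, record):
        self._authorize(session, "write", patient_id)
        payload = json.dumps(record, sort_keys=True).encode()
        self._records[patient_id] = (payload, self._tag(patient_id, payload))
        self._audit(session.user, "write", patient_id, "ok")

    def read(self, session, patient_id):
        self._authorize(session, "read", patient_id)
        payload, tag = self._records[patient_id]
        if not hmac.compare_digest(tag, self._tag(patient_id, payload)):
            self._audit(session.user, "read", patient_id, "denied:integrity-failure")
            raise ValueError("ePHI record failed integrity check")
        self._audit(session.user, "read", patient_id, "ok")
        return json.loads(payload)


def _denied(exc_type, fn):
    """True if fn() raises exc_type (the safeguard fired), else False."""
    try:
        fn()
    except exc_type:
        return True
    return False


def run_demo():
    """Exercise each safeguard with a fake clock; returns the audit outcomes."""
    clock = {"now": 1_000_000.0}
    store = EphiStore(clock=lambda: clock["now"])
    doctor = Session("dr_lee", "physician", clock["now"])     # constructed
    clerk = Session("clerk_kim", "billing", clock["now"])     # constructed

    store.write(doctor, "P-001", {"dx": "constructed sample"})      # allowed
    store.read(clerk, "P-001")                                      # allowed
    assert _denied(PermissionError,                                 # wrong role
                   lambda: store.write(clerk, "P-001", {"dx": "x"}))
    # Alter the stored bytes directly, bypassing write(): caught on the next read.
    payload, tag = store._records["P-001"]
    store._records["P-001"] = (payload.replace(b"sample", b"forged"), tag)
    assert _denied(ValueError, lambda: store.read(doctor, "P-001"))
    # Advance the clock past the idle limit: the session is logged off.
    clock["now"] += IDLE_TIMEOUT_SECONDS + 1
    assert _denied(PermissionError, lambda: store.read(doctor, "P-001"))
    return [entry["outcome"] for entry in store.audit_log]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Note that denied attempts are written to the audit log before the exception is raised, so the log captures unauthorized activity as well as successful access, which is what an auditor reviewing "activity with ePHI" expects to see; the integrity tag is keyed (an HMAC) rather than a plain hash precisely so that someone who can alter the stored bytes cannot simply recompute a matching checksum.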
Administrative safeguard procedures and policies bring the Privacy Rule and the Security Rule together, and establish the need to assign a Security Officer and a Privacy Officer who will oversee the implementation of the necessary measures to protect ePHI. The administrative safeguards include: running regular risk assessments and drawing up a risk assessment policy, training employees in ePHI security (training must be documented), creating a contingency plan (detailing the measures employed to ensure the continuance of business processes and the security of ePHI even in an emergency), periodic testing of the contingency plan, preventing unauthorized third-party access (e.g. unauthorized subcontractors or business associates), reporting security incidents that did not develop into a breach, etc.
Some of the safeguards listed above are required (e.g. a risk management policy), meaning that an organization that fails to implement them will not be in compliance with HIPAA. Other safeguards are only addressable (e.g. security training for employees), meaning that, where implementing them would be unreasonable, organizations can choose to implement alternatives, or not implement the safeguard at all.
Who needs to be HIPAA compliant?
The organizations that must be compliant with HIPAA are known as Covered Entities (CE) and include individual medical practitioners, clinics, regional health services, hospitals and other healthcare providers that carry out transactions in electronic form, health plans, healthcare clearinghouses, and anyone providing treatment, payment or operations in healthcare, including their subcontractors, business associates, and business associates of business associates.
Compliance is enforced by the Office for Civil Rights of the Department of Health and Human Services (OCR). Consequences of non-compliance include substantial fines, criminal charges and civil action lawsuits being filed. The penalties for non-compliance with HIPAA are covered in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Should a breach occur, there are rules for notifying both the OCR and the patients affected by the breach. When issuing a fine, the OCR does not distinguish between an inadvertent violation of HIPAA and willful neglect; therefore, covered entities must stay up to date with the requirements of being HIPAA compliant.
How to find the best HIPAA compliant web hosting?
In the wake of the growing proliferation of electronic patient data, the need for data security is more crucial than ever. As a covered entity, if you run a website or application that falls under the scope of HIPAA, you need HIPAA compliant hosting. Apart from the technical and physical safeguards discussed above that must be met by your hosting provider, here are some other aspects to consider when searching for HIPAA compliant web hosting:
- Willingness to sign a Business Associate Agreement (BAA) – since the hosting company qualifies as a business associate in the sense of HIPAA, they need to sign a Business Associate Agreement.
- Active compliance – HIPAA compliance is an on-going process, therefore it’s important that your host conforms at all times to the compliance requirements.
- HIPAA compliant managed services – a good HIPAA compliant hosting provider also offers managed services that meet the requirements of HIPAA. LiquidWeb is a cloud-based hosting provider that specializes in offering HIPAA compliant hosting. Their hosting plans also come with several managed services, such as an intrusion detection system, logging, vulnerability testing, onsite/offsite backup, two-factor authentication, a web application firewall, managed firewall rules, etc., to support your efforts to become HIPAA compliant.
- Independently audited host – a hosting provider that has submitted to an independent HIPAA audit and verification should also be on the top of your list when searching for a reliable hosting provider.
If you’re a healthcare organization that handles PHI, you are held accountable by HIPAA standards. Achieving compliance is not without its obstacles, but choosing business partners that are knowledgeable in the security standards that need to be achieved and measures that need to be implemented is a first line of defense in avoiding breaches and maintaining compliance.