Avoiding the HIPAA Wall of Shame
Security Tips for Protecting Your HIPAA Compliant Data
The consequences of violating HIPAA can be extreme. Limitless monetary fines and a crippled reputation can destroy an organization. Even if you don’t lose everything after a HIPAA data breach, you can find yourself forever on the HIPAA Wall of Shame.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the subsequent security and privacy ruling amendments epitomize the security requirements for storing and processing electronic Patient Health Information (ePHI) in the digital age. The rules and regulations are very strict and often seen as complicated, however, we have compiled these security tips to help address the stringent conditions of HIPAA.
It is important to understand the definition of a security breach. According to the United States Department of Health and Human Services, a breach is an unauthorized acquisition, access, use, or disclosure of protected health information. Fines can range from $100 to $50,000 per breached record. There are many exclusions and caveats, but importantly there is no cap on the maximum fine.
Defining what classifies ePHI is critical for all covered entities. Members of the public and healthcare professionals may have different viewpoints on what exactly constitutes ePHI, but essentially, ePHI is any health information that is individually identifiable. Popular examples include treatment reports, test results, and prescription information. Any information that includes the name, phone numbers, address, social security number, medical records number or health insurance details is also in scope.
What should you do?
- Make security the number one agenda: Securing ePHI is the cornerstone of HIPAA, and one of the most important first steps to achieve compliance. This includes implementing physical security measures, technical security solutions, and administrative security policies required by law.
- Know what ePHI you have: You need to know where it is stored and how you process ePHI. If you do not know what ePHI you have, you must treat all data as ePHI. Knowing what you have creates a platform that helps define how you can handle and process ePHI. It also identifies which healthcare partners and 3rd parties must sign up for a business associate agreement.
- Get outside help: HIPAA compliance is not easy to achieve. There are several required safeguards and numerous recommended safeguards needed for compliance. HIPAA is complex, and healthcare professionals are experts at looking after patients. They may not necessarily be computer scientists. If that is the case, looking for a partner with vast experience in HIPAA technical solutions will make the digital transformation journey a lot easier.
- Encrypt ePHI: Personally identifiable information must be encrypted at-rest and in-transit with at least 256bit AES encryption. This is something an IT partner can help you achieve with ease. Technical solutions can encrypt data rapidly using encryption keys unique to you. As a result, it is impossible for anyone else to open the data as only you have the master key. Encrypting devices such as laptops, tablets, and mobile phones creates an additional layer of protection if the device is lost or stolen.
- Controlling Access: HIPAA requires protection controls at the physical layer, as well as a technical layer. Users have limited access to select computer systems. Healthcare professionals must only have access to the data that is relevant for their role. Access Control Lists are essential when it comes to managing user privileges and enforcing log off and lock screen timeouts. Restricting physical access and auditing everyone who enters and leaves restricted areas of a building is critical, particularly those that contain computer systems that manage ePHI – most commonly this will be a datacenter.
- Training: This required HIPAA element ensures that the training of health professionals and covered entities is compulsory. The training will embed an understanding of what constitutes ePHI, as well as providing knowledge sharing about the technical solutions put in place to manage ePHI. This is commonly instructions on how to use cloud computing services, IoT devices, and information on user and computer etiquette to protect against viruses, ransomware, and data breaches.
- Document everything: Maintaining HIPAA compliance requires that all business services are documented to formulate the roles and responsibilities of everyone involved. This typically involves employing a representative to ensure the legislation is followed and that processes are learned, and that they evolve and are developed over time. Any concerns should be reported and acted upon immediately.
- Have an incident response plan and test it: Business continuity is of paramount importance for HIPAA. It requires administrative and technical planning to host services and process ePHI in the event of a disaster. Technical measures must include a backup schedule to protect all ePHI, and a technical solution must be in place to fail over core business services in the event of a computer system outage. This is commonly done through a cloud hosting partner who leverages replica computer systems in an alternative location that can be enabled once disaster recovery is invoked.
- Expect data breaches: Medical institutions are one of the primary targets for hackers and cyber criminals. The professional damage inflicted by falling foul of a data breach is incredibly damaging. HIPAA demands any ePHI breach must be reported, and depending on the severity of the breach, limitless fines and a tarnished reputation is probable. Not to mention the suffering caused to patients involved in a hack.
What Not to Do
- No Peeking: The number one rule for healthcare professionals is that they must never view patient records that are not related to the case being worked on. The rules are strict and the penalties are real.
- All actions are logged: Patient records contain an abundance of personally identifiable information. Importantly, all access to ePHI is logged and audited. As a result, there is a digital footprint linked to any user who has accessed any ePHI.
- Sharing Credentials: Sharing computer login accounts and passwords with anyone is strictly forbidden by HIPAA legislation. Never disclose any protected password to a colleague or external contact. All personnel must use their own username and password provided by the IT department. This applies to every digital asset, even when using a shared computer or a shared medical instrument. Never write your username and password down anywhere.
- Printing ePHI: If ePHI is to be printed, the data must be securely destroyed in a shredding bin after use. Under no circumstances must ePHI be displayed where confidential information can be disclosed. This includes laptops, tablets, mobile phones or digital notice boards in public areas. Maintaining confidentiality is of the utmost importance. If a doctor’s medical bag was stolen, printed ePHI could easily be exposed, whereas ePHI stored on a laptop should be encrypted, password protected and therefore much harder to disclose.
For these reasons, and to avoid the HIPAA Wall of Shame, it is extraordinarily important to choose a technological partner that specializes in healthcare HIPAA Compliant Hosting.
Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.