What is HIPAA compliance?

During the 1990s, the medical world was undergoing a transition. For decades, hospitals and medical offices had kept physical copies of patient records in file folders. With the growth of the internet, these facilities saw the benefits of sending digital patient records between institutions. Electronic records made patient care faster, but they exposed sensitive patient data to security breaches.

The Health Insurance Portability and Accountability Act of 1996 sought to create measures to protect patient information while keeping it available to medical professionals. Since that year, every institution that handles protected health information (PHI) must comply with the guidelines.

HIPAA Compliance Overview

The medical world’s dependence on online data transmission has expanded, and the legislation has grown with it. The U.S. Department of Health and Human Services is responsible for developing HIPAA standards. They began early on with the HIPAA Privacy Rule that spelled out general expectations for handling PHI. In 2003, the HIPAA Security Rule offered more guidelines around the safety of electronic patient records.

The 2009 HITECH Act acknowledged that business associates such as SaaS providers might handle ePHI. These organizations also must comply with HIPAA guidelines.

Also in 2009, HHS passed the Breach Notification Rule as part of HIPAA. This rule was more specific about an organization’s responsibility in response to data breaches. The latest rule added to HIPAA is the 2013 Final Omnibus Rule that outlines the standards for Business Associate Agreements.

HIPAA Compliance Data Security

The HIPAA legislation recognizes that not all healthcare organizations are the same. A complex medical center poses a larger security risk than a rural office with a single physician. The procedures and policies necessary to maintain HIPAA data security compliance will depend on factors such as the size, complexity and overall risk of the covered entity. The HIPAA rules also acknowledge that cost can be a factor for smaller organizations.

Administrative Safeguards

Keeping electronic patient data safe begins with examining risks and developing appropriate policies. Because electronic patient health information has become an essential part of medical care, there are many potential places for HIPAA violations. Organizations must strive to adopt a culture of data safety.

1. Risk Assessment: Every covered entity and business associate must examine their organization to look for potential problems. They need to understand the type of PHI they collect and store. Administrative leaders must also assess the risk of cyberattacks and weak spots in an organization’s defenses. This is an ongoing process.

2. Employee Training: Human error is the most common source of HIPAA violations. When employees are careless with devices or ignore security protocols, it can lead to a serious breach. Regular training on basic cybersecurity practices is a preventative tool.

3. Reporting Policy: Covered entities must have a plan in place to respond to data breaches. Although a breach can damage an organization’s reputation, ignoring the attack will slow down data recovery efforts.

4. Security Management: Every health organization should have a central office or figure devoted to HIPAA compliance. A centralized security model does a better job of analyzing risks in a complex organization.

5. “Minimum Necessary” Access Policy: “Minimum necessary” data access means that employees should only have access to the PHI they need to provide patient care. However, an institution should also have a policy in place that allows for the release of patient data in an emergency.

Physical Safeguards

The simplest point of entry for a security breach is through the physical devices at a facility. Organizations must adopt practices that limit the risk.

1. Facility Security: Medical facilities need clear boundaries between public and private zones. Mandatory visitor passes and employee badges will keep visitors from unauthorized areas.

2. Workstation Security: To maintain treatment plans and keep records up to date, doctors and nurses need easy access to workstations. However, computer placement should prevent people walking nearby from viewing information on screens.

3. Device Security: Mobile devices make data entry and patient communication simple. However, stealing an unlocked device is an easy way for criminals to access sensitive data. Clear mobile device protocols will prevent a HIPAA violation.

Technical Safeguards

IT professionals are responsible for the safety and security of an organization's network. They are the team that will configure and maintain the system for data protection.

1. Access Controls: At a basic level, every employee must have a username and password. The frequency of password updates may depend on the size of the organization. Complex medical centers may need to implement role-based authorization to maintain the “Minimum Access” standard.

2. Encryption: Patient data must be stored and shared safely. PHI transmission should happen over a secure network with strong encryption protocols in place.

3. Auditing: Any access to PHI should create a digital trail that experts can follow. In the case of a data breach, IT personnel will determine what went wrong and how much data was affected.

4. Log-off Protocols: IT employees should have a clear picture of who is logged into the system at any moment. To prevent unauthorized access, the system should automatically log off accounts after a predetermined time of inactivity.

What is HIPAA compliance going to look like in the next few years?

Medical practices during the COVID-19 pandemic have created new challenges for HIPAA compliance. The increased numbers of emergency patients caused some facilities to relax standards. To maintain social distancing rules, more patient interactions happened over video conferencing platforms. As the pandemic lifts, covered entities must stay alert for HIPAA updates and reassess their compliance safeguards.

Looking for information on PCI security?

Check out our PCI DSS Compliance checklist for 2021.