HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the central piece of US federal legislation protecting the privacy and security of individually identifiable patient health information (protected health information, or PHI). It sets national standards that are administered and enforced at the federal level by the Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR). Severe penalties are in force: civil fines that can run into millions of dollars, and criminal penalties, including jail time, for knowingly misusing PHI.
So, how do you comply with HIPAA?
HIPAA requires anyone covered by the law (known as Covered Entities or CEs: health plans, healthcare clearinghouses and most healthcare providers) and the vendors that create, receive or handle PHI on their behalf (known as Business Associates or BAs) to put administrative, physical and technical safeguards in place against reasonably anticipated threats to patient information. The law is firm about which standards must be met, but deliberately flexible about how: many of its implementation specifications are "addressable" rather than required, so that specific security measures can be matched to the size, resources and risk profile of each organization and use case in the healthcare industry.
The business reality is that most healthcare providers cannot comply with HIPAA using their own in-house resources alone and must rely on external specialist partners. The growth of IT firms specializing in HIPAA compliance has been fueled by demand from small to mid-sized healthcare providers that lack the time, money, staff or expertise to do this work themselves.
Whether you select an external partner or tackle HIPAA compliance internally, there are several broad areas you must address to ensure compliance.
Two general HIPAA rules matter here. The Privacy Rule governs how protected health information, in any form, may be used and disclosed, and who may have access to it. The Security Rule is much more specific about the steps required to achieve the goal of the Privacy Rule for information held electronically (ePHI). It establishes a national standard for protecting the confidentiality, integrity and availability of ePHI, however it is created, received, maintained or transmitted.
Establishing a HIPAA compliant data center requires the following to be carried out as a minimum:
Establish Physical Security and Safeguards –
In practice this means controlling who has access to the physical location of the data center: imposing access controls, establishing who is authorized to enter, and what level of access each person is allowed. It also covers individual access to workstations, electronic media and the servers on which data resides, as well as the physical transport of electronic media and their disposal and re-use (for example, wiping or destroying drives before they leave the facility or are repurposed).
Establish Technical Safeguards –
This establishes control over who may access protected data and at what level. Typical technical safeguards include unique user IDs (no shared accounts, so that every action is attributable to one person), password and encryption protections, emergency access procedures for obtaining necessary ePHI when normal controls are unavailable, automatic logoff of unattended or inactive workstations, and audit trails and logs that record who accessed which records and when.
Establish Network Security Safeguards –
This covers not only the internal network but also how patient health information is protected when it is transmitted across networks, typically by encrypting it in transit and verifying that it has not been altered on the way. The focus is on preventing unauthorized access to information, not only from external threats such as an attacker or malware, but also from unauthorized use by employees inside the organization.
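To make the technical safeguards above concrete, here is an added example (written for this page, not code from the article, from Swift Systems, or from any HIPAA guidance) that models them in a small access gateway: unique user IDs with no shared accounts, access to patient records limited to assigned clinicians, a logged break-glass path for emergency access, automatic logoff after a period of inactivity, and a hash-chained audit trail that reveals tampering. The user directory, patient assignments and the 15-minute idle timeout are constructed sample data and an assumed policy value, not figures from the page.

```python
"""Added example: a minimal model of HIPAA Security Rule technical safeguards.
Users, patient assignments and the idle timeout below are constructed sample
data and assumed policy values, not taken from the article."""
import hashlib
import json
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: log off after 15 idle minutes

# Constructed sample directory: one ID per person, no shared "nurse-station" logins.
USERS = {"dr.lee": "physician", "dr.patel": "physician", "billing.ann": "billing"}
# Constructed sample assignments: which clinician may routinely read which record.
ASSIGNED_PATIENTS = {"dr.lee": {"P-1001", "P-1002"}, "dr.patel": {"P-2001"}}


class AuditTrail:
    """Append-only, hash-chained log: each entry commits to the previous one,
    so editing or deleting an event makes verify() fail."""

    def __init__(self):
        self.entries = []
        self._prev_hash = "0" * 64

    def record(self, ts, user_id, action, record_id, outcome):
        entry = {"ts": ts, "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        self._prev_hash = entry["hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class EphiGateway:
    """Mediates every read of a patient record and logs the decision."""

    def __init__(self):
        self.audit = AuditTrail()
        self.sessions = {}  # session token -> {"user": id, "last_activity": ts}

    def login(self, user_id, ts):
        # Unique user ID: refuse anything not in the directory (no shared accounts).
        if user_id not in USERS:
            self.audit.record(ts, user_id, "LOGIN", None, "DENIED_UNKNOWN_USER")
            return None
        token = secrets.token_hex(16)  # session token is separate from the user ID
        self.sessions[token] = {"user": user_id, "last_activity": ts}
        self.audit.record(ts, user_id, "LOGIN", None, "OK")
        return token

    def _session(self, token, ts):
        sess = self.sessions.get(token)
        if sess is None:
            return None
        # Automatic logoff: an idle session is terminated and the logoff is logged.
        if ts - sess["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self.audit.record(ts, sess["user"], "AUTO_LOGOFF", None, "OK")
            return None
        sess["last_activity"] = ts
        return sess

    def read_record(self, token, record_id, ts, break_glass_reason=None):
        sess = self._session(token, ts)
        if sess is None:
            self.audit.record(ts, None, "READ", record_id, "DENIED_NO_SESSION")
            return None
        user = sess["user"]
        if record_id in ASSIGNED_PATIENTS.get(user, set()):
            self.audit.record(ts, user, "READ", record_id, "OK")
            return f"record {record_id}"
        # Emergency access procedure: allowed, but only with a stated reason,
        # and logged distinctly so it can be reviewed afterwards.
        if break_glass_reason:
            self.audit.record(ts, user, "BREAK_GLASS_READ", record_id,
                              "OK:" + break_glass_reason)
            return f"record {record_id}"
        self.audit.record(ts, user, "READ", record_id, "DENIED_NOT_ASSIGNED")
        return None
```

The point of the hash chain is that the audit trail must itself be an integrity control: a log an insider can quietly edit does not satisfy the audit-controls requirement. In a real deployment the chain head would be shipped off-host or anchored in a write-once store, the timestamps would come from a trusted clock, and break-glass events would feed a review queue rather than just a file.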
Jane Connolly writes on healthcare issues and the implications of HIPAA on healthcare providers. She is currently writing a Whitepaper on HIPAA compliance for Swift Systems.