Whether you’re a medical practice, a dentist, or a mental health care provider, compliance with HIPAA (Health Insurance Portability and Accountability Act) data security guidelines is likely a requirement that you need to take seriously. Leaked PHI (Personal Health Information) through a security breach or mismanagement of records can cause serious sanctions and hefty fines. Health care providers have a responsibility to put appropriate safeguards in place to protect PHI. In order to help make the process easier we present some HIPAA compliance basics. We hope they help.
What is PHI?
The HIPAA Journal gives us this definition and specifics of what is considered PHI.
“PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers. If these identifiers are removed the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.
- Names (Full or last name and initial)
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers;
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data”
There is a lot that needs to be done to protect PHI. The HIPPA legislation gives extensive guidelines about how this data is to be safeguarded. The challenge is that those guidelines are sometimes difficult to interpret. We hope to shed a little light on practical technology solutions your organization can put in place to meet HIPAA guidelines. This is not meant to be used for an audit and is not an exhaustive list. Rather it would give you a good foundation to help protect your clients PHI.
To achieve certified compliance, you would need to get a certified provider to do a HIPAA audit, and remediate any gaps in your solution they indicated. This list is meant to help get you started with the technical portion of HIPAA. There are also physical safeguards and administrative safeguards which are requirements you would need to understand and comply with that will not be addressed here.
HIPAA Compliance Basics – Technical Safeguards
- Access Controls – Essentially, we want to put in place some method that protects who can access PHI data. In practical terms this means that there is a system that forces users to authenticate in some manner before they can access patient data. This is most commonly username and password. Multifactor authentication is recommended and becoming more and more common.
- Unique Identifier – Those usernames and passwords must be UNIQUE to each user. There should never be a password that is shared such as NURSE1!. Part of the reason unique identifiers are required is that if there is a breach, they want to be able to track it down to an individual. Shared usernames and passwords make this impossible.
- Session Termination – Another guideline for HIPAA is that an inactive session be terminated after so many minutes of inactivity. This is usually accomplished by enforcing screen locks by policy after a set amount of time inactive. This forces a user to authenticate again and ensures an unlocked computer with PHI doesn’t sit unattended where prying eyes might gain access.
- Encrypted Email and Backups – Any PHI that leaves the system must be encrypted at transit and at rest. That means that any email with patient info must be encrypted as well as offsite backups of PHI, or any outside consults with shared patient records. Email solutions with encryption are a must for healthcare providers, as well as backup solutions that encrypt data sent offsite.
- Security Updates – Part of protecting PHI is maintaining all security patches and updates on all machines across your organization. There are various software solutions that can help to automate this process. Having auto updates turned on is not sufficient for HIPAA and does not allow you to report on the status of patches at an organizational level.
- Password Policies – You should have organizational policies in places for password complexity and a system that allows you to enforce that policy. MFA is recommended.
- Remote Wipe – In the case that a laptop or device is stolen or misplaced you should have a system in place that allows you to remotely wipe any PHI off that machine.
- Antivirus – AV is a basic protection that every machine containing or accessing PHI should have in place.
- Firewalls – Strong firewalls should be put in place to assist in safeguarding and limiting unauthorized access to PHI. These devices also allow you to add security features like Intrusion Prevention to further protect PHI.
- EMR – Ensure that you choose a quality EMR software that is designed with HIPAA in mind. The EMR provider should also undergo a HIPAA audit and certify that they are compliant.
- BAA – Any vendor that you work with that will have access to your PHI should sign a business associate agreement with you before they begin work. This essentially acknowledges that they understand the rules of HIPAA and will ensure that they will maintain the integrity and security of patient data.
More to it
There are quite a few administrative and physical security guidelines that you should familiarize yourselves with. Hopefully, this quick primer will help you to implement some basic network security that steps you close to compliance. Training your staff on HIPAA is paramount as well. Humans can often be the weakest link in data security. If you get stuck or find yourselves needing help to implement the numerous technical solutions required for compliance, give us a call. i.t.NOW has a track record of helping healthcare providers stay secure and achieve their compliance goals. We would love to make it easier