The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that created national standards to protect the privacy of patients’ medical records (including electronic records) and other personal health information.
The legislation makes the organizations and individuals who collect and manage personal healthcare data legally liable for its security, including health care providers, health plans, health care clearinghouses and the business associates of any of these. Negligence or misuse of private information can result in civil and criminal penalties.
As a result of HIPAA, the Department of Health and Human Services created specific regulations for the handling of Protected Health Information (PHI), including electronic or digital forms (ePHI). HIPAA has two main sets of requirements related to privacy and security.
The HIPAA Privacy Rule governs the saving, accessing and sharing of health-related and other personal information, either oral or written.
This rule defines the guidelines safeguarding the confidentiality of PHI. Standards for identifying and authenticating people and organizations requesting PHI are outlined in this rule.
The HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically.
This rule primarily focuses on the technological measures used to enforce the policies that keep ePHI out of the wrong hands. Failing to comply with these rules can result in penalties not only for organizations but also for the responsible individuals.
Any entity that deals with protected health information must make sure that all the required measures are established and continuously observed — physical security (such as access to data center servers), network security, and process security (audits, policies and staff training).
While the legislation is clear on the privacy, security, and accessibility requirements for organizations, over 91,000 violations were recorded between April 2003 and January 2013. These resulted in 22,000 enforcement actions (which included settlements and fines) with 521 referred to the US Department of Justice for criminal investigation.
HIPAA Compliance Best Practices
1. Review and evolve your policies and procedures. HIPAA is not a “set and forget” proposition; compliance must be a living, changing process that is regularly audited for effectiveness and legality. A lot has changed since 1996 and organizations’ policies must reflect those changes.
2. Accessibility rights are as important as rights to privacy. HIPAA gives patients certain control over their healthcare information, including the right to access it on demand and the right to revoke authorization to store their data. Organizations must act quickly when patients ask for their PHI.
3. If you store your data with a third-party hosting provider, make sure that the provider is HIPAA compliant. The Security Rule imposes many stringent administrative, physical and technical requirements on such providers. Make sure that a full-scale risk assessment of the provider is performed on a regular basis and that a process is in place for monitoring its compliance.
4. Apply common sense to your technology platforms. Shut down computer programs and servers containing patient information when they are not in use, and don’t share passwords among staff members.
5. The US Department of Health and Human Services has found that storing patients’ information on a HIPAA compliant cloud server can be safer than using a localized server or paper documents, so consider this option for increased security.
A HIPAA violation can be as small as a health care worker discussing a patient’s private health information in the elevator or as large as a $1.2 million fine for not erasing PHI from photocopier hard drives before returning them to the leasing agent.
More than ever, common sense and sound corporate governance must be applied to the technologies and processes that manage confidential data. Protecting that data will protect clients and the organization as well.