Written by Patrick Taylor
August 25, 2018
As more of the world goes digital, industries must follow suit, and the healthcare industry is no exception. Unlike most other industries, however, healthcare has comparatively stringent rules imposed on it by the US Federal Government. Whether you're a hospital, doctor's office, or clearinghouse, if you handle electronic Personal Health Information (ePHI) you need to conform to the guidelines laid out by HIPAA, the Health Insurance Portability and Accountability Act. These types of organizations are called "covered entities", a term that will be used throughout this guide.
HIPAA breaks down into four rules, of varying difficulty to implement and follow:
HIPAA Privacy Rule
HIPAA Security Rule
HIPAA Enforcement Rule
HIPAA Breach Notification Rule
The Privacy and Security Rules are the main two you'll need to be concerned with. You'll also need a policy in place for the Breach Notification Rule, in case a breach occurs. The Privacy Rule mainly lays out what can be done with PHI, both digital and physical, and the Security Rule is mostly about implementing the Privacy Rule for ePHI. Without further ado, let's dive in.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. These rules apply to all PHI, not just ePHI.
The Privacy Rule requires Business Associates to do the following:
Do not allow any impermissible uses or disclosures of PHI.
Provide breach notification to the Covered Entity.
Provide either the individual or the Covered Entity access to PHI.
Disclose PHI to the Secretary of HHS, if compelled to do so.
Provide an accounting of disclosures.
Comply with the requirements of the HIPAA Security Rule.
Read more about it here. These rules act as a framework which the Security Rule builds upon, giving more specific guidelines for ePHI.
The Security Rule is the most important Rule of the four for any service, product, or business handling ePHI. The rule has safeguards covering security standards from administrative, physical, and technical perspectives, with guidelines for each. The safeguards are technology neutral, which means that even as technology evolves, the rules still apply. Every safeguard is one of two types, either required (R) or addressable (A). A required safeguard must be met to be HIPAA compliant. An addressable safeguard only requires that you consider it and decide whether it makes sense for your organization: if it does, implement it; if not, document the reason why. Extensive documentation, covering each safeguard, is required to be HIPAA compliant. To read more about the overall structure of the Security Rule, read here.
The administrative safeguards are the most extensive section of the Security Rule, comprising over half of all the safeguards. The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information." There are 9 standards under the administrative section.
Security Management Process
Assigned Security Responsibility
Information Access Management
Security Awareness and Training
Security Incident Procedures
Business Associate Contracts and Other Arrangements
Breaking these 9 down, there are 18 things to do:
For more notes on Administrative Safeguards, look at this paper here.
The physical safeguards are about controlling physical access to ePHI, including things like workstation use. The Security Rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." There are 4 standards in this section.
Facility Access Controls
Device and Media Controls
Looking into these, there are 10 necessary things to implement.
To read more on the physical safeguards necessary, look here.
The Technical Safeguards focus on digital protections put in place to keep ePHI safe. The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” There are five standards associated with the Technical Safeguards.
When you break down the 5 standards, there are 9 things that you need to implement.
To read more on the Technical Safeguards, click here.
Note that the software you use should also be in line with HIPAA standards. AeroAdmin, a free remote access tool, employs industry-standard encryption to keep data safe, so it can be used with ePHI.
HIPAA also provides resources to guide you through writing policy, conducting a risk analysis, and implementing your findings on a small scale. Those documents, as well as the other ones linked thus far, are available here.
This rule just outlines the consequences of failing to meet HIPAA standards. You don't need to worry about it unless you break one of the rules outlined above, but here is a link to more about it if you are interested.
If you leak PHI, this rule outlines what you must do to notify people of the breach. It requires you to notify anyone whose data was breached, and to notify the public if more than 500 people were affected. More on it can be found here.
That about covers it! It is a lot to think about, but ePHI is extremely valuable so it is important to have these safeguards in place. Now that you’ve read this overview, I recommend you dig deeper into those articles, especially those on the Security Rule, to make a plan of implementation. Following these rules, you can ensure both your safety from the punitive effects of the law, and the safety of clients storing ePHI with you.
Patrick Taylor, in addition to writing articles for AeroAdmin, acts as head of IT and Cybersecurity for a small business management firm. Learn more about him at ptaylor2018.github.io.
To make your life easier, I recommend installing a remote access tool, so you can work on any PC straight from yours. I strongly recommend the remote desktop software AeroAdmin, as it's built for remote IT work and has a full set of features for remote computer control. In addition, AeroAdmin can be used as free employee monitoring software, which adds value to this application.