

HIPAA: A guide to the basics of implementation


Written by Patrick Taylor
August 25, 2018



INTRODUCTION


As more of the world becomes digital, industries must follow suit, and the healthcare industry is no exception. Unlike most other industries, however, healthcare has comparatively stringent rules placed on it by the US Federal Government. Whether you’re a hospital, doctor’s office, or clearinghouse, if you handle electronic Personal Health Information (ePHI) you need to conform to the guidelines laid out by HIPAA, the Health Insurance Portability and Accountability Act. These types of organizations are called “covered entities”, a term that will be used throughout this guide.

HIPAA breaks down into four rules, of varying difficulties to implement and follow:

HIPAA Privacy Rule
HIPAA Security Rule
HIPAA Enforcement Rule
HIPAA Breach Notification Rule

The Privacy and Security Rules are the two you’ll mainly need to be concerned with. You’ll also need a policy in place for the Breach Notification Rule, in case a breach occurs. The Privacy Rule mainly lays out what can be done with PHI, both digital and physical, and the Security Rule is mostly about implementing the Privacy Rule for ePHI. Without further ado, let’s dive in.



HIPAA PRIVACY RULE



The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. These rules apply to all PHI, not just ePHI.

The Privacy Rule requires Business Associates to do the following:

Do not allow any impermissible uses or disclosures of PHI.
Provide breach notification to the Covered Entity.
Provide either the individual or the Covered Entity access to PHI.
Disclose PHI to the Secretary of HHS, if compelled to do so.
Provide an accounting of disclosures.
Comply with the requirements of the HIPAA Security Rule.

Read more about it here. These rules act as a framework which the Security Rule builds upon, giving more specific guidelines for ePHI.


HIPAA SECURITY RULE

The Security Rule is the most important Rule of the four for any service, product, or business handling ePHI. The rule has safeguards covering security standards from administrative, physical, and technical perspectives, with guidelines for each. The safeguards are technology neutral, which means that even as technology evolves, the rules still apply. Every safeguard is one of two types, either required (R) or addressable (A). If it is required, it must be met to be HIPAA compliant; addressable safeguards only require that you consider the safeguard and decide whether it makes sense for your organization: if it does, implement it, and if not, document the reason why. Extensive documentation, covering each safeguard, is required to be HIPAA compliant. To read more about the overall structure of the Security Rule, read here.

Administrative Safeguards

The administrative safeguards are the most extensive section of the security rule, comprising over half of all the safeguards. The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” There are 9 standards that are under the administrative section.

Security Management Process
Assigned Security Responsibility
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Workforce Security
Business Associate Contracts and Other Arrangements

Breaking these 9 down, there are 18 things to do:

  1. Security Management Process - Risk Analysis (required): Perform and document a risk analysis to see where PHI is being used and stored in order to determine all the ways that HIPAA could be violated.
  2. Security Management Process - Risk Management (required): Implement sufficient measures to reduce these risks to an appropriate level.
  3. Security Management Process - Sanction Policy (required): Implement sanction policies for employees who fail to comply.
  4. Security Management Process - Information Systems Activity Reviews (required): Regularly review system activity, logs, audit trails, etc.
  5. Assigned Security Responsibility - Officers (required): Designate HIPAA Security and Privacy Officers.
  6. Workforce Security - Employee Oversight (addressable): Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
  7. Information Access Management - Multiple Organizations (required): Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
  8. Information Access Management - ePHI Access (addressable): Implement procedures for granting access to ePHI that document access to ePHI or to services and systems that grant access to ePHI.
  9. Security Awareness and Training - Security Reminders (addressable): Periodically send updates and reminders about security and privacy policies to employees.
  10. Security Awareness and Training - Protection Against Malware (addressable): Have procedures for guarding against, detecting, and reporting malicious software.
  11. Security Awareness and Training - Login Monitoring (addressable): Institute monitoring of logins to systems and reporting of discrepancies.
  12. Security Awareness and Training - Password Management (addressable): Ensure that there are procedures for creating, changing, and protecting passwords.
  13. Security Incident Procedures - Response and Reporting (required): Identify, document, and respond to security incidents.
  14. Contingency Plan - Contingency Plans (required): Ensure that there are accessible backups of ePHI and that there are procedures for restoring any lost data.
  15. Contingency Plan - Contingency Plans Updates and Analysis (addressable): Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
  16. Contingency Plan - Emergency Mode (required): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
  17. Evaluations (required): Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
  18. Business Associate Agreements (required): Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.

For more notes on Administrative Safeguards look at this paper here.

Physical Safeguards

These Safeguards are about controlling the physical access to the ePHI, controlling things like workstation use. The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” There are 4 standards in this section.

Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls

Looking into these, there are 10 necessary things to implement.

  1. Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  2. Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  3. Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  4. Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
  5. Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
  6. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
  7. Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
  8. Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
  9. Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
  10. Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

To read more on the physical safeguards necessary, look here.

Technical Safeguards

The Technical Safeguards focus on digital protections put in place to keep ePHI safe. The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” There are five standards associated with the Technical Safeguards.

Access Control
Audit Controls
Integrity
Authentication
Transmission Security

When you break down the 5 standards, there are 9 things that you need to implement.

  1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
  2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
  3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
  5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
  7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
  8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
  9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.

To read more on the Technical Safeguards, click here.
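As an added illustration (not AeroAdmin's code and not an HHS reference implementation), the small Python store below implements four of the safeguards listed above in one place: Unique User Identification, Automatic Logoff, Audit Controls, and the Integrity mechanism (an HMAC tag over each record that is checked on every read). The 900-second idle limit, the record layout and the class name are assumptions; encryption at rest (safeguard 4) is deliberately left out to keep the example focused.

```python
import hashlib
import hmac
import secrets
INACTIVITY_LIMIT = 900  # idle seconds before automatic logoff (assumed value)

class EphiStore:
    def __init__(self, integrity_key):
        self._key = integrity_key
        self._records = {}   # record_id -> (data bytes, HMAC tag)
        self._sessions = {}  # session token -> [user_id, last_activity]
        self.audit_log = []  # Audit Controls: (time, user, action, record, outcome)
    def login(self, user_id, now):
        # Unique User Identification: each session is bound to one user_id.
        token = secrets.token_hex(16)
        self._sessions[token] = [user_id, now]
        self.audit_log.append((now, user_id, "login", None, "ok"))
        return token

    def _user_for(self, token, now):
        # Automatic Logoff: an idle session is dropped instead of honoured.
        session = self._sessions.get(token)
        if session and now - session[1] > INACTIVITY_LIMIT:
            self.audit_log.append((now, session[0], "auto_logoff", None, "ok"))
            del self._sessions[token]
            session = None
        if session is None:
            return None
        session[1] = now
        return session[0]

    def _tag(self, record_id, data):
        msg = record_id.encode() + b"\0" + data
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def write(self, token, record_id, data, now):
        user_id = self._user_for(token, now)
        if user_id is not None:
            self._records[record_id] = (data, self._tag(record_id, data))
        self.audit_log.append((now, user_id, "write", record_id, "ok" if user_id is not None else "denied"))
        return user_id is not None

    def read(self, token, record_id, now):
        user_id = self._user_for(token, now)
        data, tag = self._records.get(record_id, (None, b""))
        outcome = "denied" if user_id is None or data is None else "ok"
        # Integrity: serve the record only if its HMAC tag still matches.
        if outcome == "ok" and not hmac.compare_digest(tag, self._tag(record_id, data)):
            outcome = "integrity_failure"
        self.audit_log.append((now, user_id, "read", record_id, outcome))
        return data if outcome == "ok" else None
```

Every path, including denied reads and tampered records, lands in `audit_log`, which is what the Information Systems Activity Reviews in the administrative section would be examining.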

Note that the software you use should also be in line with HIPAA standards. AeroAdmin, a free remote access tool, employs industry standard encryption to keep data safe, so it can be used with ePHI.

Documentation, Risk Analysis, and Steps for Small Businesses

HIPAA also provides resources to guide users through how to write policy, conduct a risk analysis, and implement your findings on a small scale. Those documents, as well as the other ones linked thus far, are available here.

HIPAA ENFORCEMENT RULE

This rule just outlines the effects of failing to meet HIPAA standards. You don’t need to worry about it unless you break one of the rules outlined above, but here is a link to more about it if interested.

HIPAA BREACH NOTIFICATION RULE

If you leak PHI, this rule outlines what you must do to notify people of the breach. It requires you to notify anyone whose data was breached, and to notify the public if more than 500 people were affected. More on it can be found here.

CONCLUSION

That about covers it! It is a lot to think about, but ePHI is extremely valuable so it is important to have these safeguards in place. Now that you’ve read this overview, I recommend you dig deeper into those articles, especially those on the Security Rule, to make a plan of implementation. Following these rules, you can ensure both your safety from the punitive effects of the law, and the safety of clients storing ePHI with you.

Patrick Taylor, in addition to writing articles for AeroAdmin, acts as head of IT and Cybersecurity for a small business management firm. Learn more about him at ptaylor2018.github.io.

To make your life easier, I recommend installing a remote access tool, so you can work on any PC straight from yours. I strongly recommend the remote desktop software AeroAdmin, as it’s built for remote IT work and has a full set of features for remote computer control. In addition, AeroAdmin can be used as free employee monitoring software, which gives added value to this application.