Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) mandates protecting the privacy and security of patients’ confidential health information, including when and with whom that information can be shared.
A supplemental HIPAA Privacy Rule regulates the use and disclosure of patient data—whether verbal, written, or electronic (both via email and file transfer)—for health care providers, health plans, and health care clearinghouses, all known as covered entities. The HIPAA Security Rule specifically defines security standards for the management of personal health information in electronic form (ePHI) by covered entities.
The Health Information Technology for Economic and Clinical Health (HITECH) Act (2010) and the HIPAA Omnibus Rule (2013) strengthen HIPAA’s privacy and security rules and toughen the penalties for breaches of patient privacy and health information security.
Covered entities must be in compliance with HIPAA’s privacy and security standards even if they contract with vendors to perform some of their essential functions. In other words, your responsibilities and liabilities under HIPAA extend to all of your business associates. These include labs, billing offices, clinical services, and the like, as well as the providers of your cloud-based IT services.
You need to protect ePHI and prove compliance
Under HIPAA, you need to have total security and control for the storage of your email, health records, and other systems that handle ePHI in order to prove compliance.
You must have systems and procedures in place to record and analyze all activity in your systems that store or use ePHI. In fact, you have to be able to track and verify access to ePHI at every attempt. This includes tracking and reporting all emails sent inside and outside of your network. And you must also be able to document the access and security controls you have in place to protect patient privacy in your voice communications as well.
Such audit and reporting capabilities are not just your responsibility. They are also your best protection. They enable you to keep your systems’ performance and compliance at peak levels and to spot vulnerabilities before they escalate into problems. And they give you the data you need to demonstrate your compliance with federal regulations. That’s essential, because in addition to complying with HIPAA’s broad set of requirements, you also have to prove your compliance by satisfying regular audits, inquiries, or claims.
Deploy business systems that provide the proper safeguards
Email. HIPAA compliance requires that the technical safeguards for your email system and practices fall into three main categories:
- Making sure only authorized personnel have access to ePHI via email.
- Protecting ePHI from being improperly altered or destroyed. This includes having technical security measures in place, such as encrypting emails, which prevents others from tampering with ePHI when it is transmitted to recipients outside of your network.
- Recording and monitoring all logins to your health care information systems (including date, time, and IP address) and tracking all sent and received emails.
Files. Multiple parties, both inside and outside of your organization, need access to your patients’ electronic health information and that imposes a complex set of requirements on your IT systems, including:
- Controlling access to patient information, including monitoring and auditing any person, both inside and outside of your organization, who has access to or use of such records.
- Securing ePHI from improper change or destruction by backing up every version of each file.
- Securing ePHI on mobile devices, both devices issued by you and personal devices.
Remember, the same requirements apply to the covered entities with whom you communicate and share protected information, including the cloud IT providers to which you outsource your essential business services.