In February 2018, Fresenius Medical Care paid a $3.5 million settlement resulting from improper handling of Protected Health Information (PHI). Their mistakes included impermissible disclosures, a lack of policies and data encryption, and insufficient safeguards. These failures constituted a major HIPAA violation.
It’s clear from the above settlement just how important HIPAA is to health organizations.
A major component of HIPAA compliance is the Security Rule, which came into effect in 2005. This rule focuses specifically on electronic Protected Health Information (ePHI). With the ever-increasing digitization of the healthcare industry and patient data, the HIPAA Security Rule needs to be at the forefront of any compliance conversation.
A violation of this rule could cost a health organization millions of dollars. In this piece, we’ll discuss the implications of the Security Rule and provide a checklist to help your organization stay compliant.
The three safeguard categories
The HIPAA Security Rule lays out safeguards in three general categories: physical, technical, and administrative. Organizations must rigorously follow guidelines in each category to maintain HIPAA compliance.
Under the Security Rule, physical safeguards relate to the hardware used in the storage and transmission of PHI as well as the people who have access to it. Data centers, devices, and the workers who come in contact with them all fall under the physical safeguard umbrella.
To comply with physical safeguards, organizations should
- Establish controls for facility access. Set guidelines and restrictions to limit physical access to storage hardware facilities. Guidelines should include both employees and contractors and prevent unauthorized access.
- Maintain records and hardware inventory. Healthcare practices should keep comprehensive inventory for all hardware units. If a unit is moved, a record of that movement should be made, and a copy of the ePHI should be made beforehand.
- Implement policies governing workstations. A set of clear security policies should protect any workstation with access to ePHI. These policies need to address the proper function, protection, and restrictions for each workstation.
- Implement policies governing mobile devices. There must be a clear protocol regarding the mobile devices of employees who leave the organization. If a user accessed ePHI from their device, that access must be disabled and any ePHI removed.
Technical safeguards apply to the technology involved in the storage, access, and transmission of ePHI. It’s important to have firewalls in place to protect servers from intrusions and breaches.
In addition, data encryption is critical. Electronic data must be encrypted whenever it leaves your organization’s internal servers. This means that if patient data is transmitted or stored anywhere outside of your servers, that data must be indecipherable to a third party in case of a breach.
- Data encryption must meet NIST standards. Encryption is a crucial piece of technical HIPAA compliance. Your organization’s encryption must meet the standards of the National Institute of Standards and Technology.
- Assign all users a unique username and password. Every individual with access to PHI needs to have their own login credentials. There should also be a protocol for releasing PHI during an emergency.
- Computers and devices should have an automatic logoff. All end user devices should log off the user after a predefined period of inactivity. This prevents unauthorized access via unattended or stolen devices.
- Implement a system to authenticate ePHI. There should be a program in place to authenticate all ePHI data. The goal of this system is to detect any data that has been erroneously altered or deleted.
- Maintain activity logs and audit controls. All attempts to access ePHI should be recorded and logged in a way that can be easily reviewed. There should also be a record of what’s done with the data when it’s accessed.
Administrative safeguards address the overarching structures that ensure compliance within an organization. A healthcare practice must assign one security and one privacy officer to oversee the protection of ePHI. Their duties include
- Performing risk assessments. Failing to conduct adequate risk assessments is a common form of HIPAA noncompliance. These assessments are a core duty of the security officer and should identify any risks for a potential breach.
- Developing a policy for risk management. There should be an ongoing schedule of risk assessments and a plan to handle employees who fail to meet compliance rules.
- Restricting access from third parties. An organization’s practices must prevent unauthorized access to ePHI. This includes access by contractors, subcontractors, and parent companies. All entities with access to ePHI must sign a business associate agreement.
- Establishing a contingency plan. There should be a clear plan in place for emergencies. This plan should address the protection of ePHI while the organization operates during an emergency.
- Providing security training to employees. All employees should be educated on the policies and procedures that support HIPAA compliance. They should be taught how to identify potential threats, such as malware, malicious attacks, and phishing.
HIPAA compliance: An ongoing endeavor
This checklist is designed to help your organization meet the rigorous safeguards under the HIPAA Security Rule. Enacting these measures will help ensure you’re compliant across each of the three categories. However, compliance is not a one-and-done operation.
You need to build constant vigilance and regular reviews into your processes. In addition, HIPAA rules have changed and expanded over time. To remain compliant, you need to stay informed on updates to HIPAA regulations to ensure your organization isn’t at risk for potential fines or legal battles.