Every business that handles ePHI (electronic protected health information) is required to adhere to HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations. It’s not an easy document to navigate or understand.
Part of the HIPAA document addresses the security obligations of businesses and their employees. This section discusses the “confidentiality of all ePHI the covered entity (i.e. businesses) creates, receives, maintains or transmits”. It is all about how businesses are expected to protect ePHI, and in turn, protect their patients. It even expects businesses to be prepared for any number of potential risks. HIPAA compliance is neither simple nor straightforward. There are dozens of nuances that must be addressed properly if a healthcare company wants to stay in business.
Companies that don’t adhere to these regulations are liable for fines, legal action, and even an immediate shutdown of their business. In this article, we will discuss the section on Technical Safeguards (one of many, many sections in the HIPAA document).
Access Control
- Unique user identification: “Assign a unique name and/or number for identifying and tracking user identity.” Every single employee in your business should have their own unique username and password. This ensures that any ePHI handled by an employee can be traced back to that employee. If something gets mishandled, the user who’s at fault can be identified.
- Emergency access procedure: “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” In case of an emergency where ePHI data is lost (a bad storm, fire, vandalism, system failure, etc.), a procedure should be in place. This procedure should include offsite (or cloud) backup of ePHI, a business continuity plan, and other emergency responses to these types of disasters.
- Automatic logoff: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” This refers to when your computer locks itself or goes into sleep mode after some period of inactivity. We suggest locking computers (Windows+L) any time you walk away from your desk. Even so, your computer should lock on its own after a set amount of idle time. Know your environment - while 10 minutes may be fine for some offices, 2 minutes may be better for others.
- Encryption and decryption: “Implement a mechanism to encrypt and decrypt electronic protected health information.” When sharing or transmitting ePHI, especially over email, it’s important to ensure that the ePHI is encrypted so that it cannot be read by an unauthorized person. Encryption makes an email unreadable unless you hold the key or password needed to access it.
Audit Controls
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” This safeguard is for tracking user activity inside the applications that handle ePHI. This way, businesses know the when/where/what/who of changes made in the application.
Integrity
“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.” Ensure that the ePHI is not altered or destroyed. The ePHI your business collects should be as accurate as possible. This includes guaranteeing the validity of the sources your business uses to collect ePHI.
Person or Entity Authentication
“Implement procedures to verify that a person seeking access to electronic protected health information is the one claimed.” This refers to the authentication of your employees or other users accessing ePHI. The best way to authenticate your users is through two-factor authentication. Typically, 2FA is a physical keycard to access a computer, a cell phone code, or even a small device on your keyring that requires a button press when accessing a computer. This all occurs after the user puts in the correct username and password - thus the ‘two’ part of two-factor authentication.
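To make the ‘two’ part concrete, here is an added example (not from the original article) of a login that checks a password first and only then a phone-app code. The code is assumed to be TOTP (RFC 6238), which is what common authenticator apps generate; the demo user, salt, password and base32 secret are constructed for this example, and the secret is the RFC 6238 test secret so the codes can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo user: a per-user TOTP secret (base32, as shown to the phone app
# at enrollment) and a salted PBKDF2 password hash. Real values come from a user store.
_SALT = b"constructed-salt"
USERS = {
    "jdoe": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test secret
    }
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(secret_b32), at // step)

def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate phone clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + drift * step, step), code):
            return True
    return False

def login(username: str, password: str, code: str, at: int) -> bool:
    """Factor one: username and password. Factor two, only if the first passed: phone code."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False  # first factor failed; the code is not even examined
    return verify_totp(user["totp_secret"], code, at)

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["jdoe"]["totp_secret"], now)
    print("login ok:", login("jdoe", "correct horse", code, now))
```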
Transmission Security
- Integrity controls: “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.” This is similar to the integrity rule listed above but refers specifically to ePHI that has been transmitted electronically.
- Encryption: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” This is also similar to the encryption and decryption rule above, but, again, refers specifically to ePHI that has been transmitted electronically.
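One way to meet both the audit-control requirement (record and examine who/what/when/where) and the not-modified-without-detection requirement, as an added illustration that is not from the original article: each ePHI access event is chained to the previous one with a keyed MAC, so later alteration or deletion of an event is detected, and the log can be examined per patient record. The key, field layout, workstation names and sample events are constructed for this example; the same keyed MAC attached to a record before transmission gives the receiver the integrity check the transmission-security safeguard asks for.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example; in practice it lives in a secrets manager or HSM,
# is held by the logging service only, and is not readable by application users.
AUDIT_KEY = b"constructed-audit-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry

def seal(prev_mac: str, entry: dict) -> str:
    """Keyed MAC over the previous entry's MAC plus this entry's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

def append_event(log: list, who: str, what: str, record: str, where: str, when=None) -> dict:
    """Record who/what/when/where for one ePHI access, chained to the prior entry."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"who": who, "what": what, "record": record, "where": where,
             "when": when or datetime.now(timezone.utc).isoformat()}
    sealed = {"entry": entry, "mac": seal(prev_mac, entry)}
    log.append(sealed)
    return sealed

def first_bad_entry(log: list) -> int:
    """Index of the first entry whose MAC or chain link fails, or -1 if intact."""
    prev_mac = GENESIS
    for i, item in enumerate(log):
        if not hmac.compare_digest(seal(prev_mac, item["entry"]), item["mac"]):
            return i
        prev_mac = item["mac"]
    return -1

def events_for_record(log: list, record: str) -> list:
    """The 'examine' half of the safeguard: who touched a given record, and when."""
    return [e["entry"] for e in log if e["entry"]["record"] == record]

if __name__ == "__main__":
    log = []
    append_event(log, "jdoe", "view", "patient-1042", "ws-07", "2024-01-15T14:02:11+00:00")
    append_event(log, "jdoe", "update", "patient-1042", "ws-07", "2024-01-15T14:05:40+00:00")
    append_event(log, "asmith", "view", "patient-2210", "ws-12", "2024-01-15T14:06:02+00:00")
    print("intact:", first_bad_entry(log) == -1)
    log[0]["entry"]["who"] = "asmith"  # simulate after-the-fact alteration of an event
    print("first tampered entry:", first_bad_entry(log))
```

Truncating the tail of the log is the one change the chain alone does not reveal; keeping the latest MAC in a separate store (or a periodic signed checkpoint) closes that gap.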
Navigating and understanding the HIPAA regulations doesn’t have to be hard. In fact, we deal with the technical safeguards for HIPAA every day for our clients. We can help prepare you to get the best start on HIPAA compliance. Want a cybersecurity assessment with an emphasis on HIPAA compliance? Just let us know - we’d be happy to help.