The protection of patient information is crucial to health care, and the Health Insurance Portability and Accountability Act (HIPAA) is the guiding force in that protection. Signed into law in 1996, HIPAA established a national set of standards that provided a consistent, secure way of handling sensitive health data, along with a full set of patient privacy rights and restrictions on the use and disclosure of that information. HIPAA requires specific security protocols for managing electronic health information, as the amount of patient information managed digitally increases with each year.
Beyond being essential for compliance, taking the HIPAA standards seriously is highly beneficial to the ongoing credibility of healthcare software. While formal enforcement of the HIPAA standards takes the form of regulatory compliance, the threat of lawsuits, and hefty fines, healthcare software's credibility with patients may also suffer if they find out that their records have been accessed without authorization, depending on the nature of the data breach.
We will begin by describing the relevant regulations, then explore the main elements of compliant systems, and then discuss the major challenges that healthcare organizations tend to face. Finally, we'll conclude by reviewing some best practices for staying compliant and provide a deeper look at real-world solutions that can help organizations operate under HIPAA regulations.
Initially published in 2003, the HIPAA Privacy Rule establishes national standards to protect individually identifiable health information. HIPAA applies to what it calls 'covered entities': healthcare providers, health plans, and healthcare clearinghouses. Covered entities must abide by requirements governing how they may use or disclose protected health information (PHI) within their operations and to whom they may disclose it, in order to ensure patient privacy. Covered entities must also abide by restrictions on the uses and disclosures made about their patients. The HIPAA Privacy Rule also extends to business associates.
Regulations under HIPAA define a breach as an impermissible use or disclosure under the act that compromises the security or privacy of protected health information. A breach is triggered whenever PHI is accessed, used, or disclosed in a way that is not authorized by international, federal, or state law and that poses a significant risk of financial, reputational, or other harm to an affected individual.
Encryption is a core component of HIPAA compliance because it prevents intercepted information from being read by unauthorized persons, whether the interception happens on the network or at the access point. Even if an unauthorized party gains access to information transmitted online, the data is useless to them unless they also obtain the encryption key. This is essential to meeting the HIPAA security criteria.
Access controls are necessary to prevent unauthorized access to electronic health information. Users must be authenticated (verified) by username and password, and potentially by biometric scanning or multi-factor authentication (MFA). Authorization then ensures that a given user can access only the information they are supposed to have access to, according to their role.
In a role-based access control (RBAC) system, the permissions granted to a user depend on their role in the organization. By defining the access level according to job function, an RBAC system applies least privilege, ensuring that a user can see only the information they have a need to know. This reduces the risk of data being exposed inadvertently or deliberately.
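The following is an added example, not code from the article, showing how the authentication-then-authorization flow above looks as a least-privilege RBAC check over patient records. The role names, permission strings, record identifiers, and the audit log format are all constructed for illustration; HIPAA does not prescribe them.

```python
"""Minimal RBAC authorization check for ePHI with an audit trail.
Constructed example: roles, permissions and record ids are illustrative."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Permissions are attached to job functions, never to individual people.
# Deny-by-default: a role that is not listed here grants nothing, and an
# IT administrator role deliberately carries no PHI permission at all.
ROLE_PERMISSIONS = {
    "physician": frozenset({"phi:read", "phi:write"}),
    "nurse": frozenset({"phi:read"}),
    "billing": frozenset({"billing:read"}),
    "it_admin": frozenset({"system:backup"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    mfa_verified: bool  # authentication outcome, decided before authorization


@dataclass
class AuditLog:
    # (user, action, resource, allowed) -- every decision is recorded,
    # including denials, so unauthorized access attempts are visible.
    entries: List[Tuple[str, str, str, bool]] = field(default_factory=list)


def effective_permissions(user: User) -> FrozenSet[str]:
    """Union of permissions across all of the user's roles."""
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def access_record(user: User, action: str, record_id: str, audit: AuditLog) -> bool:
    """Return True only if the user is authenticated (MFA) and the action
    is covered by one of their roles; log the decision either way."""
    allowed = user.mfa_verified and action in effective_permissions(user)
    audit.entries.append((user.name, action, record_id, allowed))
    return allowed
```

Reviewing the audit log for denied entries is how the "inadvertently or deliberately exposing data" risk in the paragraph above becomes observable.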
Backups of stored data should be made regularly and organized systematically so that the integrity and availability of the data in the system can be maintained when an incident occurs. The backups must capture the most important data on a schedule defined in advance, in case the server or system crashes or data is corrupted. Once those procedures are in place, an important additional step is to replicate the backups regularly to multiple separate locations, so that they remain available when an incident does occur.
A good disaster recovery plan describes all activities and actions required to restore data and operations in case of a data center loss or a major outage. It must include the steps for data restoration, system recovery, and communication with internal and external stakeholders, and it must be tested periodically. The disaster recovery plan should also be amended periodically in response to changes in the production system and facility.
An important technical issue in bringing your system into a HIPAA-compliant form is legacy integration: how encryption and similar features of modern HIPAA-compliant systems are fitted into older systems that you may already have in place. A company might have older systems that do not natively support modern security protocols or encryption standards, or a system designed with different security requirements in mind, and retrofitting it to be HIPAA compliant can be considerably more complicated.
Another challenge is interoperability, ensuring that multiple platforms can talk to each other. Healthcare settings may involve many systems, applications, and third-party solutions, which must be integrated after extensive technical planning and testing to ensure the data remains secure and accessible to those authorized to use it.
The cost of obtaining—and, more importantly, staying—in compliance with HIPAA is high. It comes in the form of hardware and software expenditures to implement compliance technology, routine risk assessments, and training staff to stay compliant. These are usually expensive drains of valuable capital that smaller healthcare outfits may struggle to afford.
Beyond initial implementation, proper HIPAA compliance demands continued investment. You must keep up with new security threats (via software updates), regularly conduct audits, and ensure your staff stays current as new ways of working are adopted. For smaller practices, all these costs can mean decreased financial and human resources.
HIPAA regulations involve many rules and standards for privacy, security, and breach notification. Navigating all the various provisions of the standards, and incorporating them into the organization's operations, requires extensive knowledge and skill. This is no small task, especially when the requirements keep changing as new legislation is passed or the government issues guidance in response to issues that arise.
By their very nature, HIPAA guidelines and the related laws that govern their implementation are subject to frequent change and revision, which will necessitate retooling of compliance processes. Organizations will need to follow regulatory announcements; some will require interpretation of new guidelines, and others may demand a change in policy and systems. Handled without outside help, most of these HIPAA-related facets can be quite challenging, especially for small and medium-sized enterprises (SMEs) that lack dedicated compliance teams and resources.
Risk assessments should be performed at least once a year to flag vulnerabilities within the healthcare organization or related healthcare processes. These risk assessments involve evaluating the physical and cyber security and privacy policies and controls, identifying vulnerabilities, threats, and known risks, and rating each identified issue's likelihood and risk level. Risk assessments provide the healthcare organization with a complete overview of the status quo, where possible improvements can be made, and where compliance gaps can occur.
Following the identification of relevant vulnerabilities, sound remediation measures should be deployed to mitigate risk and help the organization achieve a higher degree of compliance. These measures may include updating security protocols, updating or improving encryption standards or access controls, or other such measures. Periodic follow-up assessments and monitoring can be conducted to ensure that the remediation activities are effective and that new risks are being properly handled.
High-quality employee training should ensure that all staff members understand and follow HIPAA requirements. HIPAA training should typically cover the key concepts surrounding compliance, including data privacy, security practices, and breach response procedures. It should be repeated on a regular basis and include important updates and refreshers for staff members to stay up to date with changes to regulations and best practices.
Creating a culture of compliance within your organisation requires that HIPAA compliance be seen as ‘everyone’s job’. To achieve this, you must effectively communicate compliance concerns, recognize and reward compliance efforts, and, more generally, ensure that all employees are aware of the importance of keeping their patients’ personal health information private. A culture of compliance needs leadership support and clear, consistent communication.
There is considerable pressure on healthcare organizations to work with third-party vendors that might hold PHI. From a HIPAA perspective, compliance may require an entity to exercise reasonable due diligence to ensure that a vendor it does business with maintains appropriate safeguards and has not suffered breaches in the past.
In addition to training, formal agreements and contracts with your business associates are crucial for delineating compliance responsibilities and expectations. Contractual clauses that might be included are expectations that business associates will adopt the security measures required to protect ePHI from anticipated threats and risks, will notify the covered entity of any breach of ePHI, and will grant the covered entity the right to conduct both periodic and special audits.
To sum up, HIPAA forms a critical piece of the healthcare computing infrastructure. Given the possibility of tens to hundreds of millions of dollars at risk in a hack and the grievous risk a breach represents at the bedside, HIPAA compliance is a vital driver of data protection and a cornerstone of all that is right with US healthcare. It is also worth noting that while the specific methods for compliance vary, compliance itself is not solely a matter of high-tech solutions, nor is it an impossibly expensive proposition. Compliance with HIPAA requires dealing with technical integration, financial constraints, and regulatory complexity. It means adhering to best practices such as completing risk assessments annually, training employees, and managing vendors. Compliance with current HIPAA rules is likely to bring a great deal of value to an organization as it anticipates future trends. A commitment to HIPAA compliance is certainly a commitment to meeting the letter of the law, but, more importantly, it is also a commitment to meeting the highest possible standards of data security and patient privacy in the rapidly evolving world of healthcare computing.