Compliance With Rules: Understanding HIPAA Security Standards
HIPAA compliance is more than establishing a general sense of security with patient information. You’re required to do more than what you believe is a “good job.”
The HIPAA Security Rule demands strict compliance. And being out of compliance is more costly than establishing it.
How do you know your practice meets the HIPAA security standards? Read on to learn what it really takes to be HIPAA-compliant.
HIPAA Security Standards
HIPAA established its security rule to keep PHI (protected health information) private and safe. PHI is any sensitive patient information.
This includes everything from name and address to a patient’s past, current, or even future health conditions. If the information is unique or identifying, it is protected.
Patient information maintained in a digital format is referred to as “ePHI.”
And the establishment of the rule makes sense. Individuals have a reasonable right to privacy and discretion with their healthcare.
Compliance is multi-faceted. The HIPAA Security Rule outlines four sections of safeguards. Medical practices and other businesses need to address each:
- Physical
- Administrative
- Technical
- Policies, Procedures, and Documentation
Establishing Compliance
As defined by the HHS, all organizations or “covered entities” handling PHI and ePHI, to account for these four sections, must:
First, guarantee the confidentiality and integrity of any PHI, no matter how it is handled.
Second, recognize and take clear measures against any anticipated threats to the security of all PHI.
Third, ensure that PHI information is not improperly used or disclosed.
And lastly, guarantee staff compliance with these rules and measures.
We can break this into three areas in which to measure and set up safeguards. These areas all account for policies, procedures, and documentation.
Administrative Safeguards
Administrative safeguards account for the ways your business handles and transmits PHI. This starts with a risk assessment to identify the right security measures to take.
Many use a risk assessment tool to comprehensively engage with this process.
Start by evaluating all risks to PHI that exist in your business today. What is the likelihood someone or something will compromise PHI? What is the impact of PHI is compromised?
Next, you need to implement new security measures that will address all of the risks you found in your assessment. Document these procedures along with a rationale for their adoption.
In case of a breach, the rationale helps prove that the measures taken are appropriate and reasonable.
Administrators must maintain these protections over time with periodic risk audits and analyses. If you decide to change any procedures, be sure to document those changes, too.
Physical Safeguards
Physical safeguards address the security of your office spaces and any place where you store PHI. This includes both access to any facilities and how access is controlled.
You must first limit access to any space where you store and handle PHI. You need to further ensure that only trained and authorized staff has access.
Aside from the physical space, you need to set policies for workstations and devices as well. This is more than password-protecting devices (a technical safeguard). It is also ensuring that only approved personnel can access these devices.
Set up procedures for how to use any computers or electronic media, including how it is moved and or thrown away.
For instance, flash drives used to move PHI cannot leave your office and staff cannot use them on personal devices. While this example addresses ePHI, the data is on physical media.
Some physical HIPAA security measures may include installing alarm systems and door locks. You may want to install security cameras, too.
Technical Safeguards
Technical safeguards refer to the data itself. It’s not enough to limit physical access. You need to secure the information, too.
Start by setting up policies that only allow trained and authorized staff to access PHI and ePHI. This means password-protecting your devices.
You can set up systems to “audit” these devices as well. Install software to keep logs of who uses which devices when. Keep a record of who handles what information.
You should also ensure safe PHI transmission. Staff cannot send patient data through common email servers, for instance. Make sure your fax machine is HIPAA-compliant, too!
Finally, you want to establish integrity across your technical measures. This means training your staff to properly handle PHI so it is never accidentally changed or deleted.
Consider enrolling your staff in HIPAA certification courses.
Technical security measures may include setting up in-office firewalls and HIPAA-compliant data servers. You may want to encrypt and backup your devices, too.
Regarding Digital Data
HIPAA’s Security Rule is “technology-neutral.” They do not require any specific technology as long as you meet the outlined standards.
While this does give you options, it’ll be your due diligence to check compliance. Just because an email server is “encrypted,” that does not mean it is HIPAA-compliant.
Check privacy and data management policies first or find solutions that display compliance publicly.
Remember that cyberattacks on company data increase every year. It is easier to achieve compliance now than it is to report and remediate breaches in the future.
Are You Compliant?
Are you confident that you meet every standard? If so, you should double-check against a HIPAA Security Rule checklist.
The truth is that whether or not you meet the HIPAA security standards today, you want to ensure that you will well into the future. It is not easy to regularly audit your policies and procedures, especially as technology changes.
Be sure your business is compliant with all HIPAA policies. Reach out today and we’ll make sure your needs are met.