HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act.
This US law was designed to set privacy standards that protect patients' medical records. Health information provided to health plans, hospitals, health care providers, and doctors is all protected by HIPAA.
What is HIPAA Compliance?
HIPAA (the Health Insurance Portability and Accountability Act) compliance means adhering to the physical, administrative and technical safeguards outlined in HIPAA.
How Do You Become HIPAA Compliant?
There are many things that need to be achieved to become HIPAA compliant.
Since it was enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996, there have been four major amendments:
- The Security Rule Amendment (2003)
- The Privacy Rule Amendment (2003)
- The Breach Notification Rule (2009)
- The Final Omnibus Rule (2013)
HIPAA Compliance Checklist 2023: HIPAA Rules
- Network Encryption: Any ePHI should meet NIST cryptographic standards whenever it is transmitted over an external network.
- Control/log Access: Each user needs to be assigned a centrally-controlled unique username and PIN code. Detailed logging is required to track all ePHI access (and attempts).
- Automatic Logoff: Users must be logged out after a specific time frame, which is recommended to be between 30 seconds and 3 minutes.
- Control Access: Individuals who have physical access to data storage should be carefully tracked. Reasonable steps need to be taken to block unauthorized entry.
- Manage Workstations: A policy needs to be written to outline which workstations can have access to health data and which ones are restricted. It should describe how a screen should be shielded from other parties and what constitutes appropriate workstation usage.
- Protect and Track: A mobile device policy needs to be written requiring that data is removed from a mobile device before it is passed from one user to another.
- Risk Assessments: A comprehensive risk assessment should be completed for all health data.
- Train Staff: All employees should be trained on all ePHI access protocols and understand how to identify and recognize potential cybersecurity threats like phishing attacks. All training sessions should be recorded and kept.
- Build Contingencies: Ongoing business continuity needs to be achieved by preparing processes to keep data safe.
- Block Access: Check that subcontractors and other parties have not been given access to ePHI and cannot view it. Business agreements should be signed with all partners.
- Document Security Incidents: Any security incident needs to be recognized by staff, and staff need to report occurrences.
HIPAA Privacy Rule
- Respond to Requests: Patient access requests need to be responded to within 30 days.
- Inform Patients: An NPP is required to inform patients of data sharing policies.
- Train Staff: All staff should be trained in privacy and should understand what can and can’t be shared internally or externally.
- ePHI Integrity: Appropriate steps must be taken to maintain integrity of ePHI and the individual personal identifiers of patients.
- Permission to use ePHI: Permission must be granted by the patient to use redacted ePHI for research or marketing.
- Update Forms/Copy: Authorization forms should include reference to changes in the treatment of school immunizations, ePHI restrictions with regard to disclosure to health plans, and patients' rights to their electronic records.
HIPAA Breach Notification Rule
- Notify Patients: Patients and the Department of Health and Human Services (HHS) need to be made aware of any breach of ePHI. If more than 500 people's records have been breached, the media must also be notified. If the breach affects fewer than 500 people, a small-scale breach form must be submitted through the OCR website. All notifications must be completed within 60 days of the breach being discovered.
- 4 Elements: Breach notification messages must contain four elements: a description of the ePHI and personal identifiers involved in the breach, who gained unauthorized access, whether the details were viewed or acquired, and the degree to which risk mitigation has been successful.
HIPAA Omnibus Rule
- Refresh BAA: You must update your Business Associate Agreements (BAA) to reflect the changes of the Omnibus rule.
- Send New Copies: New copies of the BAA should be sent and signed to remain compliant.
- Modernize NPPs: The HIPAA Journal advises that “NPPs must be updated to cover the types of information that require an authorization, the right to opt-out of correspondence for fundraising purposes and must factor in the new breach notification requirements”.
- Train Staff: All staff must be made aware of the Omnibus Rule through thorough training.
Healthcare services in the United States have some of the most rigorous standard requirements globally. Electronic Patient Health Information (ePHI) is protected by legislation introduced in the 1996 Health Insurance Portability and Accountability Act. HIPAA and the subsequent Security Rule and Privacy Rule amendments enact strict control measures over ePHI.
Consequently, HIPAA legislation demands that several physical, administrative and technical safeguards are put in place before ePHI is hosted. These requirements have led many healthcare professionals to outsource IT services to HIPAA compliant hosting providers, often with the aim of fast-tracking digital transformation and enhancing cloud VPS collaboration capabilities.
Healthcare and cloud VPS computing have a dynamic synergy and some truly groundbreaking potential. It is possible that strict legislation may have slowed the uptake of cloud VPS services in the past. Today, however, the integration of healthcare into the cloud is growing at a significant pace.
What should you look for when choosing your HIPAA hosting provider? Here are our observations on why healthcare organizations are transitioning to the cloud.
Security best practice is what HIPAA legislation is all about. All the regulations have the sole purpose of securing ePHI. It is the only reason HIPAA exists. Hosting partners have a duty of responsibility to provide compliant, secure and robust infrastructure.
The hosting provider and any in-scope third parties must enter into a Business Associate Agreement (BAA). This makes all parties responsible for knowing on which systems, and in which geographic locations, ePHI data is hosted, transferred and stored. ePHI data must be secured in transit and at rest at all times.
Employee access is controlled, audited and constantly maintained using the principle of least privilege. Physical building controls are required to audit access to and from data centers hosting ePHI. Some cloud VPS hosting providers take security to the next level by encrypting all HIPAA data, even though this is only a recommendation of the legislation.
Cloud VPS provider administrators are responsible for security updates, firmware updates, and vulnerability scanning and remediation. Up-to-date, enterprise-grade antivirus is a necessity, as is an Intrusion Prevention System (IPS) that logs and audits events around the clock and automatically escalates responses to a team of security experts.
Healthcare professionals can consume HIPAA security-as-a-service and plug straight into the hosting provider's security platform. This is a huge benefit for the healthcare organization and one of the major reasons why outsourcing to a HIPAA provider is so popular.
2. Business Continuity and Disaster Recovery
The HIPAA Security Rule added a number of detailed requirements for Business Continuity and Disaster Recovery planning. The rule demands the development of a process to follow in the event of a crisis or disaster scenario.
A data recovery plan should also be implemented. This is a program to back up and protect systems containing ePHI, achieved via a predefined backup schedule and the replication capabilities agreed to in the BAA. Data is normally replicated to at least one other data center location.
A Disaster Recovery Plan (DRP) is drawn up which covers the technical and administrative responsibilities of the hosting provider. This includes the capability to fail over core business services to an alternative location in the event of a catastrophic failure, and the ability to recover and access ePHI data from backup.
All continuity planning must be tested and reviewed at least once a year. If no plan exists prior to teaming up with a HIPAA hosting partner, a Business Impact Analysis is required that identifies and prioritizes critical IT components that are in scope of the plan.
Business Continuity and Disaster Recovery planning is essential for HIPAA compliance; however, the technical complexities of creating a redundant, failsafe platform are difficult to manage in-house. This is another significant reason why outsourcing is so popular. HIPAA hosting partners already have the infrastructure in place, and healthcare organizations simply plug in to the service.
HIPAA regulated applications are designed to share ePHI between authorized users and authorized systems. Sharing data opens up huge potential for collaboration. This capability dramatically speeds up diagnosis and provides medical professionals with a collaborative, agile working environment.
Data interoperability and secure cloud computing empower healthcare organizations to stay relevant in the modern workplace and open the door to new opportunities to provide better patient care. Multiple teams can work on the same projects concurrently, and communications are improved through messaging services, 5G data communications, and collaborative tool sets.
API platforms enable applications to exchange data and share information securely. Teams in different geographical locations can collaborate remotely. Medical applications can share ePHI to speed up the diagnosis process.
Clinical support teams benefit greatly from sharing medical information. Shared medical imagery, historical test results, or family history information greatly improves the quality of care. Medical equipment can hook directly into cloud services and instantly share medical results, X-ray photographs, or patient pulse readings.
On top of all these capabilities, the Internet of Things combined with data collaboration can be used to create enormous data sets. This data can be crunched by Artificial Intelligence and Machine learning platforms that look for trends and are capable of analyzing huge volumes of data in no time. This frees up physicians’ time to treat patients instead of sifting through piles of paperwork.
Another major benefit provided by HIPAA hosting is the scalability of cloud services. Hospitals, clinics and health practices ingest huge quantities of data. The data is stored digitally on a secured platform that can scale up and protect the integrity of the data.
Medical groups are growing in size and the hosting provider needs to grow with you. Compute and network plans can be upgraded with minimal impact, and resources can be added to servers at the click of a button.
One example is database hosting. Cloud-native databases eliminate the complexity of database management and can be quickly and affordably scaled up, often on demand.
The hosting provider manages the entire cloud service, removing the need for an on-site IT department to manage and maintain system or database upgrades. The provider is responsible for software provisioning, security patching and any issues encountered, whilst also achieving a 100% service level agreement.
A hosting provider with extensive experience in providing HIPAA compliant cloud services can be the difference between a smooth and successful cloud migration and a difficult experience with a steep learning curve, which isn't ideal when considering HIPAA compliance for startups. It is highly desirable to choose a hosting partner that is HIPAA compliant, an organization that is regularly audited and publishes its audit results publicly.
Experience brings a number of key services to fruition. Compliance is a hugely important factor. Look for other accreditations such as SOC 2 Type II and SOC 3 Type II certifications, and HITECH compliance. This helps to guarantee that the HIPAA hosting provider has been audited by a qualified independent third party and can demonstrate its commitment to providing the best IT security and compliant hosting.
With an experienced provider, you are more likely to achieve industry-leading Service Level Agreements (SLA), Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). This is hugely advantageous in disaster scenarios. Technical support from the provider is also likely to be significantly better if they have been providing HIPAA services for an extensive time.