One of the most influential pieces of legislation the healthcare industry has to follow is the Health Insurance Portability and Accountability Act (HIPAA). Healthcare IT employees often have their work cut out for them when trying to comply with this complex law. To follow HIPAA regulations - including rules for privacy and security - healthcare organizations need to implement proper security policies and employ the right technology to ensure the security of the patient's protected health information (PHI) in the electronic health record (EHR). By following HIPAA healthcare IT standards, healthcare organizations can mitigate the risk of security breaches and maintain the reputation of their practices.
Here are some main healthcare IT standards under HIPAA explained:
List of covered entities under HIPAA
The covered entities under HIPAA's privacy rule include health plans, healthcare providers and healthcare clearing houses. In addition to the organizations themselves, HIPAA requires that healthcare companies to make sure their workforce and business associates comply with the privacy and security rules associated with HIPAA at all times or they may be subject to fines and penalties issued by the U.S. Health and Human Services Department (HHS). (Has your IT provider signed a BAA? At Netgain, we sign Business Associate Agreements with our clients. The agreement proves that we share in the risk and responsibility of HIPAA.)
Safeguard protected health information
There are privacy and security rules under HIPAA that healthcare IT staff need to comply with to effectively secure files, technology and media containing PHI. Under the HIPAA privacy rule, healthcare companies should protect all individually identifiable health information, including its electronic, paper and oral forms. EHRs usually include personal information like patient names, dates of birth and Social Security numbers, or contain medical or financial data.
Perform risk analysis to determine threats
Since HIPAA security and privacy regulations are strict, healthcare IT staff must have a strong foundation for comprehensive cybersecurity. IT security experts are required by HIPAA to perform a risk analysis to determine threats to the integrity of PHI. These may include cyberattackers that want access to valuable patient information for identity theft. Even employees can be considered to be a threat because they can cause data breaches due to human error. By determining the risks that could compromise sensitive data, IT security experts can decide the security measures and resources they need to use to stop security threats, including encryption and password protection, the number of IT staff to have on hand and their software and hardware infrastructure.
Encrypt and secure devices containing PHI
Endpoint encryption is an effective security measure required by HIPAA, and healthcare IT departments should ensure all electronic devices containing PHI are encrypted to prevent unauthorized persons from accessing the information in case a security breach occurs or employees try to inappropriately view PHI.
Form a contract with business associates covered under HIPAA
Since business associates - including hosting, transcription and like companies - are also covered under HIPAA, healthcare organizations must make sure their third party partners follow the same rules for protecting information from threats.
Delete or destroy confidential information before disposal
Once healthcare organizations decide to dispose of electronic devices and media holding PHI, healthcare IT teams need to completely delete or destroy the information held on this technology, which includes computers, copiers and printers. To protect patient privacy, the information must be considered unreadable and indecipherable or cannot be reconstructed after it's destruction.
Notify affected patients of security breaches
In the event that a covered entity or business associate discover a data breach, they are required to alert patients of the breach under HIPAA's breach notification rule. In the data breach notification letter to affected patients, healthcare organizations often state the cause of the breach as well as the steps they are taking, to ensure security incidents do not happen in the future.
Image via James Cridland