In recent years, the Department of Health and Human Services Office of Civil Rights Management (OCR) has aggressively increased its efforts to make sure that healthcare providers are properly implementing the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Although the total number of penalties has plateaued since its 2016 peak, in the last two years the OCR has increased the size of HIPAA violation fines, including the headline-making $16 million penalty for Anthem Inc., the largest HIPAA fine ever.
With a renewed vigor for enforcing HIPAA compliance, and with data breaches on the rise in the healthcare industry, it’s essential that providers have a clear idea of what’s required of them, especially as new technologies continue to shape the healthcare landscape in 2019.
The Five Technical Requirements of HIPAA Compliance
There are five main dimensions in which the HIPAA standard protects digital information; these are referred to as the “technical safeguards.”
- Access controls – Limit access to electronic protected health information (ePHI) to authorized personnel.
- Audit controls – Organizations must use the right mix of hardware, software, and procedures so that all systems storing ePHI are monitored and data access is properly logged.
- Integrity controls – Ensure that ePHI is not altered or destroyed by unauthorized personnel.
- Transmission security – Ensure that ePHI is protected while in transit across a network.
- Authentication – Verifies the identity of the individuals accessing sensitive information.
Although HIPAA has been around for over twenty years, many healthcare organizations still struggle to maintain strict control over their data. Why is that?
Part of the problem is the sheer volume of data that the healthcare industry produces. Not only is there EHR data to manage, but there may also be external data collection efforts to supervise, as well as supply chain or vendor data that must be processed securely. In other situations, there just isn’t the IT manpower to ensure that data is being protected throughout the entire network.
There are several areas that could be potential sources of trouble for healthcare organizations in 2019; let’s look at a few.
Securing Mobile Devices for HIPAA Compliance
Studies have shown that over four out of five physicians, and three out of four nurses, use their personal smartphone at work. To receive all the benefits that mobile devices can provide without putting ePHI at risk, healthcare providers must take vigorous steps to ensure that their HIPAA controls secure mobile data as effectively as possible.
First, this means ensuring that best practices are being uniformly enforced. Don’t allow your employees to “jailbreak” devices and ensure that applications and operating systems are getting regular updates. Also, make sure that any mobile device connecting to your EHR is doing so through a virtual private network (VPN) or using multi-factor authentication. These first-line measures are mandatory and should be considered a foundation for further steps.
Next, make sure that your email and messaging applications are secure. While HIPAA doesn’t lay out explicit requirements for data encryption, it does say that encryption should be implemented if doing so will help protect ePHI. Because a decision not to encrypt data must be accompanied by a documented alternative, this effectively means that encryption is required for all data in transit over mobile networks.
When looking for solutions, remember there’s a big difference between those that are merely HIPAA capable and those that are built to be HIPAA compliant. To make sure that data is encrypted while in transit and stays encrypted while at rest, you will likely need to combine several solutions so that all your emails and instant messages are sent securely. Developing this type of comprehensive solution is often best handled by an outside expert who has experience building and deploying HIPAA-compliant mobile solutions.
Finding Greater Confidence in the Cloud
Another focal point for HIPAA compliance experts in recent years has been cloud computing. While cloud adoption rates in the healthcare industry continue to soar, providers still face great ambiguity when committing to cloud technology or expanding their existing cloud services. This raises questions such as: How do I properly vet my cloud service providers (CSPs)? How do I ensure that cloud data is HIPAA compliant throughout its entire lifecycle?
Any CSP that stores ePHI for your patients is subject to the same HIPAA controls that you are. To determine the HIPAA compliance of a potential CSP, begin by analyzing the quality of their solutions and whether they provide the required levels of security and uptime. In the event of downtime, do they have procedures in place that still allow you to access your data? Consider all of these elements of their compliance services before signing on with them. The next step in verifying a CSP is a thorough risk analysis of their administrative and technical controls, to ensure that the CIA triad of confidentiality, integrity, and availability will properly apply to all the data they’ll be storing or processing for you.
Here, as with mobile devices, encryption will play a significant role. The industry standard for at-rest data is AES 256-bit encryption, and it should be employed on both local and cloud file systems. However, at-rest data is just one piece of the puzzle. To secure data in transit, healthcare providers need to implement transport-layer encryption (TLS, still widely referred to as secure sockets layer, or SSL), so that data moving between web browsers and cloud services, or between mobile devices and cloud services, is adequately protected.
The Benefit of Having NYC’s HIPAA Expert at Your Side
There’s nothing like having an expert at your side to help you deal with the many complexities involved in achieving strong HIPAA compliance. Manhattan Tech Support has been helping organizations in the healthcare industry build and maintain HIPAA compliance strategies for decades and can guide you through every step of the process. Have a question for our experts? Call us anytime at 212-299-7673.
Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.
Exceed Digital – the custom software development and business intelligence solutions division of ManhattanTechSupport.com LLC.