What is HIPAA Compliance?
Also referred to as the Health Insurance Portability and Accountability Act, HIPAA was originally introduced in 2016 as US legislation aimed at addressing the security provisions and data privacy needed to safeguard medical data.
The HIPAA compliance standards require that companies who handle PHI (Protected Health Information) have network, physical, and process security measures in place to uphold and meet the standards they must abide by.
Who Needs to Meet HIPAA Compliance Requirements?
HIPAA Compliance standards apply to a large number of people and organizations. There are two specific categories of people who need to be HIPAA Compliant, ‘Covered Entities’ and ‘Business Associates.’
EXAMPLES OF COVERED ENTITIES FOR HIPAA
This includes anyone who delivers treatment, operations, or payments in healthcare. A covered entity can be a U.S. Health Plan, a Health Care Provider, or a Health Care Clearinghouse.
Health Plans include Corporate Health Plans, Medicare, Medicaid, HMOs (Health Maintenance Organizations), and Schools and Employers that handle Protected Health Information (PHI) when enrolling students and employees in their respective health plans. Health Care Providers include Dentists, Clinics, Surgeons, Hospitals, Lab Technicians, Physicians, Nursing Homes, Podiatrists, Pharmacies, and Optometrists.
Health Care Clearinghouses are organizations which collect data from a health care entity, process that information, and deliver it on to another organization. Two examples of healthcare clearinghouses are community health management data systems and billing services.
EXAMPLES OF BUSINESS ASSOCIATES FOR HIPAA
A business associate is a broad term for any individual or organization that acts as a subcontractor or vendor with access to PHI, such as those who can access patient data or who provide support in operations, payment, or treatment. Examples include:
- Data processing companies
- Medical Transcription specialists
- Data Transmission companies
- Medical Equipment suppliers
- Document Shredding companies
- Data Storage Firms
- Audit Consultants
- Accountants
- External Auditors
- Electronic Health Data Exchanges
As you can see from the examples above, a significant number of individuals, entities, and organizations need to comply with the requirements of HIPAA. The next logical area to understand is HIPAA PHI. Essentially, this is any information contained within a medical record that enables identification of the patient and which was created or used in the course of healthcare provision such as treatment and diagnosis. This data is categorized as protected health information.
HIPAA PHI Explained
EXAMPLES OF PHI
PHI is not limited to the outlined protected health information defined above. It also relates to:
- Billing Information
- Conversations that patients have with their nurse or physician about their treatment
- Medical data within the patient’s health insurance company’s database
On a final note: if you still use paper records (and yes, some medical and dental practices still do!), your paper records will most likely be transformed into electronic records when they are sent to your billing company. As such, HIPAA PHI compliance regulations will still apply.
What is a HIPAA Compliant Data Centre?
If you store any PHI, health records or otherwise sensitive patient data, then you must ensure that the data center you use meets HIPAA compliance regulations. Using HIPAA compliant technology is an essential consideration. Because a data center will usually transmit, store, and process electronic PHI (ePHI), compliance with Health Information Technology for Economic and Clinical Health (HITECH) standards is essential in order for the data center to meet HIPAA information technology requirements.
With HIPAA compliance breaches carrying significant financial penalties, ensuring that any data center an organization uses is fully compliant with HIPAA standards is essential. The HITECH act clearly defines stringent physical, administrative, and technical standards that a data center must meet to be HIPAA compliant. Specifically, the management of the security process includes requirements for Risk Management and HIPAA Risk Analysis, both of which form the foundation upon which the required security actions are formulated.
Health Report on Compliance (HROC)
The HROC delivers the foundations for the management and risk analysis plan while also serving as a vital comparison point throughout the numerous HIPAA standards.
HIPAA Risk Assessment Certification
Typically, if a data center has invested in obtaining a HIPAA Risk Assessment, the supporting documentation, in the form of a HIPAA Compliance Report, will confirm this. Because you, not the data center, would be the liable party, it is crucial that you ask HIPAA compliance questions and always obtain written confirmations, which you should keep in your own internal records as verification that you have gone through this process.
Working with a business associate whose data center can provide a HIPAA compliance certification or report saves Covered Entities from spending additional money on their own required evaluation of HIPAA compliance standards. This should always be done in advance of entering into any partnership.
If any Covered Entity chooses to outsource their data center hosting to a business associate that is unable to provide an independent HIPAA compliance report, then it will be the responsibility of the Covered Entity to conduct the evaluation in order to prove their due diligence.
HIPAA Security Requirements
Other key administrative safeguards which need to be in place in any data center which handles ePHI are listed below.
- Workforce Security
This dictates that any data center vendor needs to make sure that all employees or members of the data center workforce only have access to an appropriate level of data.
- Evaluations
This requires the scheduling and execution of regular reviews of technical and non-technical security measures.
- Data Access Management
This dictates that colocation or hosting providers need to formulate the required procedures and policies for employee access control management.
- Contingency Planning
This includes emergency business continuity planning for cases such as a physical security compromise or a natural disaster.
- Security Incident Procedures
This requires documented procedures and policies to follow when a security compromise occurs.
- Assigned Security Responsibilities
This dictates that a single employee at a hosting vendor will be held accountable for the security procedures and policies that are implemented.
- Security Training and Awareness
This requires robust best-practice awareness and training programs for data center management along with all other staff.
- Business Associate Contracts
This covers contracts that assign access to business associates. Aside from these administrative safeguards, there are organizational requirements, technical safeguards, and physical safeguards that all need to be considered when creating a HIPAA compliant data center.
Physical Safeguards
The standards that are set out include Facility Access Controls. The implementation specifications require a facility security plan, contingency operations, access control and validation procedures, and maintenance records. Workstation use and workstation security are also required.
Device and Media Controls are a further requirement, with specifications covering disposal, accountability, media re-use, data storage, and data backup. One of the best ways to ascertain the level of security in a HIPAA data center is to visit the site in person. If you observe strict security protocols in place during your visit, this is a good indication of the policies and practices protecting your PHI data.
Visitors Log
Logbook entries should directly correlate with video footage. A good question to ask is when an external auditor last confirmed the video and visitor logging. If the company can answer this easily, it shows the level of auditing and the high standards they apply to their physical security safeguarding.
Video Surveillance
Ask about their video logging and how long it is kept for. It should be kept for a minimum period of at least 90 days.
Documentation of Procedures
Procedural documentation covering visits requested without prior permission, whether by phone, email, or in person, will outline how they deal with such matters. If you ask multiple parties, not just the compliance officer, you should get a firm understanding of how well the policies are known, understood, and followed by all staff. The more consistent the answers, the better.
Dual-Factor Authentication
Are you personally escorted around the data center? Wherever you go, you should see a requirement for a minimum of two identity checks, such as an access card along with an access code, a fingerprint scanner, or similar. If you are not asked to wear a badge or to sign in, these are tell-tale signs that their security protocols do not meet HIPAA security requirements.
Acting as an extension of a CE, the business associate should demonstrate expertise, robust policies, and a willingness to answer questions that provide crystal-clear clarity about HIPAA regulations and policies. Ultimately, you want to leave feeling reassured, confident in their ability to safeguard your data and reputation, and, of course, having seen a copy of their HIPAA Risk Assessment Certification.
Technical Safeguards
The HIPAA Security Regulations do not require the use of specific HIPAA IT solutions. However, they do clearly define the implementation specifications and standards that are required. The intent of this rule is to give CEs the freedom to choose which particular security measures are best for their business, usually depending on their individual needs and the size of their business. The HIPAA technical standards include access controls, with specifications for features such as automated logoff, emergency access protocols, decryption and encryption, and unique user identification. Audit controls, entity authentication, integrity, and transmission security also form part of these requirements.
Audit Controls
This relates to the implementation of a system which both monitors and logs any actions taken on ePHI information systems.
Transmission Security
Where integrity controls are concerned, the foremost method of protecting ePHI in transit is the use of secure network communication protocols. Other effective methods include message or data authentication codes. Encryption should also be considered once transmission frequency, methods, and a full risk analysis have been undertaken.
Automated Logoff
This is considered necessary for each workstation following a period of inactivity.
Unique User ID
This ensures that each employee is given a unique ID, enabling all activity to be tracked at a granular level while they are logged into the system.
Emergency Access Protocols
This entails a documented procedure that clearly outlines a protocol for accessing HIPAA PHI in case of an emergency. It should specify who needs access and the alternative ways in which they can gain it.
Authentication
The purpose is to protect the integrity of HIPAA PHI; the system should have processes in place that validate the integrity of the data, for instance by using digital signatures. For the authentication of an entity or individual, the system should rely on items such as a smart card, a fingerprint or other biometric scanner, a password, or a PIN code.
Decryption and Encryption
Although this is not a mandatory HIPAA security requirement, it is recommended where deemed appropriate for software programs or ePHI systems.
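As an added example (not code from the original article), the following Python sketch puts several of the technical safeguards listed above into one small ePHI record store: a unique user ID on every audit entry, automated logoff after an inactivity period, and a message authentication code that detects tampering with a stored record. The key, timeout and sample values are constructed assumptions, and the clock is injectable so that idle time can be simulated.

```python
"""Added example (not from the original article): a minimal ePHI record store
showing technical safeguards from the text: unique user IDs on every audit entry,
automated logoff after inactivity, and an HMAC integrity tag that detects
tampering with stored records. Key, timeout and sample values are constructed."""
import hashlib
import hmac
import json
import time

INTEGRITY_KEY = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM
IDLE_TIMEOUT_SECONDS = 300  # assumed policy: automated logoff after 5 idle minutes


def integrity_tag(record: dict) -> str:
    """HMAC-SHA256 over the canonical JSON form of a record (integrity control)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class EphiStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock    # injectable so a caller can simulate idle time
        self.records = {}     # record_id -> (record, integrity tag)
        self.sessions = {}    # user_id -> timestamp of last activity
        self.audit_log = []   # one entry per action, attributable to a unique user ID

    def _audit(self, user_id, action, record_id, outcome):
        self.audit_log.append({"ts": self.clock(), "user": user_id, "action": action,
                               "record": record_id, "outcome": outcome})

    def login(self, user_id):
        self.sessions[user_id] = self.clock()
        self._audit(user_id, "login", None, "ok")

    def _session_alive(self, user_id):
        """Refresh the session, or expire it when idle too long (automated logoff)."""
        last = self.sessions.get(user_id)
        if last is None:
            return False
        if self.clock() - last > self.idle_timeout:
            del self.sessions[user_id]
            self._audit(user_id, "auto-logoff", None, "expired")
            return False
        self.sessions[user_id] = self.clock()
        return True

    def write(self, user_id, record_id, record):
        if not self._session_alive(user_id):
            self._audit(user_id, "write", record_id, "denied")
            return False
        self.records[record_id] = (dict(record), integrity_tag(record))
        self._audit(user_id, "write", record_id, "ok")
        return True

    def read(self, user_id, record_id):
        """Return the record only for a live session and an intact integrity tag."""
        if not self._session_alive(user_id):
            self._audit(user_id, "read", record_id, "denied")
            return None
        record, tag = self.records[record_id]
        if not hmac.compare_digest(tag, integrity_tag(record)):
            self._audit(user_id, "read", record_id, "integrity-failure")
            return None
        self._audit(user_id, "read", record_id, "ok")
        return dict(record)
```

Every denied, expired or integrity-failure outcome lands in the audit log under the user ID that triggered it, which is the trail an auditor would ask to see.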
ORGANIZATIONAL REQUIREMENTS
The HIPAA Security Guidelines also dictate a number of specific organizational requirements that relate to agreements and contracts which are made with and between any Business Associates.
It also applies to the procedures, policies, and documentation guidelines for group health plans.
Group Health Plans
The implementation specifications are outlined in order to make sure that HIPAA safeguards are implemented to protect any ePHI that they receive or maintain.
Any policy or procedural documentation required to support HIPAA compliance must also be retained for a minimum period of six years. It must be accessible, for example via the intranet or in printed form; moreover, it needs to be updated to reflect any operational or environmental changes that could impact ePHI security measures.
BA Agreements or Contracts
The implementation specifications are identical to those outlined in the group health plan section above. Additionally, any subcontractors that the Business Associate works with will also need to comply with these safeguards. A HIPAA compliant agreement also demands that all BAs report all security incidents and follow the contract termination guidelines should any violation of the agreement or contract occur. More information on Business Associate Agreements is outlined in the next section.
Business Associate Agreements – BAAs
There have been many concerns voiced over the controllability of Business Associates, their subcontractors, and other entities that could potentially form part of the HIPAA chain and become part of the wider circle of trust that surrounds ePHI requirements. An effective BAA needs to be in place between any CE and its respective BA; any vendors or contractors of the Business Associate also need to sign BA agreements where there is any chance that they will have access to PHI data. A BAA is an ideal opportunity to clarify and confirm individual role responsibilities between BAs and CEs. Additionally, the OCR requires specific documentation in case of a PHI compromise.
OCR REQUIRED DOCUMENTATION
Documentation is required for any corrective action that takes place or any action plans that the CE will undertake in order to try to prevent a recurrence of such a breach or compromise occurring again in the future. This should include documents that outline the below points:
- Workforce member training or retraining.
- Individual sanctions for the specific member or members who breached any HIPAA PHI Security or Privacy rules.
- Mitigation of the alleged potential damage as needed by the HIPAA Privacy Rule.
Documentation is required of any internal investigation that has been or may be carried out by the CE in direct response to any allegations or concerns. This must also include, where necessary, a copy of the incident report prepared in response to the theft of a server, laptop, or other related device.
Documentation is required of the CE's statement of denial or admission, including where the CE states that it does not have sufficient evidence to ascertain an outcome regarding the allegations that were made.
Physical Safeguards
Any policies, procedures or Business Associate Agreements must be implemented to make sure that BAs have put into place the necessary safeguards, where applicable. There must also be evidence of physical safeguards that have been introduced in order to restrict access to PHI on organizational computing devices.
HIPAA Procedures and Policies
A copy of the procedures and policies put in place to make sure that the CE's facility and equipment are safeguarded. A further requirement is a copy of the HIPAA compliance procedures and policies pertaining to the safeguarding and disclosure of ePHI.
Breach Notification
A copy of any documentation supplied to the media to notify them of a breach. Such documentation needs to include a list of the media sources that were given the notification along with any reports or media articles that resulted from it. Also required is a copy of any documentation supplied to the individuals affected by the breach.
Risk Assessment
There needs to be demonstrable evidence of a mechanism for workstation encryption of PHI. There must also be demonstrable security awareness training records for any members of the workforce who will handle PHI; this includes workstation security as a minimum. There should also be a copy of the latest risk assessment conducted by (or for) the CE, as dictated by the Security Rule requirements. As you can appreciate, this documentation is an aspect of HIPAA compliance that takes a significant amount of planning before implementation can occur. Signing a BAA should therefore only take place once considerable time and attention has gone into the planning process.
HIPAA Compliance – Outsourced Centres Vs. In-House Hosting
Within almost every sector there is a need to reduce costs and operational expenditure, none more so than in healthcare. However, with the severe penalties that apply when HIPAA compliance breaches occur, many organizations are questioning whether it is better to outsource their data center or keep it in-house. There are various advantages to using an outsourced data center, such as:
- Benefit from the latest technologies with a high-performance managed cloud environment. Many HIPAA compliant data centres use ultra-modern virtualization technologies. This also allows them to scale up and down on a very flexible basis in order to respond to the needs of users when required.
- Cost saving is a major benefit of outsourcing the data centre function to a HIPAA regulated data centre environment. If you find a HIPAA compliant hosting provider who has already been verified by an independent HIPAA auditor, this further reduces the cost, as there is no longer a need to pay for a separate audit in order to meet HIPAA compliance standards. The management cost is typically far lower than the price of paying for equipment, the power for that equipment, and the people to support that equipment in-house.
- High availability solutions providing a comprehensive infrastructure in a fully redundant data center often give clients the ability to maximise the availability of their PHI and optimize server uptime. When you outsource to a HIPAA compliant hosting provider, you also eliminate the chance of a single point of failure and leverage the benefits of a wider infrastructure capability.
- Enhanced security delivered by certified professionals is a bare minimum when you outsource your HIPAA data centre. A compliant hosting provider will typically use modern technologies that are audited to confirm they meet the exacting HIPAA compliance standards. You get an expert security team that handles the maintenance and monitoring of the servers.
- Elimination of the need to perform in-house HIPAA auditing, because the HIPAA compliant hosting provider will already have this completed and reviewed on a regular basis. You should always verify that audits have taken place as set out in the HIPAA compliance guidelines.
- Become HIPAA compliant quickly. This point is fairly self-explanatory; for those who want or need to become HIPAA compliant quickly, you can do so far more easily and speedily when you outsource.
- Reduction in time spent managing IT internally, leaving staff free to focus on business-centric support and initiatives.
Outsourcing HIPAA compliant hosting to a third party does raise an element of risk that needs to be considered. In HIPAA terms, a third party is classified as a Business Associate, a term used frequently throughout this post. As such, there is a potential threat in doing this which leaves you liable if they were to suffer a PHI breach.
As discussed in an earlier section, there are certain things you can do and elements of their operations you can check in order to ease any concerns about this third party whom you are inviting into ‘your circle of trust.’ HIPAA fines for breaches range from $100 to $1.5 million. The value of a fine depends on the level of classification and whether the offense is a first-time or repeat occurrence.
HIPAA Penalties
| Type of Violation | Minimum Fine | Maximum Fine |
|---|---|---|
| Individual was unaware of HIPAA violation | First occurrence: $100; repeat offences: $25,000 | Per violation: $50,000; maximum annual: $1.5M |
| Reasonable cause not derived from wilful neglect | First occurrence: $1,000; repeat offences: $100,000 | Per violation: $50,000; maximum annual: $1.5M |
| Wilful neglect that was corrected in time | First occurrence: $10,000; repeat offences: $250,000 | Per violation: $50,000; maximum annual: $1.5M |
| Wilful neglect that goes uncorrected | First occurrence: $50,000; repeat offences: $1.5M | Per violation: $50,000; maximum annual: $1.5M |
With so much at stake, it is always best to take your time and pay meticulous attention when looking for the best HIPAA compliant data center. Always take such decisions in line with professional guidance and recommendations.