HIPAA & Technology

Everyone has been to the doctor at some point, but is your patient information safe? Today we will look at some of the technological safeguards that are required to protect your personal information as well as the potential fines your health care provider might face if they were to expose your data.
In 1996 the Healthcare Insurance Portability and Accountability Act was signed into law. This act was developed by congress in order to protect a patient’s confidentiality in regard to their medical information. HIPAA’s main goal is to set parameters around the use, release and transmission of health records and requires businesses who handle this information follow strict guidelines in order to protect health information.
As and IT service provider, we implement and manage solutions that help organizations meet the mandates laid out by the HIPAA Security Rule, the side of compliance that a healthcare provider’s technology must align with. The security rule deals with electronic Protected Health Information and is a subset of the overarching HIPAA privacy guidelines.

Protecting patient data is of the utmost importance, and non-compliant providers could face hefty fines and the bad press that comes with having to notify the public of data breeches. The first piece of compliance required is Transmission Security which refers to protecting information whether in motion (e.g. email), or at rest (e.g. stored on a PC/server). The most typical form of transmission security, and something that is relatively easy to implement, is encryption. Many email providers offer encryption as part of their service, and depending on a couple factors (like the software solutions used) the ability to encrypt at the desktop and server level may be easy to implement.
Determining who has access to the data, what is being changed and who is modifying the information is another mandatory safeguard. Access control is defined by having a centrally managed set of unique user names for each person with access to ePHI. HIPAA takes this a step further and requires audit controls to be in place to document attempted access to ePHI and record the user’s activities while accessing that data.
There are other requirements to follow in order to be compliant such as user authentication when accessing ePHI, and Integrity which implies that an organization must protect ePHI from being improperly destroyed or altered. HIPAA does not advise on how these requirements are handled, only that they are being handled and that it is documented. The covered entity is responsible for working with a partner to make sure these safeguards are in place and their patients data is protected.
Looking at examples of violations and the fines that were levied can be a good catalyst for a provider to make sure that they are following the compliance rules and performing internal audits. Some notable examples:

- Unencrypted USB Drive Stolen: 500 patients affected. $1.7 million fine.
- Publicly Accessible calendar with appointment data: $100,000
- 57 Unsecured Stolen Hard Drives: 1 million patients affected. $1.5 million fine.

Patient data is a very serious business, and it is important that healthcare providers are compliant, seek out deficiencies and put a corrective action plan in place.