As you likely know, if your company or organization has access to electronic Protected Health Information (ePHI), then you are required to comply with the Health Insurance Portability and Accountability Act of 1996, or HIPAA, as it’s better known. HIPAA compliance ensures the security and privacy of confidential patient data. Failure to comply could result in substantial fines, criminal charges and even civil action lawsuits… not pretty! So what does HIPAA Compliance look like, and how can you make sure your company is meeting these requirements?
What is HIPAA Compliance?
As more and more health care providers and companies handling ePHI move to electronic operations and data center storage, HIPAA compliance is more important than ever. While these efforts increase efficiency and mobility, they also increase security risks. But when it comes to the management of ePHI as it relates to the technology industry, who has to maintain HIPAA compliance?
- Covered Entities: health care providers, health plans, and health care clearinghouses that create, maintain or transmit PHI and ePHI.
- Business Associates: a person or business that provides a service to a covered entity that involves access to PHI and ePHI. This includes IT contractors and cloud storage services, as well as lawyers, accountants, billing companies, etc.
So what does it mean for these two groups to maintain HIPAA compliance? Being in compliance means fulfilling the requirements of HIPAA, any subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Since data centers typically store and manage ePHI, they must comply with HITECH standards in order to meet HIPAA compliance. Here’s a checklist of the requirements as they pertain to the technology field:
The HIPAA Privacy Rule governs how ePHI can be used and disclosed:
- Limits and conditions must be set on the uses and disclosures that can be made of PHI without patient authorization.
- Covered entities must respond to patient access requests within 30 days.
- Notices of Privacy Practices (NPPs) must be issued to advise patients and plan members of the circumstances under which their data will be used or shared.
The HIPAA Security Rule requires safeguards that protect ePHI both at rest and in transit:
- Technical safeguards: these require that ePHI be encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers.
- Physical safeguards: these requirements focus on securing physical access to ePHI, regardless of where it is stored (a remote data center, in the cloud, or on servers).
- Administrative safeguards: these require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI. This means that ongoing audits and assessments will be conducted to ensure your company’s continued compliance.
The HIPAA Omnibus Final Rule, introduced in January 2013, clarified that the HIPAA compliance checklist includes Business Associates and their subcontractors. In other words, data centers, as Business Associates, are held as responsible as covered entities, and they must commit to the same ongoing due diligence as a health provider would. The Omnibus Rule also:
- Brought HITECH requirements and HIPAA requirements together under one Act.
- Changed the harm threshold in the Breach Notification Rule for Unsecured Protected Health Information (under the HITECH Act).
- Modified HIPAA to include provisions made by the Genetic Information Nondiscrimination Act (GINA), to prohibit the disclosure of genetic information for underwriting purposes.
- Prohibited the use of ePHI for marketing purposes.
If your business requires you to maintain HIPAA compliance, our team at DSA Technologies is well-versed in all of the nuances as they pertain to managing ePHI at data centers, ensuring safeguards for your cloud solutions, networks and beyond. We are committed to ensuring your company’s ongoing HIPAA compliance; contact us today to find out how we can help.