Healthcare Security: Understanding HIPAA Compliance and its Role in Patient Data Protection
After the "year of the healthcare breach," many healthcare organizations are taking steps to improve their data protection strategies to meet regulatory requirements and secure health information against costly data breaches. Here's an overview of the data protection requirements for compliance and beyond.
Data security has become especially critical to the healthcare industry as patient privacy hinges on HIPAA compliance and secure adoption of electronic health records (EHR). The Health Information Technology for Economic and Clinical Health (HITECH) Act was a component of the American Recovery and Reinvestment Act (ARRA) of 2009, and demonstrated the willingness of the federal government to support the widespread adoption of EHR. Likewise, President Obama supported the push for 100% digital records as part of ARRA, which directs additional funds and incentives to healthcare professionals who adopt electronic medical systems and follow the meaningful use policies. By 2015, healthcare organizations that did not upgrade facilities to store medical records electronically faced penalties. Patient privacy is a must, and the last thing those in the healthcare industry want is a data breach, a compromise of patient information, or a penalty for failing to meet compliance.
HIPAA Privacy and Security Rules
The Health Insurance Portability and Accountability Act (HIPAA) sets the baseline for sensitive patient data protection with its Privacy and Security Rules. According to these rules, any company that deals with protected health information (PHI) must have in place physical, network, and process security measures and follow them in order to ensure HIPAA compliance. The United States Department of Health and Human Services (HHS) establishes national standards for protecting certain health information with the HIPAA Privacy Rule, also known as the Standards for Privacy of Individually Identifiable Health Information.
Similarly, the Security Rule is aimed at protecting specific health information that is held or transferred in electronic form. As such, the Security Rule operationalizes the Privacy Rule’s protections by mapping out the technical and nontechnical safeguards that must be put in place by covered entities to protect individuals’ personal health information. According to the HHS’ HIPAA website, the Security Rule requires that HIPAA-covered entities implement the following protections for ePHI:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The Office for Civil Rights (OCR), within the HHS, enforces the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
HIPAA Safeguards and Data Protection Strategies
Furthermore, the HHS requires that organizations have in place physical and technical safeguards when hosting sensitive patient data, including limited facility access with access controls in place as well as policies governing use and access to workstations, electronic media, and any attempts at transferring, removing, disposing, and re-using electronic media or e-PHI. Technical safeguards for access control ensure that only authorized personnel have access to e-PHI and often require using unique user IDs, emergency access procedures, automatic log off, encryption, and audit reports or tracking logs of all activity on hardware and software.
Data protection strategies also need to be in place to secure PHI/e-PHI beyond the baseline requirements for HIPAA compliance. These data protection strategies must enable healthcare organizations to ensure the security and availability of PHI to maintain the trust of healthcare professionals and patients; meet HIPAA and HITECH regulations for access, audit, and integrity controls including data transmission and device security; and maintain greater visibility and control of sensitive data throughout the organization.
Healthcare organizations and providers must have access to patient data in order to deliver quality care, but complying with regulations and requirements for protecting patient health information requires a combination of robust security strategies as well as the appropriate security solutions and sufficient IT resources to implement them. Security solutions commonly used in the healthcare industry include access control, data loss prevention, encryption, secure file sharing tools, and network security solutions such as firewalls and antivirus software. Because of their ability to discover, classify, and protect sensitive information, data loss prevention tools are widely deployed in healthcare organizations to monitor, classify, and protect ePHI.
With the proper data protection strategies and solutions in place, healthcare organizations and providers can share data securely, both inside and outside the organization, manage privileged users, and comply with monitoring and reporting regulations.
To learn more about how data protection can help achieve HIPAA compliance, check out our eBook, Meeting Stringent HIPAA Regulations: Your Guide To Safeguarding Patient Data.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business