HIPAA, the US Health Insurance Portability and Accountability Act of 1996, establishes the standard for protecting sensitive patient data. Any organisation that handles protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
This includes covered entities (anyone who provides treatment, payment or operations in healthcare) and business associates (anyone who has access to patient information and provides support for treatment, payment or operations). Subcontractors, that is, business associates of business associates, must also demonstrate HIPAA compliance. Although HIPAA is US law, HIPAA compliance can affect European and UK based companies that are contracted by organisations which must comply with HIPAA.
HIPAA compliance recognizes that advances in electronic technology could erode the privacy of health information. HIPAA therefore mandates the adoption of federal privacy protections concerning individually-identifiable health information.
The HIPAA compliance regime is overseen by the US Department of Health and Human Services (HHS), whose Office for Civil Rights enforces the Privacy and Security Rules.
HIPAA compliance and hosting
If you are hosting your data with a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place. The physical and technical safeguards listed below are the ones most relevant to the services provided by your HIPAA compliant host, and describe what constitutes a HIPAA compliant data centre.
- Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected health information (ePHI).
- Technical safeguards require access controls so that only authorized persons can access electronic protected health information. Access control includes unique user IDs, an emergency access procedure, automatic log-off, and encryption and decryption. Note that under the Security Rule, unique user identification and the emergency access procedure are required implementation specifications, whereas automatic log-off and encryption/decryption are "addressable": you must either implement them or document why they are not reasonable and appropriate and what equivalent measure you use instead.
- Audit controls, or activity logs, must be implemented to record activity in the hardware and software that holds or uses ePHI. These logs are what you use to pinpoint the source or cause of a security violation, so they must themselves be protected against tampering and deletion.
- Technical policies should also cover integrity controls, that is, measures which confirm that ePHI has not been improperly altered or destroyed. IT disaster recovery and offsite backup are key to ensuring that electronic media errors or failures can be remedied quickly and that patient health information can be recovered accurately and intact.
- Transmission (network) security is the last technical safeguard required of HIPAA compliant hosts, protecting ePHI against unauthorized access while it is in transit. This covers every method of transmitting data, whether email, the Internet, or a private network such as a private cloud.
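As an added example, not code from the original page, the following Python shows two of the technical safeguards above in working form: an integrity control that seals each ePHI record with an HMAC so that any later alteration is detected, and an append-only, hash-chained audit log in which editing or deleting one entry invalidates the chain from that point on. The key, record contents, user IDs and timestamps are constructed sample data for the example only.

```python
import hashlib
import hmac
import json

# Hypothetical key for the example only. In a real deployment the key lives in a
# KMS/HSM and is never embedded in source code.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def _canonical(obj) -> bytes:
    """Canonical JSON so the same logical record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Integrity control: attach an HMAC-SHA256 tag over the record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Return True only if the record is exactly what was sealed (constant-time compare)."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Append-only activity log. Each entry commits to the hash of the previous
    entry, so editing or removing any entry breaks every entry after it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, ts: str, user_id: str, action: str, record_id: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"ts": ts, "user": user_id, "action": action,
                 "record": record_id, "prev": prev}
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def first_bad_entry(self) -> int:
        """Index of the first tampered or out-of-order entry, or -1 if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["prev"] != prev
                    or hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]):
                return i
            prev = entry["hash"]
        return -1


def demo() -> dict:
    """Constructed sample data: one patient record and a short activity trail."""
    sealed = seal_record({"mrn": "000123", "name": "J. Doe", "dob": "1970-01-01"})
    intact = verify_record(sealed)
    sealed["record"]["dob"] = "1971-01-01"        # silent alteration of ePHI
    altered_detected = not verify_record(sealed)

    log = AuditLog()
    log.append("2024-05-01T09:00:00Z", "u-nurse-17", "read", "000123")
    log.append("2024-05-01T09:05:00Z", "u-admin-02", "update", "000123")
    log.append("2024-05-01T09:06:00Z", "u-admin-02", "export", "000123")
    log_intact = log.first_bad_entry()            # -1: chain verifies
    log.entries[1]["user"] = "u-nurse-17"         # try to pin the update on someone else
    log_tampered_at = log.first_bad_entry()       # 1: the edited entry no longer matches
    return {"intact": intact, "altered_detected": altered_detected,
            "log_intact": log_intact, "log_tampered_at": log_tampered_at}


if __name__ == "__main__":
    print(demo())
```

The HMAC detects alteration of stored ePHI but not deletion; that gap is what the offsite backup requirement above covers. The hash chain only makes tampering evident, so the log must also be written to storage the application's own credentials cannot rewrite (for example a separate, write-once log service).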
A supplemental act, the Health Information Technology for Economic and Clinical Health (HITECH) Act, was passed in 2009. It supports enforcement of HIPAA by raising the penalties for health organizations that violate the HIPAA Privacy and Security Rules, and it makes business associates directly liable for compliance with the Security Rule. The HITECH Act was enacted in response to the development of health technology and the increased use, storage and transmission of electronic health information.
HIPAA compliance and ISO 27001
To comply with the HIPAA Security Rule you may wish to consider adopting ISO 27001, the international standard specifying the requirements for an information security management system (ISMS).
With the spread of mobile devices such as phones and tablets, the following security threats are ever present:
- Phones, tablets and wearables are easily lost or stolen, so any ePHI stored on them can be compromised.
- Social media and email are readily accessible from the device, making it easy for users to post something that breaches the HIPAA Privacy Rule.
- Push notifications and other user communications can violate HIPAA if they contain ePHI.
- Users may intentionally or unintentionally share personally identifiable information, even if your app's intended use doesn't account for it.
- Not all users enable the password-protected screen lock, leaving data visible and accessible to anyone who handles the device.
- Devices like the iPhone lack physical keyboards, so users are more likely to choose simple passcodes that are weaker than complex ones.
HIPAA's administrative simplification provisions address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's healthcare system by encouraging the widespread use of electronic data interchange in the U.S. healthcare system.
The HIPAA Security Rule establishes national standards to protect an individual's electronic protected health information that a covered entity creates, receives, uses, or maintains. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.
The HIPAA Security Standards require physicians and other covered entities to protect the security of patients' electronic medical information. They must use procedures and mechanisms that protect the confidentiality, integrity, and availability of this information. Since the compliance date of April 2005 (April 2006 for small health plans), covered entities must have in place administrative, physical, and technical safeguards that protect the electronic health information they collect, maintain, use, and transmit.
Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996
US Department of Health and Human Services (HIPAA website)