Are you meeting HIPAA compliance? For US healthcare providers and associated services, it's an important question to ask yourselves and your security team - or risk paying the consequences.
CentricMinds takes HIPAA compliance seriously, implementing secured data systems so that your operation can check those boxes when it comes to patient information security.
What you need to know about HIPAA
The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that governs the protection and privacy of electronic healthcare records, ensuring that individuals cannot be identified and guarding against theft, fraud, and other malicious acts.
Compliance with the Act is compulsory for many healthcare industry organizations, including doctors, hospitals, insurers, and other providers.
HIPAA is one of several laws enacted to keep personal information safe online. Healthcare information is a particularly sensitive class of personal data that is wide open to abuse if it falls into the wrong hands.
What’s at stake for noncompliance?
There can be serious consequences for failing to comply with the HIPAA Privacy and Security Rules.
Just last year, Anthem, one of the US’s largest health benefits organizations, was required to pay $16 million in penalties due to noncompliance. Why? A sustained cyberattack meant that almost 79 million people had their data exposed, including names, social security numbers, medical ID numbers, and more. The breach, initiated by spear-phishing emails, was deemed in violation of HIPAA, with the company failing to “implement appropriate measures for detecting hackers.”
If you take a look at McAfee's HIPAA and HITECH Cloud Compliance Requirements Cheat Sheet, you will see that fines can reach as high as $1.5 million (per calendar year) for each HIPAA violation, with the risk of imprisonment of up to 10 years, depending on the type of violation.
Which data is sensitive? An introduction to Protected Health Information (PHI)
HIPAA includes a definition of Protected Health Information (PHI), that is, the personally identifying information that must be safeguarded.
“Protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.” - HIPAA Journal
This includes diagnoses, test results, treatments, prescriptions, and other relevant health information, as well as identifiers such as name, social security number, DOB, ethnicity, contact details, and next of kin. Data counts as PHI when its contents can be used to personally identify someone. For example, a free-standing diagnosis without any identifiers may not be considered PHI. For more detail, see the HIPAA Journal definition quoted above.
How must the data be kept secret?
There are various rules which organizations must follow to be compliant with HIPAA. These include:
1. Security Rules
Access Control - Unique identifiers for e-records, encryption and decryption of data, and automatic logout of sessions.
Integrity - Checks for the validity of PHI, guards against accessing the wrong records, and checks that encrypted data has not been tampered with.
Physical Safeguards - Facility access control, workstation use, workstation security, and device and media controls.
Administrative Safeguards - A security management process driven by risk analysis, workforce security, training, security incident procedures, contingency plans, periodic re-evaluation of HIPAA compliance, and signed partner (business associate) agreements.
2. Privacy Rules
Protect against improper use and disclosure of PHI, notify the relevant entities in the case of a breach, allow individuals access to their own PHI, and document all disclosures of PHI.
3. Breach Notifications
Notification of affected patients, the HHS, and (for breaches affecting more than 500 patients) the public.
How does CentricMinds help meet HIPAA compliance?
As a technology provider to healthcare organizations, we take our role in HIPAA compliance seriously. It’s as much our responsibility as it is yours that PHI is kept safe.
We tackle the technology side of the equation. For healthcare organizations and associates wanting an Intranet, document management system, enterprise social networking, or other digital experience platforms, we first look at whether the data across the system will contain PHI, or may do so in the future.
Data storage, transit, and compute
We use and trust AWS HIPAA Eligible Services for data storage, transit, and compute. The specific cloud stack we prefer to use is comprised of Elastic Load Balancing, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Block Store (Amazon EBS), and Amazon Relational Database Service (Amazon RDS) (MySQL).
Utilizing this stack ensures that PHI is encrypted at rest and in transit. As the world's biggest cloud provider, AWS gives assurance that it applies the most stringent security practices in support of compliance.
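Encryption on the stack above is a per-resource setting rather than something the HIPAA-eligible services switch on for you: StorageEncrypted on the RDS instance and Encrypted on each EBS volume must be set at creation time, and the load balancer listeners must terminate TLS. The following Python is an added example, not CentricMinds code, that evaluates describe-API responses for exactly those three settings; the input dicts are constructed samples shaped like the output of boto3's rds.describe_db_instances(), ec2.describe_volumes() and elbv2.describe_listeners(), and all identifiers in them are made up.

```python
from typing import Dict, List, Tuple

# Constructed sample responses shaped like boto3's rds.describe_db_instances(),
# ec2.describe_volumes() and elbv2.describe_listeners(); identifiers are made up.
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "phi-mysql-prod", "Engine": "mysql", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "phi-mysql-reports", "Engine": "mysql", "StorageEncrypted": False},
]}
SAMPLE_EBS = {"Volumes": [
    {"VolumeId": "vol-0aaa111", "Encrypted": True},
    {"VolumeId": "vol-0bbb222", "Encrypted": False},
]}
SAMPLE_LISTENERS = {"Listeners": [
    {"ListenerArn": "arn:example:listener/https-443", "Port": 443, "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": "arn:example:listener/http-80", "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS"}}]},
    {"ListenerArn": "arn:example:listener/http-8080", "Port": 8080, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward"}]},
]}

def unencrypted_rds(resp: Dict) -> List[str]:
    """RDS instances whose storage was created without encryption at rest."""
    return [db["DBInstanceIdentifier"] for db in resp.get("DBInstances", [])
            if not db.get("StorageEncrypted", False)]

def unencrypted_volumes(resp: Dict) -> List[str]:
    """EBS volumes created without encryption (cannot be encrypted in place later)."""
    return [v["VolumeId"] for v in resp.get("Volumes", []) if not v.get("Encrypted", False)]

def plaintext_listeners(resp: Dict) -> List[Tuple[str, int]]:
    """Listeners without TLS; an HTTP listener that only redirects to HTTPS is tolerated."""
    findings = []
    for lst in resp.get("Listeners", []):
        if lst.get("Protocol", "").upper() in ("HTTPS", "TLS"):
            continue
        actions = lst.get("DefaultActions", [])
        if actions and all(a.get("Type") == "redirect" and
                           a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                           for a in actions):
            continue  # never forwards PHI in the clear, only bounces clients to TLS
        findings.append((lst["ListenerArn"], lst["Port"]))
    return findings

def phi_findings(rds: Dict, ebs: Dict, listeners: Dict) -> List[str]:
    """Deviations from the encrypt-at-rest / encrypt-in-transit posture, one per line."""
    out = [f"RDS {i}: storage not encrypted at rest" for i in unencrypted_rds(rds)]
    out += [f"EBS {v}: volume not encrypted at rest" for v in unencrypted_volumes(ebs)]
    out += [f"Listener {a} port {p}: accepts traffic without TLS" for a, p in plaintext_listeners(listeners)]
    return out
```

Feeding the live API responses into phi_findings() in place of the samples turns this into a periodic audit of every PHI-bearing resource.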
Systems can be protected using multi-factor authentication. This can be designed to meet strict standards as outlined in your security protocols.
We can implement session timeouts for system users to meet the access control stipulation regarding timeouts.
Infrastructure Service Level Agreements (SLAs)
Our infrastructure SLAs include items like regular, documented security audits, scheduled penetration testing, and antivirus installation, monitoring, and use. As a healthcare associate provider, we need to remain HIPAA compliant, too!
The bottom line
It’s up to you to ensure you're HIPAA compliant - with a little help on the technical side from us. By choosing to partner with a technology provider that understands the ins and outs of HIPAA from all angles, you can be assured that your PHI is safe - and that you stay compliant from a technology perspective.
Ultimately, it’s up to both of us to work together for you to maintain HIPAA compliance. We can help you fulfill your obligations from a technical perspective, plus provide guidance for other security protocols where we can. While HIPAA compliance might seem like a complex puzzle, when you work with the right people then everything becomes clear.