HIPAA Data Regulation
The HIPAA Security Rule lays out all the requirements a covered entity (CE) must fulfil to fully comply with HIPAA legislation. It stipulates the various safeguards that must be in place to protect a patient’s Protected Health Information (PHI).
There are three main categories of safeguards:
Administrative Safeguards include continuous risk assessments and audits to identify the main risks that threaten PHI.
Physical Safeguards include protecting the PHI from unauthorised access (e.g. ensuring screens cannot be seen from unrestricted areas) and preventing the loss of PHI should an accident occur.
Technical Safeguards prevent HIPAA violations when PHI is transferred over digital networks.
Administrative safeguards ensure that data is managed in a safe and secure manner. They apply to both CEs and their business associates. The accessibility (who, when, where and how) must all be carefully controlled and assessed through regular risk assessments. If such assessments are overlooked, the likelihood of a data breach is dramatically increased.
With the increased in the use of Bring Your Own Device (BYOD) policies, administrative safeguards have become even more important. Policies that maintain the integrity of PHI regardless of whether it is on a personal device or otherwise represent best practice.
Physical safeguards primarily relate to the hardware upon which the PHI is stored. They also concern the location of these devices, such as access to the rooms or floors of a building where the data is stored.
According to a Manhattan Research/Physician Channel Adoption Study, nearly 90% of doctors use a personal advice during their daily work routine. It would not be a leap to speculate that the figures are similar for other healthcare professionals. HIPAA requires that such devices, or any device that can be used to access PHI, must automatically log-off after a certain period of inactivity. This is to prevent unauthorised access if a workstation is unattended.
It is also recommended that CEs and their associates have a plan for the loss of mobile storage devices such as USB drives or external hard-drives.
Under HIPAA, there are three levels of “control”: access controls, audit controls and integrity controls. The first two regard authentication of personnel accessing the PHI whilst the latter instructs CEs on how to properly store PHI. This is to ensure that the data is not inappropriately altered or deleted.
When PHI is being transferred between employees, it must also be protected. CEs and their associates must ensure that during and after the transfer the integrity of the data is maintained and no unauthorised third party can access it.
With this in mind, all text messages and emails sent by healthcare employees must be secure. They must also be accountable – meaning the full digital footprint of a patient’s data must be traceable. This can be complicated, as some messages may remain on service providers’ servers.
Unfortunately, ensuring that every email and text message sent by an employee is appropriately encrypted is a mammoth task. Instead, many CEs will choose to use a secure messaging service. These services fully comply with HIPAA security stipulations.
Secure messaging apps can be downloaded onto laptops, desktops, smartphones and tablets, irrespective of operating system. All communications sent through the service are encrypted and recorded, contained within the organisation’s private network.
The secure services often have additional safeguards built in. For example, messages sent over this service may have set “lifespans” after which they will be securely removed from a device. Most will also have authentication systems and forced log-offs to prevent unauthorised third-party access.
By increasing accountability and ensuring PHI integrity, these apps afford medical professionals more time to deal with patients. They also allow test results – such as X-Rays or CT scans – to be quickly and securely sent between doctors and shared with patients. This can increase collaboration and speed up patient discharge.