Managed HIPAA Compliance
If your organization has connections to the healthcare industry, you’ve probably heard the phrase “HIPAA compliant.” You know that it relates to ensuring patient privacy and the security of their medical information, but do you know what it takes to be HIPAA compliant in all aspects of your business? We’ve outlined the basics of maintaining HIPAA compliance, including the specific standards of technology as set by the U.S. Department of Health and Human Services.
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law meant to protect sensitive patient data. If your business deals with protected health information (PHI) in any way, you are required to adhere to a defined set of administrative, physical, and technical safeguards, backed by documented policies and procedures, in order to protect that data.
I’m not a healthcare provider – does my business still need to be HIPAA-compliant?
If your business handles PHI in any capacity, then you are required to be HIPAA compliant. Two categories of organization must comply: covered entities and business associates. Covered entities are who you think of when you consider someone to be a “healthcare provider”: doctors, nurses, dentists, psychologists, HMOs and other health plans, and more. Business associates are companies that create, receive, maintain, or transmit PHI on behalf of a covered entity, even though they do not provide treatment themselves. If your company produces an eHealth application that stores or processes patient records for a clinic, for example, you would need to be HIPAA compliant. Subcontractors of business associates that handle PHI must also be compliant.
What safeguards must be in place to maintain HIPAA compliance with electronic records?
According to the U.S. Department of Health and Human Services (HHS), which enforces HIPAA, the Security Rule requires an entity to accomplish four things:
- Ensure the confidentiality, integrity, and availability of all electronic PHI (e-PHI) that they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Rather than prescribing the same specific security controls for every business, HHS requires each entity to consider its own size, complexity, capabilities, technical infrastructure, and the likelihood and impact of the risks to its e-PHI when deciding which measures are reasonable and appropriate. All covered entities and business associates are also required to review and update those measures as their environment and technology change, in order to continually maintain the confidentiality, integrity, and availability of patient data.
What different safeguards are there to consider when ensuring that my practice or business is compliant?
According to the HHS, all entities are responsible for ensuring administrative, physical, and technical safeguards for all e-PHI.
Administrative safeguards are the actions, policies, and procedures put in place to manage the selection, development, implementation, and ongoing maintenance of appropriate security measures, and to manage the workforce’s conduct around e-PHI. A documented risk analysis, a designated security official, and workforce training are the foundation of this category.
Physical safeguards cover the actual facilities and workstations where e-PHI can be accessed. To be compliant, an entity must limit physical access to the buildings, equipment, and electronic media where e-PHI is housed to authorized people, and must control how workstations and media are handled, including the disposal and reuse of drives that once held patient data.
Technical safeguards are one of the most difficult areas of HIPAA compliance, because they demand a constant, proactive approach to a changing IT security landscape. The rule names the standards to meet (access control, audit controls, integrity, person or entity authentication, and transmission security) but does not mandate particular technologies; the expectation is simply that e-PHI stays consistently protected. This means not only defending systems against the constant threat of unauthorized access, but also preventing errors that might improperly destroy or alter patient data during upgrades, physical moves, and other changes that occur in the workplace.
HIPAA compliance is a complex and constantly shifting aspect of your business. Let Vertical Technologies do the work of keeping your patient data safe, with constant security monitoring and solutions that stay up-to-date with technological threats.