The Health Insurance Portability and Accountability Act (HIPAA) has evolved considerably to keep up with the demands of our modern society. Now that protected health information (PHI) is kept via electronic records, healthcare organizations need to comply with the HIPAA Security Rule if they want to keep their patients’ data private (and avoid a hefty fine).
What’s Required for HIPAA Compliance?
HIPAA compliance requirements can be complicated, but at a minimum, you’ll need to do the following:
- Only access PHI information when you need to and/or when you have permission. First, you’ll need to comply with all former iterations of HIPAA by not accessing PHI data unless you have the patient’s explicit, written permission to do so, or if it’s required to treat your patient adequately.
- Have an emergency plan to access PHI. In some cases, you may not be able to get your patient’s permission, and you may not have the account access necessary to retrieve it. What happens then? To be HIPAA-compliant, you’ll need to have an emergency plan in place.
- Limit and secure email transmissions of PHI. At times, you may need to transmit patient information via email. Avoid these situations when possible, and make sure you’ve upgraded your email platform to be HIPAA-compliant when transmitting via email becomes necessary.
- Back up all patient data. This should be common sense, but have a backup in place for all patient data, preferably, a HIPAA-compliant source of cloud storage. Don’t risk the damage or destruction of patient data.
- Give role-based permissions to staff. Your staff members shouldn’t have universal access to patient records. Establish multiple roles, with varying types of permissions, so staff members can access only the data they need.
- Take precautions against malware. Malware can bring your entire system down, so make sure you have a strong antivirus platform in place, and keep all your apps updated.
- Maintain different passwords, and change them routinely. Every staff member should have a unique password, and be prompted to change those passwords regularly.
- Maintain activity logs and audit controls. Your digital systems should keep track of activity, noting when records are accessed or changed. That way, you can audit them in event of a breach or other suspicious activity.
- Never leave PHI out in the open. Avoid leaving PHI open on a computer. Always log out before leaving a room.
- Enable automatic logouts. Computers should log out automatically if left unattended for a few minutes.
- Don’t share PHI information. Staff members shouldn’t share PHI with anyone unless they have explicit permission from the patient and/or orders from a physician to do so.
- Dispose of PHI information properly and completely. If and when you need to delete patient records, do so completely and securely. That means shredding all documents and wiping all hard drives.
- Keep an updated training program. Your staff should always be up-to-date on the latest HIPAA security practices. Make sure your training program dedicates enough time to learning these fundamentals, and introduces new information as it becomes available.
- Have and test a disaster recovery program. What happens if your system’s integrity is compromised? Have a plan in place and test it to ensure it’s working and that staff understand it.
- Ensure all partners and vendors are following proper procedures. A breach from outside your organization can compromise your PHI; make sure your partners and vendors are HIPAA-compliant as well.
- Report any security incidents. If you do encounter a security breach, report it, and update your policies to guard against similar events in the future.
Are these standards enough?
Meeting HIPAA standards will ensure your organization remains HIPAA-compliant, avoiding legal trouble that could arise if you slip up. But is it truly enough to keep patient data safe?
HIPAA doesn’t have set requirements for specific types of security; for example, it doesn’t mandate that you use a certain encryption standard, or set your passwords in a specific format. Instead, it’s up to your discretion how to set those standards for your own organization. Competent security isn’t just about checking items off a list; it’s about creating an environment that’s actively searching for and guarding against potential new threats, and evolving to face those threats more efficiently.
In short, HIPAA standards are a great start to any organization’s data security, but they aren’t enough to have a truly comprehensive security program.
Learning to keep up
Even if you believe all your current practices keep your organization HIPAA-compliant, and even if that level of compliance is enough to keep your patients’ data safe, it may not stay that way for long. HIPAA is constantly being updated to respond to new threats and add newer, better layers of protection for patients in the United States. If you want to stay ahead of cybercriminals, and remain in compliance with these regulatory requirements indefinitely, you’ll need to stay plugged into the latest news—and be willing to adapt your security protocols at a moment’s notice.