For healthcare organization IT teams tasked with keeping personal health information secure, there’s nothing more pressing than remaining compliant with security and privacy regulations.
As healthcare organizations become targets for hackers, and breaches become more common putting patients’ PHI at risk of exposure, it’s paramount that organizations adhere to guidance that aims to protect health data — not to mention that lack of compliance can result in significant fines for providers.
Still, as digital health technology grows and medical devices become more connected, PHI and access to it may be scattered among devices and more vulnerable than ever.
So, what should IT teams be on the lookout for as they approach HIPAA compliance in the modern age? HealthTech Magazine breaks down the rules and nuances of keeping PHI secure and compliant.
1. Find HIPAA-Compliant Email and Messaging Solutions
Communication among care providers is key to improving clinical outcomes, but finding HIPAA-compliant messaging solutions can prove tricky, and many fear the process of communicating PHI between care teams securely will be onerous. A difficult process could leave clinicians feeling tempted to use their personal devices or accounts to transmit PHI, which is why solutions must be both easy and secure.
One organization that’s tapped a simple email solution is George Washington University Hospital, which uses Microsoft 365 in conjunction with Proofpoint encryption software to secure emails.
“There’s no training required. It’s very simple,” Marvin Onyemaechi, the hospital’s director of IT operations, tells HealthTech. Typing the word “private” in the subject line automatically triggers encryption. “That’s all you need to do,” he says.
These days, while email is important, it’s also likely a single part of a strategy that spans several. For this reason, it’s important for IT teams to consider a multipronged approach to HIPAA-compliant communications.
As Susan Snedaker, Tucson Medical Center's director of IT Infrastructure and operations, writes in an article for HealthTech: “Any one technology can help an organization keep PHI secure. But an array of HIPAA-compliant communications solutions — such as encrypted email to communicate with patients and secure messaging systems to facilitate time-sensitive internal communications — might be the better bet.”
2. Understand HIPAA-Compliant Cloud Storage
Healthcare organizations have begun to adopt the cloud in earnest. But that move has also triggered concerns about privacy and security for data stored in the cloud. The good news is that an understanding of the basics of HIPAA compliance can assuage these fears and free providers to adopt cloud technology appropriately.
What are these basics? According to healthcare attorney and consultant David Harlow, any cloud storage provider should be approached by the payor or health provider as a business associate, with appropriate administrative, physical and technical controls in place to address the requirements of the HIPAA Security Rule. Once the cloud provider has been established as a business associate of the covered entity, the rest follows suit.
3. Conduct Regular HIPAA Risk Assessments
As part of HIPAA’s Security Rule, entities covered under HIPAA must conduct risk assessments in order to stay compliant. Moreover, regular risk assessments are key to helping providers understand weak spots or potential vulnerabilities and how to fix them. There is no specific way to undertake a risk assessment, although the Health and Human Services Department does lay out what a typical risk assessment should aim for.
The basic goals of a HIPAA risk assessment are to help the healthcare organization:
Design appropriate personnel screening processes
Identify what data to back up, and how
Decide whether and how to use encryption
Address what data must be authenticated in particular situations to protect data integrity
Determine the appropriate manner of protecting health information transmissions
If you don't have the internal resources to conduct an assessment, consider retaining a professional resource which specializes in HIPAA compliance
4. Weigh Patient Security Against HIPAA Compliance
There’s no doubt that in 2019, patients have begun to expect greater access to their healthcare information. Where portals were once seen as a great improvement in patient access to health data, now tools like Apple Health Records, which offers patients access to their own electronic health records directly on their smartphones, have made “bring your own data” a reality.
But not all transfer of PHI to patients is as cut and dried as Apple’s EHR. As smartphones make their way into examination rooms and radiology suites, patients seeking to photograph images of their own tests have encountered much reluctance on the part of providers who are uncertain if that is HIPAA compliant.
Snedaker breaks down Health and Human Services Department guidance on the topic of medical release laws for HealthTech, noting that patients have the right to:
See and get a copy of their medical records
Have errors and omissions in their medical records corrected (or their disagreements documented)
Get a paper or electronic copy of their medical records
Request the provider send their medical records to another party with permission
“If patients are legally permitted to see and obtain a copy of their records in their preferred
form and format, then it follows that the patient should be able to take a picture of that information during an office visit or consultation with their provider,” Snedaker notes.
For more information on HIPAA compliance, contact the experts at HIPAAcraticRx.