HIPAA Compliance: A Model for all Businesses
The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 in order to set minimum standards for healthcare insurance, with the legislation also covering the safe storage of electronic healthcare data of patients. All entities covered under HIPAA, as well as their business associates, must take appropriate measures to ensure that the Protected Health Information of patients cannot be accessed by unauthorized individuals.
For a healthcare organization to be HIPAA compliant, a number of policies and procedures must be introduced. All systems and servers must be assessed for security risks, data must be stored securely and backed up, and a disaster recovery plan must be documented so that in the event that data is lost, corrupted or stolen it can be recovered promptly.
A standard contingency plan must be devised and a number of documents created to confirm that HIPAA regulations have been addressed. The documentation must cover the backup of data, include a detailed disaster recovery plan, and set out emergency mode operating procedures. Additionally, documents must detail the testing of computer systems, apps and devices for security risks. A schedule must also exist for revising and updating procedures on a regular basis.
Healthcare data must always be available to doctors, and in emergency situations any lost data must be recovered promptly. After all, patients cannot be expected to wait for their data to be retrieved before receiving urgent medical services. Healthcare organizations need to take a highly granular approach, detailing every small step and precaution which must be taken to protect electronic Protected Health Information (ePHI), as well as to restore that data if it is lost or corrupted.
Data must be correctly labeled, as large databases are likely to require numerous data storage tapes and it is essential that the correct backup tape or device can be quickly identified. Policies must be developed for the safe storage of backed-up data – which should be located off site – and procedures documented for cloud data storage and recovery. Each entity must conduct a thorough risk assessment to identify any potential privacy or security holes, and action must be taken to ensure that any security issues are addressed to prevent unauthorized access to the data. The administration involved in protecting data under HIPAA is considerable, but essential.
While HIPAA regulations only cover healthcare entities, their business associates and subcontractors, the practices which must be employed to protect confidential patient data serve as a template for non-healthcare institutions to follow. If businesses adopt the same procedures and security policies, it will help to ensure that sensitive data remains private and secure, and is quickly recoverable in emergencies.