HIPAA Data Security Requirements
HIPAA Data Security Requirements
Complying with the HIPAA Data Security Requirements
In order to comply with the HIPAA data security requirements, healthcare organizations should have a solid understanding of the HIPAA Security Rule. The HIPAA Security Rule contains the administrative, physical and technical safeguards that stipulate the mechanisms and procedures that have to be in place to ensure the integrity of Protected Health Information (PHI).
- The Administrative Safeguards primarily concern the requirement to conduct ongoing risk assessments in order to identify potential vulnerabilities and risks to the integrity of PHI.
- The Physical Safeguards concentrate on the measures that should be implemented to prevent unauthorized access to PHI, and to protect data from fire and other environmental hazards.
- The Technical Safeguards relate to the controls that have to be put in place to ensure data security when PHI is being communicated on an electronic network.
Why the Administrative Safeguards are Important
When considering the HIPAA data security requirements, it is essential not to overlook the administrative safeguards. The administrative safeguards have an important role to play in ensuring the integrity of PHI, as they establish the security management process and control the management of information access.
Managing information access is a key part of the HIPAA data security requirements. The appropriate management of who, when and how PHI can be accessed – and how access is monitored – is important to the accurate completion of risk assessments. Without accurate risk assessments, there may be data breaches happening that are not identified and a healthcare organization could be exposed to sanctions.
The administrative safeguards are particularly relevant in an environment that promotes BYOD policies. If medical professionals are allowed to use personal mobile devices to support their workflows, there has to be a suitable policy in place to advise the medical professionals about appropriate use and best practices in order to reduce the risk of a breach of PHI to the minimum possible.
The Physical Safeguards Apply to Mobile Devices as Well
The physical HIPAA data security requirements are often interpreted as referring to the physical locations in which computer hardware is maintained. Although the physical safeguards do concern monitoring access to facilities in which computer equipment is stored and the validation of personnel entering these facilities, they also apply to PHI accessed by and stored on mobile devices.
At a time when the use of personal mobile devices is increasing in medical facilities (87% of doctors use a Smartphone at work to support their workflow according to a Manhattan Research/Physician Channel Adoption study), the physical HIPAA data security requirements stipulate that any device used to access PHI must an automatic log-off facility so PHI cannot be accessed by unauthorized personnel when a workstation or mobile device is left unattended.
Mobile devices (and USB flash drives) should also be a consideration when developing and implementing policies about the transfer, removal, and disposal of PHI. Specific measures must be implemented to ensure that PHI can be deleted remotely in the event that a personal mobile device or USB drive is lost, stolen or otherwise disposed of.
Further Controls within the Technical Safeguards
The technical HIPAA data security requirements contain three sets of “controls” – access controls, audit controls and integrity controls. The first two sets of controls stipulate how personnel accessing PHI should authenticate their identity, while the integrity controls provide instructions of how PHI at rest should be stored to ensure it is not improperly altered or deleted.
Also within the technical safeguards are the requirements concerning PHI in transit – i.e. PHI being communicated from one medical professional to another. These requirements state that healthcare organizations must implement measures that protect against the interception of messages or third party retrieval of messages that are transmitted over an electronic network.
This means that healthcare organizations have a responsibility to ensure that all emails and SMS messages containing PHI – or that have attachments containing PHI – are secure and accountable. This is a difficult requirement to fulfill when copies of messages remain indefinitely on service providers´ servers. The alternatives would appear to be either to encrypt every email and SMS, or instruct medical professionals never to send PHI in an electronic communication.
Secure Messaging Resolves Potential Security Rule Issues
The logistics of encrypting every email and every SMS would be a massive problem. Finding an encryption solution that works across different operating systems and different devices – and complies with the other HIPAA data security requirements – would create a major headache for IT departments, and the potential for breaches of PHI may still exist.
This is why many healthcare organizations have implemented secure messaging solutions. Secure messaging solutions work via messaging apps that can be downloaded onto desktop computers and personal mobile devices irrespective of the operating system. They assist compliance with the HIPAA Security Rule by encrypting and encapsulating all communications containing PHI within a healthcare organization´s private communications network.
Security measures are in place to prevent the accidental or malicious disclosure of PHI; and message lifespans can be set so that communications are automatically deleted from a user´s app after a predetermined period of time. ID authenticating systems, automatic archiving and forced log offs also enable healthcare authorities to comply with the HIPAA data security requirements.
The Benefits of Secure Messaging in a Healthcare Environment
In addition to helping healthcare organizations comply with the HIPAA data security requirements, secure messaging has a number of benefits in a healthcare environment. Secure messaging increases message accountability and reduces phone tag, freeing up more time for medical professionals to attend to their patients and increase patient satisfaction.
As test results, wound images and CT scans can be attached to secure messages, doctors are quickly able to access key data regarding their patients with secure messaging, while nurses (67% of whom use Smartphones at work according to an American Nurse Today study) can securely request physician consults or escalate patient concerns.
Multi-party conversations can accelerate hospital admissions and patient discharges, while – when integrated into an EMR – secure messaging solutions have been shown to reduce patient safety issues by 27 percent and medication errors by 30% (2015 study conducted by the Tepper School of Business at the Carnegie Mellon University on hospitals in Pennsylvania).
Prevent Employees Undermining the HIPAA Data Security Requirements
Not all of the Security Rule relates directly to the HIPAA data security requirements. There are some areas of the safeguards that concern the development of best-practice policies. It is equally important to be aware of these areas of the Security Rule in order to implement policies that will prevent an employee from undermining the efforts made to comply with the HIPAA data security requirements.