HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA and Healthcare Data Compliance

Access to healthcare can be considered a basic human right, although countries differ on which services the state provides and to whom. Privacy can also be considered a basic human right, and here too the rights granted to individuals vary widely from one country to another.

In the UK, British citizens have access to the National Health Service. Formed in 1948, the NHS provides universal healthcare to all, but there is no common law right to privacy, although privacy disputes can usually be resolved in court.

Across the Atlantic in the United States, privacy laws affect how doctors can operate. A doctor who wants to assess how effective treatments for a particular disease are across the country cannot simply be given automatic access to the records of patients who are not their own; privacy laws prevent it. This is a problem, because sharing patient data enables doctors to gain a better understanding of which treatments are working best.

One way around this is for doctors to share some of their patient data through a service such as SharePoint. The data can then be accessed only by doctors who have been issued a username and password, so access can be restricted to authenticated users, although a password alone does not make the arrangement compliant. Unfortunately, when access is granted through group membership in the hospital's Active Directory rather than to named individuals, it is difficult to demonstrate who actually has access to the data and that that access is being controlled, and that demonstration is required under HIPAA compliance guidelines.


Compliance is essential to ensure that both data and systems are properly protected and that access to data is restricted to authorized users. Data covers spreadsheets, Word documents and PDF files wherever they are held: on on-site or offsite networked storage devices and on any networked equipment that stores or transmits them.

Any organization looking to ensure compliance is required to consider the following three areas:

• Control of data access
• Separation of duties
• Auditing to ensure continued compliance

Access control is essential. All users must be given access only to the data they need to do their jobs, with access to any non-essential data withheld. Duties should be separated so that no single individual holds too much power or knowledge; for example, the person who can grant access to sensitive data should not be the person who uses it. Regular audits should then confirm that these controls remain in place and that compliance continues.

Healthcare organizations should have IT departments able to grant or restrict access to databases and SharePoint sites. They must be able to quickly determine who has access to which data and ensure that access to sensitive data is restricted. Viewing, accessing and uploading data to any site or storage facility must also be subject to appropriate security controls.
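The access review described above, written out as an added example (this is not code from HIPAA Journal, SharePoint or Active Directory): it models the nested group membership that directory services such as Active Directory use, with constructed groups, users, resource ACLs and a need-to-know list, and reports three things an auditor wants to see for each resource: who can effectively reach it, who holds access without a documented need (least privilege), and who can both grant access and read the data (separation of duties). Every name, group and permission in it is made up for the illustration.

```python
"""
Effective-access review over a small, constructed access-control model.

Added example (not HIPAA Journal's code): GROUPS, ACLS and NEED_TO_KNOW are
invented sample data, not a real hospital directory. Nested groups are the
reason "who can read this?" is hard to answer from a SharePoint ACL alone.
"""
from collections import deque

# Constructed directory: group -> direct members (users or other groups).
GROUPS = {
    "Clinicians":      ["dr.patel", "dr.lee", "Oncology"],
    "Oncology":        ["dr.ng", "nurse.ross"],
    "Research-Shared": ["Clinicians", "analyst.kim"],
    "Site-Admins":     ["it.jones", "dr.lee"],
    "Billing":         ["clerk.ahmed"],
}

# Constructed resource ACLs: resource -> {principal: set of rights}.
# "grant" is the right to change the ACL, i.e. to give access to others.
ACLS = {
    "PHI-Oncology-Outcomes": {"Research-Shared": {"read"}, "Site-Admins": {"grant"}},
    "Billing-Export":        {"Billing": {"read", "write"}, "Site-Admins": {"grant"}},
}

# Constructed record of who has a documented need to see each resource.
NEED_TO_KNOW = {
    "PHI-Oncology-Outcomes": {"dr.ng", "nurse.ross", "dr.patel"},
    "Billing-Export":        {"clerk.ahmed"},
}


def expand_group(name, groups=GROUPS):
    """Users reachable from a group through any depth of nesting.
    A seen set tolerates cyclic membership (A in B, B in A)."""
    users, seen, queue = set(), {name}, deque([name])
    while queue:
        for member in groups.get(queue.popleft(), []):
            if member in groups:
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def effective_access(resource, acls=ACLS, groups=GROUPS):
    """Map each user to the union of rights held on the resource, whether
    granted directly or via any of the groups they belong to."""
    rights_by_user = {}
    for principal, rights in acls[resource].items():
        members = expand_group(principal, groups) if principal in groups else {principal}
        for user in members:
            rights_by_user.setdefault(user, set()).update(rights)
    return rights_by_user


def least_privilege_violations(resource):
    """Users who can read or write the data but have no documented need."""
    access = effective_access(resource)
    return sorted(u for u, r in access.items()
                  if (r & {"read", "write"}) and u not in NEED_TO_KNOW[resource])


def separation_of_duties_violations(resource):
    """Users who can both grant access to the resource and read it: they
    could authorize their own access with no second person involved."""
    access = effective_access(resource)
    return sorted(u for u, r in access.items() if "grant" in r and "read" in r)


def audit_report():
    """Per-resource summary a reviewer could sign off on."""
    return {res: {"access": {u: sorted(r) for u, r in effective_access(res).items()},
                  "no_documented_need": least_privilege_violations(res),
                  "grant_and_read": separation_of_duties_violations(res)}
            for res in ACLS}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(), indent=2, sort_keys=True))
```

In the sample data dr.lee never appears in the PHI resource's ACL, yet ends up able to both read it (via Clinicians, nested in Research-Shared) and grant access to it (via Site-Admins); that is exactly the kind of finding that is invisible when only the ACL is inspected, and the audit here surfaces it. In a real environment the GROUPS table would be populated from directory queries and the ACLs from the SharePoint site permissions rather than typed in.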

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.