Security & Compliance
Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) mandates protecting the privacy and security of patients’ confidential health information, including when and with whom that information can be shared.
The HIPAA Privacy Rule regulates the use and disclosure of patient data, whether verbal, written, or electronic (including email and file transfer), by health care providers, health plans, and health care clearinghouses, collectively known as covered entities. The HIPAA Security Rule specifically defines security standards for the management of protected health information in electronic form (ePHI) by covered entities.
The Health Information Technology for Economic and Clinical Health (HITECH) Act (2009) and the HIPAA Omnibus Rule (2013) strengthen HIPAA’s privacy and security rules and toughen the penalties for breaches of patient privacy and health information security.
Covered entities must be in compliance with HIPAA’s privacy and security standards even if they contract with vendors to perform some of their essential functions. In other words, your responsibilities and liabilities under HIPAA extend to all of your business associates. These include labs, billing offices, clinical services, and the like, as well as the providers of your cloud-based IT services.
Under HIPAA, you must maintain security and access control over the storage of your email, health records, and every other system that handles ePHI, and be able to demonstrate that control in order to prove compliance.
You must have systems and procedures in place to record and examine all activity in the systems that store or use ePHI. In practice, you must be able to log and verify every attempt to access ePHI, not only the successful ones. This includes tracking and reporting all email sent inside and outside of your network. You must also be able to document the access and security controls that protect patient privacy in your voice communications.
Such audit and reporting capabilities are not just your responsibility; they are also your best protection. They let you keep your systems’ performance and compliance at peak levels and spot vulnerabilities before they escalate into incidents. They also give you the data you need to demonstrate compliance with federal regulations. That is essential, because in addition to meeting HIPAA’s broad set of requirements, you also have to prove your compliance by satisfying regular audits, inquiries, or claims.
Email. HIPAA compliance requires that the technical safeguards for your email system and practices fall into three main categories:
Files. Multiple parties, both inside and outside of your organization, need access to your patients’ electronic health information and that imposes a complex set of requirements on your IT systems, including:
Remember, the same requirements apply to the covered entities and business associates with whom you communicate and share protected information, including the cloud IT providers to which you outsource essential business services.