HIPAA Compliance: How a Small Lab Can Be Compliant


Most people consider their privacy, and especially the privacy of personal information such as health records, to be tremendously important. It was considered important enough that the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, set forth guidelines for a national standard to keep personal health information protected. Keeping that promise has only become harder in a time when personal information is leaked, intentionally or not, by the companies that hold it. Cybersecurity matters more now than ever: the world spends billions to prevent intrusions and DDoS (distributed denial of service) attacks, and the risk grows as personal health information is stored in cloud services and other electronic systems. (1)

This is why understanding HIPAA is so important. Unfortunately, the sheer size of HIPAA can intimidate anyone without much experience interpreting law. The Security Rule (one of the five HIPAA rules) lays out how organizations must keep electronic protected health information confidential, available, and unaltered by unauthorized individuals. This can be a burden on a small facility that may not have the resources to keep a dedicated security officer on staff.

This article should help you decipher some of the more challenging parts of the HIPAA rules for small businesses that work with protected health information (PHI). One thing to take away up front: researchers studying small healthcare facilities found that the better the staff understood the HIPAA rules, the more compliant the facility tended to be. (3)

Please note that not every implementation specification in the Security Rule is strictly required. Some are 'addressable', which means an organization must assess whether the specification is a reasonable and appropriate safeguard in its environment; if it is, implement it, and if it is not, document why and put an equivalent alternative measure in place where that is reasonable and appropriate. Addressable does not mean optional. Any specification that is addressable will be indicated as such below.

As an additional side note, HIPAA is federal law and preempts any contrary state law that is less protective. Where a state law is stricter than HIPAA, or works alongside it, both must be followed. This article discusses the federal HIPAA rules specifically.

There is no single piece of software or one-size-fits-all solution that makes a company HIPAA compliant. The Department of Health and Human Services (HHS) recognizes this, and a number of different products can be used in a compliant way. Independent researchers have also found that neither compliance activity nor security practice alone is enough; it is the combination of the two that truly improves both regulatory compliance and security performance. (2)

So what are the Security Rule's requirements, specifically? Its safeguards fall into three categories: administrative safeguards, physical safeguards, and technical safeguards. Each category is broken down into standards and implementation specifications that are either required (meaning they must be implemented as written) or addressable (meaning there is more leeway in how they are met). Make no mistake, both kinds must be addressed by any HIPAA compliant system; it is only the rigidity of how they must be followed that sets them apart.

One of HIPAA's most important features is the Security Rule, which is meant to ensure that electronic protected health information (ePHI) stays confidential, available to the appropriate parties, and intact. In other words, it should be accessible only by authorized parties and not alterable or usable by anyone else. Any covered entity storing ePHI electronically must identify and protect against reasonably anticipated threats to the security or integrity of that information, protect against reasonably anticipated impermissible uses or disclosures, and ensure that its workforce complies with these rules.

The first category of safeguards is administrative. This covers managing security and possible breaches, having people responsible for developing and implementing the necessary security, de-identifying PHI where appropriate, training the workforce, and periodically evaluating the organization's security policies and procedures; all of these are management responsibilities for PHI. Breach handling is also standardized: under the Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, and if the breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must be notified as well. (3) While these rules fall mostly on administrative staff, having all staff understand them contributes to a facility's overall comprehension of HIPAA, and as mentioned earlier, the more staff who understand the rules, the more compliant a facility tends to be.

The second category is physical safeguards, which covers the security of the facility itself and how mobile a given platform is (can it be removed from the facility it is housed in, for example). A platform here means any device from which a person can access PHI, such as a laptop or smartphone. This raises the question of whether electronic health records can be compliant at all when they can be accessed from a number of different devices. They can, and that will be discussed in a later article. For now, let's continue with the other steps for complying with these laws.

For any facility, physical protection against intrusion is a must. Addressable ways to meet this standard include a facility security plan (alarms, locked doors, and the like) and maintenance records that show when particular physical security measures, such as locks and doors, were checked or repaired. Keeping those logs and records is necessary so that HHS, auditors, or others can see evidence of compliance.

Technical safeguards are the third category. Data should be accessible only by authorized personnel, and that access should be logged and reviewed so that audits can readily spot irregularities that might indicate a breach. There must be policies and procedures to ensure that PHI is neither altered nor destroyed improperly, and that it is not accessed or transmitted by unauthorized parties.

When a business knows that a breach is possible through a particular activity or practice, it must take steps to correct it and make certain that patient privacy is not violated; this is another HIPAA requirement. As with any violation, the fines and the damage to a company's reputation can be tremendous, along with the breakdown of trust between patients and the company. This applies both to the business itself and to any business associates it contracts with, so every facility and software product involved needs to remain vigilant for possible data leakage. Policies must also be kept up to date, along with records of the actions taken under them, and any updates or changes should be made with preventing breaches of ePHI in mind.

For the security management process, all four parts (risk analysis, risk management, sanction policy, and information system activity review) are required. Essentially, every organization must identify the risks to the confidentiality, integrity, and availability of its ePHI, decide what measures and policies it needs to reduce them, regularly review its audit logs and access reports, and have procedures for dealing with employees who do not abide by those policies. HIPAA's emphasis is on making absolutely certain of the privacy of each person's data, so it is especially important that breaches or violations by employees are appropriately sanctioned, which is why these particular policies have to be enforced.

Another administrative standard is workforce security, which means that the right employees have appropriate access to PHI and that other workers do not have access without appropriate supervision. Its implementation specifications are addressable, so while the guidelines for meeting them are less rigid, they must still be met reasonably; it is up to each entity to decide how to implement them effectively without a huge impact on workflow. Security awareness and training, such as training on password management, is another standard with addressable specifications. This applies to all levels of the workforce, including management, but each entity decides how best to incorporate it into its workplace.

A contingency plan for emergencies (a hurricane or vandalism, for example) is required. Backing up your data is a required part of that plan, so that even when data is lost it can still be retrieved from a backup.

Business associate contracts and other arrangements are required to ensure that anyone acting as a business associate abides by the HIPAA rules. Because this standard is required, those contracts and the associated documentation must be in place whenever a business associate is involved.

Workstation use is a required standard: there must be policies on the proper functions, manner of use, and physical surroundings of any workstation that can access or alter ePHI. This can be trickier for some companies to implement, but in practice it means things like privacy screens, positioning monitors away from public view, and password verification before someone can alter health records.

Any hardware used to store or transport PHI must be covered by disposal policies; this falls under the device and media controls standard, in which disposal (and media re-use) is required while the data backup and storage specification is addressable. This reflects how important it is that the data be kept private and disposed of properly rather than allowed to spread.

Technical safeguards are the rules that keep the technology itself from being compromised or viewed unlawfully. These include unique login credentials for each user (required) and automatic logoff (addressable). As with essentially every aspect of HIPAA, the most important takeaway is that only authorized persons should be able to view or alter PHI.

Another technical safeguard is person or entity authentication: verifying that a user is who they claim to be. This is required, and it can be done with something the user knows (a password or PIN issued in advance), something they have (a smart card, token, or a specific trusted device), or something they are (a biometric). Finally, and perhaps most importantly for cloud-based storage, there is transmission security. Its specifications (integrity controls and encryption) are addressable because they may not apply to every system, but encryption is a vital part of any system that transmits ePHI over an open network. In practice this might mean encrypting documents with a password or PIN, or banning the sending of PHI through unencrypted email.
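The technical safeguards above (unique user identification, automatic logoff, audit controls, and information system activity review) are easier to picture as a script than as a rule. The following Python audit-log review is an added example written for this article, not code from the original post or from any EHR product. It reads a constructed access log and flags the irregularities a reviewer would look for: PHI accessed through a shared account (no unique user ID), a session that sat idle past the logoff limit and then resumed, access outside business hours, access to patients a user is not assigned to, and a bulk export. The log format, the policy thresholds, the account names, and the patient assignments are all assumptions constructed for the example; a real lab would substitute its own values.

```python
"""ePHI access-log review (added example; log format, thresholds and names are assumed)."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user action record session ip")

# Policy values below are assumptions for this example, not taken from HIPAA or the article.
SHARED_ACCOUNTS = {"labshared", "frontdesk"}   # generic logins that defeat unique user identification
IDLE_LIMIT = timedelta(minutes=15)            # automatic-logoff threshold the lab's policy sets
BUSINESS_HOURS = range(7, 20)                 # 07:00 to 19:59 counts as normal working hours
BULK_THRESHOLD = 5                            # more distinct records per user per day than this is suspicious
ASSIGNMENTS = {                               # which patient records each user is cleared to work on
    "jsmith": {"PT-1042", "PT-1043"},
    "mlee": {"PT-3001"},
    "rkhan": {"PT-5100"},
}

# Constructed sample log: timestamp user action record session source_ip
SAMPLE_LOG = """\
2024-03-04T08:02:11 jsmith VIEW PT-1042 S1 10.0.0.12
2024-03-04T08:05:40 jsmith EDIT PT-1042 S1 10.0.0.12
2024-03-04T08:40:10 jsmith VIEW PT-1043 S1 10.0.0.12
2024-03-04T09:15:00 labshared VIEW PT-2210 S2 10.0.0.30
2024-03-04T10:02:00 rkhan VIEW PT-5100 S4 10.0.0.51
2024-03-04T10:03:00 rkhan VIEW PT-1042 S4 10.0.0.51
2024-03-04T23:30:00 mlee EXPORT PT-3001 S3 10.0.0.44
2024-03-04T23:31:00 mlee EXPORT PT-3002 S3 10.0.0.44
2024-03-04T23:32:00 mlee EXPORT PT-3003 S3 10.0.0.44
2024-03-04T23:33:00 mlee EXPORT PT-3004 S3 10.0.0.44
2024-03-04T23:34:00 mlee EXPORT PT-3005 S3 10.0.0.44
2024-03-04T23:35:00 mlee EXPORT PT-3006 S3 10.0.0.44
"""


def parse_log(text):
    """Parse whitespace-separated log lines into Event tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, session, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, record, session, ip))
    return events


def review(events):
    """Return a list of (check, user, detail) findings for a reviewer to follow up on."""
    findings = []
    by_session = defaultdict(list)
    records_per_user_day = defaultdict(set)
    after_hours = defaultdict(int)

    for e in events:
        by_session[e.session].append(e)
        records_per_user_day[(e.user, e.ts.date())].add(e.record)
        if e.ts.hour not in BUSINESS_HOURS:
            after_hours[(e.user, e.ts.date())] += 1
        if e.user in SHARED_ACCOUNTS:
            findings.append(("shared_account", e.user,
                             f"{e.action} {e.record} at {e.ts:%H:%M} via a generic login; nobody is individually accountable"))
        elif e.record not in ASSIGNMENTS.get(e.user, set()):
            findings.append(("not_assigned", e.user,
                             f"{e.action} {e.record} at {e.ts:%H:%M} outside the user's assigned patients"))

    # A long gap inside one session means the workstation stayed logged in while unattended.
    for session, evs in by_session.items():
        evs.sort(key=lambda x: x.ts)
        for prev, cur in zip(evs, evs[1:]):
            gap = cur.ts - prev.ts
            if gap > IDLE_LIMIT:
                findings.append(("idle_session", cur.user,
                                 f"session {session} idle {int(gap.total_seconds() // 60)} min then resumed; automatic logoff not enforced"))

    for (user, day), n in after_hours.items():
        findings.append(("after_hours", user, f"{n} access events on {day} outside business hours"))

    for (user, day), recs in records_per_user_day.items():
        if len(recs) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(recs)} distinct records on {day}; possible mass export"))

    return findings


def summarize(findings):
    """Count findings per check so a weekly review can be tracked over time."""
    counts = defaultdict(int)
    for check, _, _ in findings:
        counts[check] += 1
    return dict(counts)


if __name__ == "__main__":
    for check, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{check:15} {user:10} {detail}")
```

Run against the sample log, the review produces ten findings: one shared-account use, one idle session (S1 sat for 34 minutes between events), one after-hours user-day, one bulk export, and six accesses to unassigned patients. Each finding is a lead for the information system activity review, not a verdict; the sanction policy decides what happens after a human confirms it. The same structure extends to any log source that records who touched which record, when, and from where.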

These are the main parts of HIPAA that even small businesses must address when dealing with PHI. Once again, the required specifications for healthcare entities are: security management process (risk analysis, risk management, sanction policy, and information system activity review), contingency plan (data backup), business associate contracts and other arrangements (written contracts, etc.), workstation use, device and media controls (disposal), access control (unique user identification), and person or entity authentication. Addressable specifications include workforce security (authorization or supervision), security awareness and training (password management), facility access controls (facility security plan and maintenance records), device and media controls (data backup and storage), access control (automatic logoff), and transmission security (encryption).

As noted at the beginning of the article, the more a facility's staff know about HIPAA, the more compliant the facility tends to be. Because these laws help establish trust between patients and any facility that handles their personal health information, being compliant extends that trust to your company. The more people who understand these laws, the better it is for any facility.

Hopefully, walking through these rules has brought a new understanding of HIPAA, or at least made some of the law a little more understandable. In our next article, we'll discuss some of the ways a cloud-computing system can be HIPAA compliant and how this can help your company.

(Thank you so much for reading to the end!)

Citations:
(1) Mohammad, D., Mariani, R., Mohammad, S. (2015). "Cybersecurity Challenges and Compliance Issues within the US Healthcare Sector". International Journal of Business and Social Research, Vol. 5, Issue 2. Retrieved from https://thejournalofbusiness.org/index.php/site/article/viewFile/714/502
(2) Kwon, J., Johnson, M. E. (2011). "The Impact of Security Practices on Regulatory Compliance and Security Performance". 32nd International Conference on Information Systems (ICIS 2011), Shanghai. Retrieved from http://www.ists.dartmouth.edu/docs/icis-proc2011-johnson_kwon.pdf
(3) Martin, N. L., Imboden, T., Green, D. T. (2015). "HIPAA Security Rule Compliance in Small Healthcare Facilities: A Theoretical Framework". Issues in Information Systems, Vol. 16, Issue 1, pp. 180-188. Retrieved from https://pdfs.semanticscholar.org/8449/87d95cb4b29988817a1622fe141a7ee4ae5f.pdf