Healthcare data is protected by law, and any personally identifiable information (PII) or Protected health information (PHI) is bound by federal laws in the United States. This article will cover all the HIPAA rules and regulations that guard our sensitive patient health information.
Data is valuable; not only does it contain all sorts of interesting facts relevant to us, but it also has monetary value. Eric Schmidt, one of the founders of Google, famously said, “We have created more data in the last two years than in the entire history of mankind.” Most of Google and Facebook’s revenue comes from buying and selling data. Data certainly makes the world go around; it creates insights into our lives, helps to predict our future, and holds the key to our health.
Data in healthcare is a serious business; it’s illegal for healthcare organizations to sell your data to the highest bidder, and rightly so.
A Definition of Health Insurance Portability and Accountability Act
HIPAA was signed into federal law in 1996 by President Bill Clinton. HIPAA served two purposes:
Purpose #1: Health Insurance Portability
The often overlooked part of HIPAA was the initial requirements to fix “job lock,” a scenario where employees felt pressured to stay in unsatisfying jobs to keep their health insurance. HIPAA fixed this issue practically overnight by making health insurance policies portable.
HIPAA also fixed another injustice in healthcare insurance, guaranteed health insurance coverage for pre-existing conditions, and broadened access to insurance coverage.
Purpose #2: Administrative Simplification Provisions
The second objective of HIPAA was to streamline healthcare transactions, such as healthcare claims processing. This made it more efficient and cost-effective for providers and insurers and made fraud and abuse harder.
However, the administrative simplification provisions have evolved into the HIPAA safeguards we know today. It paved the way for the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule amendments.
Who needs to be HIPAA compliant?
Essentially, anyone who handles HIPAA data is in the scope of HIPAA compliance requirements. Those that create the data, those that process the data, and businesses or third parties involved in each step of processing protected health information.
To simplify this categorization, the HHS Office for Civil Rights classifies all parties as a covered entity or a business associate.
Covered Entities
A Covered Entity (CE) is an organization that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.
The U.S. Department of Health and Human Services (HHS) officially defines a CE as:
- Healthcare Providers – doctors, dentists, nursing homes, pharmacies, etc.
- Health Plans – health insurance companies, HMOs, Medicare, Medicaid, etc.
- Clearinghouses – transcription services, etc.
Each Covered Entity has a legal requirement to protect patient data from loss, theft, and misuse. The CE may work with a business associate to outsource specific business functions like cloud hosting. To appropriately place the responsibility into the hands of a Business Associate, all involved companies must agree to the terms of Business Associate Agreements (BAA).
Business Associates
These individuals or organizations perform certain functions or activities for a covered entity, such as billing services, medical transcription, or data storage. A Business Associate who also handles or processes PHI on behalf of the covered entity is classified as a business associate.
Atlantic.Net is a business associate, as we provide HIPAA-compliant hosting services to the healthcare industry. Covered Entities may use our service to process and transmit protected health information. We sign a BAA with each of our healthcare clients to document our responsibilities and the guarantees we adhere to when handling PHI.
What is Protected Health Information?
Any patient-identifying information stored digitally falls under electronic protected health information (ePHI). Nevertheless, it’s crucial to grasp which data qualifies as protected health information (PHI) under HIPAA regulations.
According to the HHS, Protected Health Information is classified as:
- Past, present, or future physical or mental health condition: This includes diagnoses, test results, medical history, medications, allergies, genetic information, etc.
- The provision of healthcare to the individual: This includes details about appointments, procedures, treatments, referrals, etc.
- The past, present, or future payment for the provision of healthcare to the individual: This includes insurance information, billing information, claims data, etc.
Any information that can identify the patient is considered individually identifiable health information and is in-scope of HIPAA legislation; this includes:
Direct identifiers:
- Full name
- Postal address (including street name, city, state, and ZIP code)
- Telephone number
- Fax number
- Email address
- Social Security number (SSN)
- Medical record number (MRN)
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers (including license plate numbers)
- Device security identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers (e.g., fingerprints, facial images, iris scans, voiceprints)
- Full-face photographic images and any comparable images
- Dates (e.g., birth date, admission date, discharge date)
Indirect identifiers:
- City, state, and ZIP code
- Elements of dates (e.g., year, month, day)
- Age
- Gender
- Race
- Ethnicity
- Religion
- Marital status
- Occupation
- Education level
- Income level
- Type of health insurance
- Geographic location (e.g., city, neighborhood)
- Type of medical treatment received
- Dates of medical appointments
- Unique identifying numbers assigned to individuals for research or other purposes
Therefore, considering everything above, we can conclude what is PHI and what is not.
What is Classified as Protected health information?
PHI is:
- A patient’s medical record containing their name, diagnosis, and treatment plan.
- A laboratory report with the patient’s name and test results.
- An X-ray with the patient’s name and date of birth.
- A list of patients treated for a specific condition without including any names.
What is NOT Classified as Protected health information?
PHI is not:
- Vital signs data without any patient identifiers.
- Aggregate statistics about a population’s health, such as the number of people with diabetes in a city.
- De-identified genetic data used for research purposes.
As you can tell, classifying what is classified as protected health information is a complicated process. You have to consider the HIPAA security rule checklist and the HIPAA Privacy rule to gather a complete understanding of what is in scope. HIPAA regulations bind any electronic protected health information that falls into these classifications.
When creating applications and managing and maintaining data, it’s essential to remember these stringent guidelines of HIPAA data compliance.
HIPAA Privacy Rule
The HIPAA Privacy Rule was created to balance the need for secure medical data protection with the requirement of digitizing the patient information flow needed for quality healthcare and public cloud health services.
The HIPAA Privacy Rule sets the standard for how protected health information can be collected, processed, and, in certain circumstances, disclosed.
The Privacy Rule can be broken up into six key areas:
#1: Authorization
Protected health information can be disclosed when certain conditions are in place. The Privacy Rule already allows PHI to be disclosed with other healthcare providers involved in the patient’s care, as well as with insurance companies, billing services, or other services related to the cost of healthcare. PHI can also be shared as requested by healthcare operations, such as quality improvement, case management, and healthcare fraud and abuse detection.
PHI can be shared if required by law, such as a criminal investigation; it can also be declared to authorize the next of kin or in cases where the patient’s well-being is threatened.
#2: Minimum Required Standards
When PHI is approved for collection, specific rules exist about what information can be collected. Covered entities and business associates are bound by the rule that only the minimum required data, data necessary for the patient’s care, can be collected. You are not allowed to harvest all the personal information you want.
This approach encourages minimal data collection and the de-identification of PHI wherever possible. Consider personal biometrics; redacting any protected health information will allow the information to be used in research and training.
#3: Individual Rights
An essential human right is for the patient to be allowed access to inspect what information is held on record about them. The patient can also request for any inaccuracies to be corrected if they believe it is inaccurate or incomplete.
The Privacy Rule also gives the patient the right to request restrictions on certain uses and disclosures of their PHI. The idea is to enforce the requirement that the patient controls their data.
#4: Accounting for Disclosures
You only need to view the OCR Hall of Shame to see that unauthorized data breaches still occur. It is a mandatory step of HIPAA compliance requirements to account for unauthorized disclosures of PHI. It doesn’t matter how big or small the incident is; the case must be reported to the OCR, who will pass judgment independently.
The HIPAA Privacy Rule requires covered entities to maintain records of disclosures of PHI for purposes other than treatment, payment, or healthcare operations and allows individuals to request an accounting of these disclosures to track how their PHI has been shared.
#5: Security Safeguards
The HIPAA Privacy Rule directly references the HIPAA Security Rule by mandating covered entities to implement appropriate administrative, technical, and physical safeguards to protect PHI’s confidentiality, integrity, and availability.
Including specific requirements for access controls, data encryption, and breach notification procedures. We will cover this in more detail in the section below.
#6: Enforcement
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) enforces the HIPAA Privacy Rule to ensure HIPAA compliance. The OCR can investigate complaints, conduct compliance reviews, and impose civil penalties for a HIPAA violation over how PHI is handled.
HIPAA Security Rule
The HIPAA Security Rule plays a vital role in upholding HIPAA Data Complaint. Launched in 2003, it helped to create the cornerstone of data security requirements covered entities and business associates must adhere to.
The Security Rule sets out three main types of security measures that need to be put in place for compliance:
Administrative safeguards
The full suite of HIPAA administrative simplification regulations involves establishing, selecting, implementing, and maintaining security measures that effectively shield ePHI (electronically protected health information).
This includes managing how the workforce behaves in safeguarding this sensitive patient data. Examples of administrative safeguards include:
- Setting up comprehensive security policies and procedures, like access control and authentication measures, to monitor and regulate workforce access to ePHI.
- Conducting a routine risk assessment and vulnerability scans to identify potential security gaps and manage security risks proactively.
- Providing ongoing security training and awareness programs for employees to educate them about the best practices in securing ePHI.
- Developing and implementing incident response plans to address and mitigate a security data breach or incidents effectively.
Physical safeguards:
Physical safeguards are tangible measures, policies, and procedures to safeguard electronic information systems, infrastructure, and equipment from natural hazards, environmental threats, and unauthorized access.
The goal is to create a physical barrier preventing unauthorized individuals from accessing ePHI. Examples include :
- Installing security cameras and access control systems to monitor and control physical access to areas where ePHI is stored.
- Measures like locked server rooms, secure cabinets, and biometric authentication systems to limit physical access to ePHI.
- Safely disposing of physical media (such as hard drives, CDs, or printed records) containing ePHI through secure destruction methods like shredding or degaussing.
Technical safeguards:
Technical safeguards encompass the use of technology, along with appropriate policies and procedures, to secure ePHI and control its access.
This involves implementing solid technological measures to protect electronic information from unauthorized disclosure or alteration. Examples include:
- Encrypting ePHI during storage and transmission to prevent unauthorized access or interception and using secure protocols like SSL/TLS for data transmission.
- Implementing firewalls and intrusion detection systems to monitor and control network traffic, identifying potential threats or unauthorized access attempts.
- Requiring robust passwords, multi-factor authentication, or biometric verification to access systems or applications containing ePHI.
- Regularly applying security patches and updates to software, operating systems, and applications to fix known vulnerabilities.
Ultimately, the HIPAA Security Rule aims to create trust between healthcare providers, patients, and any third parties by setting stringent standards to protect sensitive patient data, ensuring its confidentiality, integrity, and availability while promoting a secure healthcare ecosystem.
How To Achieve HIPAA Data Compliance.
As we have discovered so far, ensuring compliance with healthcare regulations of the Health Insurance Portability and Accountability Act (HIPAA), and particularly the Security Rule and Privacy Rule, is crucial for covered entities and business associates dealing with sensitive patient data. Achieving and maintaining HIPAA compliance involves various measures, including administrative, physical, and technical safeguards.
HIPAA compliance requirements oblige covered entities to implement specific security measures and risk assessments. Healthcare organizations, including the covered healthcare providers and those who offer health plans, must ensure that integrity controls and access controls are in place to protect individually identifiable health information (IIHI). Failure to comply with such HIPAA regulations can lead to penalties, including civil money penalties for HIPAA violations or breaches.
Covered entities and business associates are required to establish robust security management processes and regularly conduct risk analyses. Employee training is also vital to maintain HIPAA compliance and prevent data breaches. Maintaining compliance involves ensuring that electronic health records (EHRs) and medical records are secure and that breach notification rules are promptly followed in case of any data breaches.
Partnering with reliable and reputable cloud service providers (CSPs) that demonstrate HIPAA compliance and are willing to enter into Business Associate Agreements can significantly aid in maintaining regulatory compliance. A suitable CSP (or Managed services provider) will help healthcare organizations navigate the complexities of HIPAA compliance and provide turnkey solutions tailored to specific compliance needs.
It’s crucial to note that HIPAA compliance goes beyond just meeting the minimum requirements; it’s about safeguarding sensitive patient data and ensuring the security and privacy of healthcare information according to national standards. Complying with HIPAA regulations is a continuous process that requires diligence, accountability, and a comprehensive understanding of the privacy and security rules to protect patient data effectively.
How Atlantic.Net Creates HIPAA Data Compliance Services
Atlantic.Net is approaching 30 years of providing telecoms and IT solutions to a wide range of global customers. Healthcare organizations choose Atlantic.Net because we are big enough to handle the demands of their businesses but small enough to care immensely about how your business succeeds in the competitive healthcare industry.
Our hosting service offers a secure environment for storing and managing electronic health records. We prioritize protecting patient data and implement advanced security measures to achieve this. Access control tools like passwords and PINs are used to prevent unauthorized entry, encrypting access to authorized personnel only, and fortifying the security of patient information.
Our HIPAA platform encrypts all static data at rest (like files saved on disk) and data in transit (such as network traffic between Atlantic.Net and healthcare providers), adding an extra layer of security to hinder unauthorized access.
A significant feature of our HIPAA hosting service is the SIEM-powered audit trail tools, recording access to patient information, changes made, and timestamps. This provides a comprehensive record of activities related to a patient’s electronic health record, allowing healthcare providers to monitor access and changes effectively.
Additionally, we offer various features that further enhance electronic health record protection, including HIPAA-compliant web and database hosting, managed HIPAA cloud, dedicated servers, and secure block storage. These solutions are tailored for healthcare applications, surpassing the administrative, physical, and technical safeguards mandated by HIPAA.
Our HIPAA-compliant hosting solutions are SOC 2 and SOC 3 certified, HIPAA and HITECH audited, reflecting our commitment to maintaining the highest security and compliance standards. The hosting platform is built to industry-leading standards, providing a robust, feature-rich solution powered by cutting-edge technology, ensuring high performance in dedicated and cloud server environments with a 100% uptime SLA.
Furthermore, we offer managed services like backups, server management, intrusion prevention systems, vulnerability scans, anti-malware, and network security to further fortify the security of electronic health records.
We comply with HIPAA by providing a Business Associate Agreement (BAA) with all HIPAA hosting plans, ensuring external organizations handling electronic protected health information meet HIPAA responsibilities.
If you seek a reliable and secure solution for healthcare data needs that surpasses standards, consider Atlantic.Net’s HIPAA-compliant data hosting services. We aim not just to meet but to exceed these standards.