HIPAA and Your Website
Technology has improved almost every aspect of daily life, and the Internet more than any other technology has changed the way businesses operate. The healthcare industry, however, has often lagged in adopting it, and there is now growing pressure on medical practices to offer online services such as electronic prescriptions, appointment scheduling, and even remote care. In the age of cloud-based data storage, that expansion brings a growing concern about security and privacy. Adding web-based services to your medical business can be vital for sustaining and growing revenue, but accomplishing it requires more than a well-designed website: the site must comply with the federal law known as HIPAA.
The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, is legislation that establishes privacy and security requirements for individually identifiable health information. Its aim is to let covered entities conduct business electronically without exposing patients' private information. In 2013, the Department of Health and Human Services (HHS) published the HIPAA Omnibus Rule, which modified HIPAA by implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
HIPAA SECURITY RULE
The HIPAA Security Rule requires three categories of safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Covered entities must keep these safeguards in place over time, reviewing and updating them as their systems and risks change.
The three categories of safeguards, each covered below, are technical, physical, and administrative.
All three categories contain implementation specifications. HIPAA is unusual in that specifications are divided into “required” and “addressable.” Required specifications must be implemented as written. Addressable specifications are not optional: the covered entity must assess whether each one is a reasonable and appropriate safeguard in its environment and, if so, implement it. If it is not, the entity must document why and implement an equivalent alternative measure where reasonable and appropriate. That documentation must be retained for six years and made available to HHS on request; it is not filed with HHS in advance.
The Technical Safeguards of HIPAA are:
Access Control
Unique User Identification is required.
Assign each user a unique name and/or number for identifying and tracking user identity.
Emergency Access Procedure is required.
Establish and implement procedures for obtaining necessary ePHI during an emergency.
Automatic Logoff is addressable.
Implement electronic procedures that terminate a session after a predetermined period of inactivity.
Encryption and Decryption are addressable.
Implement a mechanism to encrypt and decrypt ePHI.
Audit Controls are required.
Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Mechanism to Authenticate ePHI is addressable.
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
Person or Entity Authentication is required.
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Transmission Security
Integrity Controls are addressable.
Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
Encryption is addressable.
Implement a mechanism to encrypt ePHI whenever deemed appropriate.
For more detailed information about Technical Safeguards: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
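The rule names safeguards but does not prescribe how to build them. As an added illustration (not code from the original page, not a Cloud Talk product, and not a compliance claim in itself), the following Python sketch shows one way a web application's backend could realize three of the technical safeguards above: automatic logoff through an inactivity timer, audit controls through a hash-chained access log, and a mechanism to authenticate ePHI through an HMAC tag on each stored record. The user and patient identifiers, the 15-minute timeout and the embedded key are assumptions for the example; a real deployment would take the timeout from policy and keep the key in a key management service. Encryption of ePHI is left out because it needs a library beyond the standard library.

```python
"""Constructed example of three HIPAA technical safeguards in a web backend:
automatic logoff, audit controls, and a mechanism to authenticate ePHI.
Standard library only; identifiers and policy values are hypothetical."""
import hashlib
import hmac
import json
import time

INACTIVITY_LIMIT_SECONDS = 15 * 60      # hypothetical policy value
INTEGRITY_KEY = b"example-key-not-for-production"  # hypothetical; use a KMS
GENESIS = "0" * 64                       # chain head before any audit entry


def canonical(obj) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Session:
    """One authenticated user's session; enforces automatic logoff."""

    def __init__(self, user_id: str, now: float):
        self.user_id = user_id           # unique user identification
        self.last_activity = now
        self.active = True

    def touch(self, now: float) -> bool:
        """Record activity. Returns False once the session has expired."""
        if not self.active:
            return False
        if now - self.last_activity > INACTIVITY_LIMIT_SECONDS:
            self.active = False          # automatic logoff on inactivity
            return False
        self.last_activity = now
        return True


def seal_record(record: dict) -> dict:
    """Attach an HMAC-SHA256 tag so unauthorized alteration is detectable."""
    tag = hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"body": record, "tag": tag}


def verify_record(sealed: dict) -> bool:
    """Mechanism to authenticate ePHI: recompute the tag and compare safely."""
    expected = hmac.new(INTEGRITY_KEY, canonical(sealed["body"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Append-only audit trail; each entry commits to the previous hash."""

    def __init__(self):
        self.entries = []                # list of (entry_dict, entry_hash)
        self.head = GENESIS

    def record(self, user_id: str, action: str, record_id: str, ts: float) -> str:
        entry = {"ts": ts, "user": user_id, "action": action,
                 "record": record_id, "prev": self.head}
        entry_hash = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append((entry, entry_hash))
        self.head = entry_hash
        return entry_hash

    def verify_chain(self) -> bool:
        """Detects edited, removed or reordered entries anywhere in the log."""
        prev = GENESIS
        for entry, stored_hash in self.entries:
            if entry["prev"] != prev:
                return False
            if hashlib.sha256(canonical(entry)).hexdigest() != stored_hash:
                return False
            prev = stored_hash
        return prev == self.head


def demo() -> dict:
    """Walk the three controls over constructed data; returns each outcome."""
    t0 = 1_700_000_000.0                 # fixed clock so results are stable
    log = AuditLog()
    session = Session("clin-0042", t0)   # hypothetical clinician ID
    chart = seal_record({"patient": "P-1001", "note": "BP 120/80"})
    log.record(session.user_id, "read", "P-1001", t0)

    still_active = session.touch(t0 + 60)
    logged_off = not session.touch(t0 + 60 + INACTIVITY_LIMIT_SECONDS + 1)

    intact = verify_record(chart)
    forged = dict(chart, body={"patient": "P-1001", "note": "BP 180/110"})
    tamper_detected = not verify_record(forged)

    chain_ok = log.verify_chain()
    log.entries[0][0]["user"] = "someone-else"   # simulate an edited log line
    log_tamper_detected = not log.verify_chain()

    return {"still_active": still_active, "logged_off": logged_off,
            "intact": intact, "tamper_detected": tamper_detected,
            "chain_ok": chain_ok, "log_tamper_detected": log_tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The HMAC only proves a record was last written by something holding the key, so the key must be kept out of the web tier that untrusted users can reach; the hash chain likewise only detects tampering, so the log head should be copied periodically to a system the application cannot write to.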
The Physical Safeguards of HIPAA are:
Facility Access Controls
Contingency Operations is addressable.
Establish (and implement as needed) procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Facility Security Plan is addressable.
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Access Control and Validation Procedures is addressable.
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Maintenance Records is addressable.
Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
Workstation Use is required.
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
Workstation Security is required.
Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
Device and Media Controls
Disposal is required.
Implement policies and procedures to address the final disposition of ePHI, and the hardware or electronic media on which it is stored.
Media Re-Use is required.
Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
Accountability is addressable.
Maintain a record of the movements of hardware and electronic media and of any person responsible therefor.
Data Backup and Storage is addressable.
Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
For more detailed information about Physical Safeguards: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
The Administrative Safeguards of HIPAA are:
Security Management Process
Risk Analysis is required.
Perform and document a risk analysis to identify and mitigate possible risks of unauthorized ePHI access.
Risk Management is required.
Implement sufficient measures to reduce risks to an appropriate level.
Sanction Policy is required.
Implement Sanction policies for employees who fail to comply.
Information Systems Activity Reviews is required.
All system activity (logs, audits, etc.) must be reviewed on a regular basis.
Assigned Security Responsibility is required.
Designate a security official responsible for developing and implementing the Security Rule policies and procedures. (The Privacy Rule separately requires a privacy official.)
Workforce Security – Authorization and Supervision, Clearance, and Termination Procedures are addressable.
Procedures to authorize and supervise workforce members who work with ePHI, to screen them before granting access, and to remove their access when employment ends.
Information Access Management
Isolating Health Care Clearinghouse Functions is required.
If a health care clearinghouse is part of a larger organization, its ePHI must be protected from unauthorized access by the rest of that organization.
Access Authorization, and Access Establishment and Modification, are addressable.
Policies and procedures for granting access to ePHI (for example, through a workstation, transaction, program, or process) and for establishing, documenting, reviewing, and modifying a user's right of access.
Security Reminders is addressable.
Update employees about policies regarding privacy and security.
Protection Against Malware is addressable.
Institute procedures for guarding against, detecting, and reporting malicious software.
Login Monitoring is addressable.
Ensure that logins are monitored and discrepancies are reported.
Password Management is addressable.
Create procedures for creating, changing, and protecting passwords.
Response and Reporting is required.
Identify and respond to suspected or known security incidents, mitigate their harmful effects, and document the incidents and their outcomes.
Data Backup Plan and Disaster Recovery Plan are required.
Maintain retrievable exact copies of ePHI and procedures to restore any loss of data.
Testing and Revision Procedures, and Applications and Data Criticality Analysis, are addressable.
Periodically test and revise the contingency plans, and assess the relative criticality of applications and data so that the most critical are protected and restored first.
Emergency Mode is required.
Establish and implement procedures for the continuation of critical business processes to protect the security of ePHI while operating in emergency mode.
Evaluation is required.
Perform periodic technical and nontechnical evaluations, initially and whenever environmental or operational changes affect the security of ePHI, to confirm that your policies and procedures still meet the Security Rule.
Business Associate Contracts is required.
Have written contracts (business associate agreements) with any partner that creates, receives, maintains, or transmits ePHI on your behalf, obligating the partner to safeguard it. Those partners must in turn have equivalent agreements with their own subcontractors.
For more detailed information about Administrative Safeguards:
HIPAA rules are periodically updated and reinterpreted in an effort to improve the overall system. HHS provides all available information on HIPAA here:
Let Cloud Talk help you through this daunting compliance effort when it comes to your website. We understand what needs to be done to keep you compliant and your patients' information safe.