The Health Insurance Portability and Accountability Act (HIPAA) was established in the U.S. in 1996 to protect an individual's personal health care information. Healthcare institutions are required to meet all standards and comply with the appropriate security measures in order to safeguard
Under HIPAA, several things must be protected including any patient healthcare information that is written, spoken or electronic. Electronic data can be faxed, printed, copied or emailed and includes lab reports, insurance claims, consent forms and patient records.
Safeguarding patient data is a key concern among healthcare Chief Information Officers all over the world, as healthcare is a target of most information attacks.
If a healthcare organisation hosts data with a HIPAA compliant provider, there must be certain administrative, physical and technical safeguards in place that are required by the U.S. Department of Health and Human Services (HHS).
Physical safeguards include limited facility access with required authorised access. All covered entities must have usage and access policies regarding workstations and electronic media. Part of this safeguarding effort requires standards for transferring, removing, disposing, and reusing electronic media and protected health information.
Technical safeguards of HIPAA compliance require restrictions on access to protected health data. In other words, authorisation is required to access the health record. This form of protection includes the use of user IDs, emergency access procedures, automatic log off and encryption and decryption of data.
Also, on the technical side of HIPAA compliance, tracking logs must be implemented to keep a record of activity of hardware and software. This practise helps to identify the source or cause of any security violations with greater ease.
Policies should also be put into place to ensure that personal health data is not altered or destroyed. Disaster recovery and offsite backups are necessary to ensure that any electronic media errors or failures can be resolved quickly, and that patient health information can also be accurately recovered. Failure to comply with these guidelines and requirements could lead to significant fines and other legal action from the Federal government. Ensuring compliance can prove to be a tremendous challenge.
HIPAA Compliance Checklist
- Determine annual audits/assessments that are required for your healthcare organisation. Perform an organisation wide assessment and evaluate your security against HIPAA requirements. Review the US Department of Health and Human Services office for civil rights audit protocol.
- Launch an internal HIPAA compliance audit and assessment. Document the results of this work in case you need it to support an outside audit by the government. Consider using a third-party compliance organisation to conduct the audit alongside your organisation.
- Document all aspects of building and implementing your compliance programme.
- Appoint a security and compliance team in your organisation and designate a HIPAA Compliance Officer.
- Calendar annual HIPAA training for all employees and contractors. Make sure that your staff understands everything that is required from them for your organisation to remain HIPAA compliant. Make sure that all people involved understand the civil and criminal penalties for noncompliance.
- Document all employee training activities including attestations that employees attended such training and understood the materials. This may be needed in the case of an outside audit.
- Put a process in place that is understood by all employees to report breaches. Make sure that all employees are aware of what constitutes a HIPAA breach. A system should be put in place to track security incidents and report on all breaches.
- Establish an annual review that assesses compliance activities against the latest HIPAA rules.
- Continuously assess and manage risk by building a risk management programme and integrate continuous monitoring.