What Is HIPAA Compliance?
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard in the United States for protecting sensitive patient data. Any organization that handles protected health information (PHI) must ensure that the required safeguards are in place. A useful way to think of HIPAA is as the health-information counterpart to PCI compliance: the data being protected is patient information rather than cardholder data. HIPAA compliance means that organizations handling PHI follow the required security practices and procedures.
HIPAA vs PCI Compliance
PCI compliance requirements are largely technical at their core, and a requirement may spell out specific implementation details: for example, that a given service port must not be reachable from the public internet. HIPAA is more general. Rather than prescribing how specific infrastructure must be secured, the HIPAA rules focus on the big picture. Most HIPAA requirements relate to risk assessment, security policies and procedures, workforce training, and incident response.
The Key to HIPAA Compliance
With everything we’ve covered in mind, you should know that there is no single, complete guide to mastering HIPAA compliance. Many of the requirements are what most practitioners consider common sense for good security. This article is a primer; every business must assess its own compliance case by case, and every organization should have that compliance reviewed by an independent party. In the context of hosting, HIPAA has three main components:
- The Privacy Rule – Covers the permitted uses and disclosures of PHI. It applies to PHI in any form (spoken, on paper or electronic), so it is about more than data security.
- The Security Rule – Covers the safeguards required for electronic PHI (ePHI).
- The Breach Notification Rule – Covers your responsibilities when PHI is compromised by a security or privacy breach.
All three matter for HIPAA compliant hosting, but the Security Rule is the most relevant. Think of it as the technical counterpart of the Privacy Rule: it complements the Privacy Rule’s requirements by specifying safeguards for ePHI. The Security Rule lays out three categories of safeguards required for compliance: administrative, physical and technical. For each category the Rule defines security standards with implementation specifications, each of which is marked either required or addressable. Required specifications must be implemented as written. Addressable specifications are not optional: the organization must assess whether the specification is reasonable and appropriate for its environment and, if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate.

The last rule to highlight is the Breach Notification Rule. It was introduced by the HITECH Act, which was enacted as part of the 2009 Recovery Act, and it defines the disclosure obligations of a HIPAA regulated organization whose systems holding PHI are compromised. In general, an organization must notify affected individuals, and the Department of Health and Human Services, of any breach of unsecured PHI, meaning PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons (for example by encryption that follows HHS guidance). The exception is an organization that can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. That risk assessment must consider at least the following:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Vigilance, Procedures, and Consistency
Operating a HIPAA compliant organization takes sustained effort: establishing compliance in the first place, keeping systems patched and configured to maintain it, training the workforce, and more. Successful compliance starts with getting educated and staying vigilant. Organizations must also designate, or hire, the required Privacy Officer and Security Officer and make sure the procedures they own are actually implemented. Just as important, make sure that every member of the organization follows those procedures consistently; in most cases the compliance obligations apply to all of your organization’s workforce, not only to IT staff.
The Path to HIPAA Compliance
Now, with a little more familiarity with HIPAA compliance, you can better understand how it affects your organization. If you handle electronic Protected Health Information at all, it is very likely that you must use HIPAA compliant hosting. Keep in mind that a hosting provider that stores or processes your ePHI is a business associate under HIPAA, and you must have a signed Business Associate Agreement (BAA) with it before it handles that data.