Implemented in 1996, the Health Insurance Portability and Accountability Act (HIPAA) ensures that all healthcare information is kept and transmitted securely. If you’re an organization in the healthcare industry, chances are you guys are dealing with Electronic Protected Health Information (ePHI) files. These files are the core of becoming HIPAA compliant–as the law mandates ePHI to be securely saved, transferred, and received without any tampering. Failure to comply with HIPAA can result in fines, legal problems, and worst of all the closure of your business. Fines can range from a minimum of $100 (For not knowingly violating the HIPAA) to a minimum of $50,000 (For knowingly violating the HIPAA) per case.
Speaking from the IT-side of things, there are 5 points that your organization should have in regards to becoming HIPAA compliant:
- Access Control
- Audit Controls
- Transmission Security
We shall now discuss how you and your IT team will tackle the needed implementation of each of the 5 HIPAA compliance points.
1. Access Control
User Accounts or Identification
All personnel with access to the ePHI files must be given a user account that is uniquely their own. This allows us to log and identify who accessed what and when.
Access to electronic data in an emergency
All ePHI files need to be accessible in case of a disaster or an emergency. For instance, when power or internet goes out due to unforeseen circumstances. There are two things we recommend for this:
- Battery Backups or UPS (Uninterruptible Power Supply): These are battery banks that allow your machines to be powered for a short period of time when power runs out. Should hopefully be enough until a backup generator or the actual power grid comes online.
- Fail-over-internet: A system in which two or more internet providers are used. If the ‘primary’ provider goes down, this system will automatically turn over to whichever line is still running.
Accounts/Users need to be booted off access if they are inactive for a set amount of time. Some quick ways to do this:
- A time based lock screen or screensaver
- Creating timed access in Active Directory
- Implementing this via Group Policy
All ePHI files must be encrypted while in storage to prevent unauthorized access and tampering. Some encryption methods we suggest:
- Mac machines already have encryption built-in from the get go. It’s called File Vault and your team just needs to enable the feature to run.
- Windows “Bitlocker”: These are built-in volume-wide encryption available on Win 7 (Ultimate and Enterprise), Win 8 (Pro and Enterprise), and Win 10 (Home and above). There are no additional fees for this feature.
When using Bitlocker, it is recommended that the system has a Trusted Platform Module (TPM) installed in the motherboard. The TPM is a dedicated piece of hardware that handles encryption separately from the rest of the machine. Since it is isolated from the normal Operating System, trying to break Bitlocker encryption is nearly impossible.
Machines without a built-in TPM can still have Bitlocker encryption. A removable USB drive may be used as a viable replacement.
2. Audit Control
There needs to be a system in place that allows the organization to record and monitor activity on databases containing the ePHI. In this case, most Medical/Healthcare class database programs will already have this feature–please contact their support team to confirm.
The HIPAA states that all ePHI must not be tampered/altered without proper authorization. Luckily, the encryption and other security features implemented in point #1 (Access Control) covers this section of the compliance list. Medical database software will also have features that log changes and deletions of ePHI.
The ePHI sharing and storing system must be able to verify if a person or group have the right to access an ePHI they are seeking. For instance, medical records must be available for doctors, nurses, and other medical professionals but should not be accessible by non-medical personnel. Here’s how we suggest tackling this issue:
- Using the unique user logins from point #1, Active Directory can bestow access to certain folders and files to a certain group of users.
- File Share Permissions can also be customized in the main server or NAS (Network Attached Storage) that are storing the files.
- Some database keeping programs also contain an authentication feature. Contact your provider and see if they support this.
5. Transmission Security
Lastly, the system in place must have security measures in place to make sure that ePHI that are sent electronically are not modified in any way and arrives to the seeker intact and unaltered. Files being sent over the internet–this is in a worst-case scenario–could be intercepted, altered, and finally sent to its original destination. Us here at Techonsite recommend the following measures to combat this:
- Transmit files through a Virtual Private Network (VPN). One can think of this as sending files as if you’re in your office, protecting the files being sent from the prying eyes of the public internet.
- “BOX For Healthcare” is a good tool to use as it transmits all ePHI securely and can also be shared to other colleagues and patients.
- “Fast Attach” is another great program to use. It usually is used by dental clinics and can transmit confidential data just as well as BOX.
- If all else fails and your files have been intercepted during the transfer process, the tools mentioned above will encrypt all sent data. To hackers, the files they just intercepted are useless as they won’t be able to open them.
Ultimately, HIPAA compliance can be achieved easily with well thought out implementation and execution. Again, failing to meet HIPAA compliance can lead to pretty serious consequences–but with due diligence you can keep your client’s data safe and your company open for business! Make sure to take each of the 5 points a step at a time with your IT team and you and your company will be HIPAA compliant in no time.