All you need to know about HIPAA compliance

In an era where healthcare records are increasingly maintained online and in the cloud, compliance with the Health Insurance Portability and Accountability Act (HIPAA) is more important than ever to keep patient information from being exposed.

Working in healthcare often requires handling a great deal of protected health information (PHI), and if you work with sensitive data, following the established HIPAA guidelines in an ever-evolving world will ensure appropriate and consistent security, accessibility, and confidentiality. It’s important to know what your company needs to do in order to comply with federal regulations for protecting patient information.

The U.S. Department of Health & Human Services established the HIPAA Rules in order to ensure that PHI remains confidential and is disclosed only as needed for patient care. These rules also critically arm the patient with rights to his or her own personal information and provide safeguards for health care providers and other covered entities.

What protected health information (PHI) is subject to HIPAA compliance rules?

HHS refers to any “individually identifiable health information” as protected health information. This includes any information about a patient’s past, present, and future physical or mental health or condition; any health care provided to the patient; past, present, or future payment to the patient for health care provision; and identifying personal details, including demographic information. So, HIPAA casts a wide net in limiting and restricting the use or disclosure of sensitive info.

Who should be mindful of HIPAA regulations?

First, the usual suspects in healthcare should be on high alert when it comes to HIPAA. By usual suspects, we mean any individuals, organizations, and agencies defined as a “covered entity.” Covered entities are required to comply with HIPAA to protect the privacy and security of health information, and they include health care providers, health plans, and health care clearinghouses. More specifically:

  • Health care providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, but only if they transmit information electronically in connection with transactions for which HHS has adopted a standard.
  • Health plans include health insurance companies, HMOs, company health plans, and government programs like Medicare, Medicaid, or military and veterans programs that pay for health care.
  • Health care clearinghouses are public or private entities that process health information, such as billing services, repricing companies, or community health management information systems.

The Centers for Medicare and Medicaid Services provides convenient charts to determine whether you are considered a covered entity.

Recently, the Department of Health and Human Services announced that it would require HIPAA compliance for any covered entities’ business associates who create, receive, transmit, or maintain PHI. The change acknowledges that it’s no longer just doctors who deal with private information; for example, attorneys, accountants, or tech companies who provide data storage can be considered business associates. This means that even smaller organizations might be audited for HIPAA compliance, reinforcing the need for airtight security all around.

What does HIPAA compliance accomplish?

HIPAA compliance ensures sensitive information is appropriately protected. Covered entities are, after all, entrusted with details that should never fall into the wrong hands. Yet health care providers and other entities must still be able to share information with the patients themselves and other authorized parties. These workflows might be essential for doing business and providing care, but they also introduce new weak points, which is why the regulations were designed.

HIPAA rules put a system of checks on covered entities’ practices and allow patients to control how their personal information is used. HIPAA compliance also ensures that only properly authorized users are accessing protected information, thereby diminishing the likelihood of security breaches and subsequent, potentially malicious exploitation of personal details.

What’s at stake with HIPAA compliance?

There are all kinds of HIPAA compliance violations, ranging from exposing unencrypted data to unintentional employee error to lax agreements with business associates to unreported security breaches. Violating HIPAA can cost a covered entity up to $50,000 per violation.

What’s more, violations can cause irreparable damage to your business. If you work in healthcare, trust is often your most important asset. And with state-specific breach notifications—and a new national standard potentially on the way—you’re required to let people know if a breach involves the PHI of 500 people or more. You also might find yourself unflatteringly reflected on HHS’ so-called Wall of Shame, where it publishes information about entities and business associates whose management of PHI has been found deficient.

But often these violations can be prevented—or easily resolved—with the implementation of something as simple as PINs or password changes. It’s worth it to familiarize yourself with the HIPAA requirements and appraise your company often—especially in the wake of any major changes.

How do I know if my company is complying with HIPAA?

The HIPAA regulations consist of various standards, safeguards, and implementation specifications a covered entity must meet in order to be fully compliant. Because HIPAA takes many aspects of the work environment into consideration, the full extent of HIPAA compliance is rather complex, especially when it comes to security measures.

We’ve put together a checklist to get you on the right track, but you should have a privacy officer vet the entire set of administrative rules and standards to help you determine what steps are right for you to take.

How can I ensure HIPAA compliance in the cloud?

Cloud-based storage has become par for the course for many health care organizations, and there’s no surprise that it’s an appealing solution providing space, mobility, and ease for health care professionals in the office and on the move. As care organizations come under increasing pressure to deliver quality care under tighter timelines, efficiency is essential—and that’s where the cloud can be most effective.

In some ways, the cloud makes complying with HIPAA easier; for instance, PHI can be easily accessed in the event of an emergency and authorized access can be clearly designated. On the other hand, storing PHI in the cloud comes with its own set of problems, including accidental sharing of data with unauthorized users or theft of unencrypted devices.

As of 2013, however, cloud service providers are considered “business associates” in HIPAA parlance, meaning that any company providing cloud storage for a HIPAA-compliant organization must itself be HIPAA compliant. That’s a good start in mitigating your own risk, suggesting that security for your PHI will remain tight even outside the physical confines of your office.

Solutions like Sookasa take things a step—or several—further. By encrypting sensitive files before they ever reach the cloud, Sookasa ensures that PHI remains protected wherever it resides, from the cloud to your mobile devices. What’s more, Sookasa separates the data—which Dropbox handles—from the keys—which Sookasa manages—implementing sound data security hygiene. So even if Dropbox were breached, your encrypted PHI would be unreadable to malicious actors seeking to profit from the potential trove of data. And with Sookasa’s web-based centralized dashboard, administrators have unprecedented control over files, users, and devices for their whole organization, an essential component of guaranteeing not only HIPAA compliance, but real security. Sookasa ensures that only those who should see the files do, putting your workforce—and your patients—at ease.
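The pattern described above, client-side encryption with the keys held by a separate service from the one that stores the ciphertext, is easy to see in a small model. The following is an added example written for this page; it is not Sookasa's or Dropbox's code and makes no claim about how either product is built. `CloudStore` stands in for the storage provider and `KeyService` for the key manager, both hypothetical; the patient record is constructed sample data. It uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a stand-in for an AEAD such as AES-GCM from a vetted library, which is what a real deployment should use. The point it demonstrates is that a dump of the storage side alone exposes no PHI, a user missing from the access list cannot obtain a key, and a modified blob is rejected rather than decrypted.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example: client-side encryption with key/data separation.
# Stdlib-only stand-in cipher; use AES-GCM (e.g. the cryptography package) in practice.


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a sub-key from the per-file master key with a domain-separation label."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Only this blob ever leaves the client."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce = secrets.token_bytes(16)  # fresh per encryption, so the keystream never repeats
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_blob(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob altered or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


@dataclass
class CloudStore:
    """Hypothetical storage provider: holds ciphertext blobs and nothing else."""
    blobs: dict = field(default_factory=dict)


@dataclass
class KeyService:
    """Hypothetical key manager: holds per-file keys and an access list, never the data."""
    keys: dict = field(default_factory=dict)
    acl: dict = field(default_factory=dict)  # file_id -> set of authorised user names

    def key_for(self, user: str, file_id: str) -> bytes:
        if user not in self.acl.get(file_id, set()):
            raise PermissionError(f"{user} is not authorised for {file_id}")
        return self.keys[file_id]


def upload(cloud: CloudStore, keysvc: KeyService, owner: str, file_id: str, plaintext: bytes) -> None:
    """Encrypt on the client, park the key with the key service, send only ciphertext to storage."""
    key = secrets.token_bytes(32)
    keysvc.keys[file_id] = key
    keysvc.acl[file_id] = {owner}
    cloud.blobs[file_id] = encrypt_blob(key, plaintext)


def download(cloud: CloudStore, keysvc: KeyService, user: str, file_id: str) -> bytes:
    """Fetching the blob is not enough; the key service enforces who may decrypt it."""
    blob = cloud.blobs[file_id]
    key = keysvc.key_for(user, file_id)
    return decrypt_blob(key, blob)


def storage_dump_contains(cloud: CloudStore, needle: bytes) -> bool:
    """What a breach of the storage side alone would reveal: search every blob for plaintext."""
    return any(needle in blob for blob in cloud.blobs.values())


if __name__ == "__main__":
    cloud, keysvc = CloudStore(), KeyService()
    record = b"Patient: Jane Doe, DOB 1980-01-01, Dx: hypertension"  # constructed sample PHI
    upload(cloud, keysvc, "dr_smith", "chart-001", record)
    print("owner reads back:", download(cloud, keysvc, "dr_smith", "chart-001") == record)
    print("storage dump leaks name:", storage_dump_contains(cloud, b"Jane Doe"))
```

Run it as a script to see the owner decrypt successfully while the storage dump search comes up empty. The design choice worth noting is that `download` cannot skip `KeyService.key_for`: possession of the blob alone yields nothing, which is exactly the property that makes a storage-provider breach survivable.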