By Bahar Sharifan
Many of those working in healthcare are all too familiar with the HIPAA requirements. However, more and more companies in other industries are seeing the HIPAA requirements as a framework to structure internal functions or analyze their own privacy and security policies and needs as they relate to IT and data security.
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, establishes national standards for electronic healthcare records, transactions and security. Its goal is to protect health information properly while still allowing the flow of information required to provide a high level of care. A few of the most commonly discussed HIPAA rules are the Privacy Rule, the Security Rule and the Enforcement Rule.
• The Privacy Rule requires all covered entities (health plans, healthcare clearinghouses and healthcare providers) to follow the national standards on individually identifiable health information transmitted electronically. The Privacy Rule also grants individuals an enforceable right to request and obtain copies of their health records held by providers. The Privacy Rule builds data dissemination around “minimum necessary” use and disclosure, requiring a covered entity to make reasonable efforts to use, disclose and request only the minimum amount of protected information necessary for the purpose at hand.
• The Security Rule outlines protections for the availability, confidentiality and integrity of electronically transmitted or stored health information. The Security Rule is designed to ensure the integrity and confidentiality of protected health information and requires proactive steps to guard against reasonably anticipated threats and impermissible uses or disclosures of that information.
• The Enforcement Rule governs the standards for the enforcement of the HIPAA rules.
Why do we need HIPAA?
Prior to HIPAA, no nationally accepted standards were required for the security and protection of health information, in spite of the growing reliance on electronic health records. As a result, the Department of Health and Human Services (HHS) implemented HIPAA and has continued to evolve it in order to create a standard policy that can adapt to changing technologies. More and more providers are using tablets and laptops from check-in through the visit. Each stage presents an opportunity for a data breach: the device itself can be stolen, data can be intercepted in transmission from the tablet to the data warehouse or cloud, and stored data can be compromised. While anyone operating a device or network should be considering their security and protection measures, health information is of greater interest to attackers and has potentially more damaging implications, which makes it a bigger target.
What information is protected? The Privacy Rule defines this as all individually identifiable health information. This is information received or created by a covered entity that:
1. Relates to the past, present or future mental or physical health or condition of an individual; the provision of health care to that individual; or payment for such health care; and
2. Identifies the individual, or provides a reasonable basis to believe it could be used to identify the individual.
How is information protected? The Security Rule requires covered entities to make a reasonable, proactive effort to create a secure environment, to anticipate threats and impermissible uses or disclosures of protected information, and to ensure compliance in the workplace. Under the Security Rule, a covered entity must protect the integrity and availability of protected data — “integrity” meaning the information is not altered or destroyed in an unauthorized manner, and “availability” meaning it remains accessible to authorized individuals when needed.
The Security Rule requires covered entities to perform a risk analysis of their systems. This analysis is not limited to, but should contain, the following:
• an evaluation of the likelihood of potential risks to the protected information and the impact of each such risk;
• implementation of security measures to address the risks uncovered in the evaluation;
• documentation of the results of the analysis and the measures taken; and
• a commitment to “maintain continuous, reasonable and appropriate security protections.”
While the Security Rule does not specify which measures are to be taken, it does require the covered entity to consider its size and complexity; its technical, hardware and software infrastructure; the costs of available security measures; and the likelihood and possible impact of risks to protected information.
Every company has some sort of sensitive information, and a proactive approach cannot be overlooked or replaced by a reactive one. A proactive security policy is central to HIPAA because of the incredibly sensitive information held in health records. When companies decide to measure their own internal standards against HIPAA, much of the focus falls on the requirements of the Security Rule. Frequent readers of my column will recognize the almost painfully repetitive theme of the necessity of proactive IT monitoring.
This is exactly what the Security Rule in HIPAA requires. It may not be necessary for your own business to go to the full extent HIPAA demands. But taking your IT practices to the other end of the spectrum, where you react only when there is a problem instead of keeping a proactive, continuous watch on your systems, is likely to lead to some sort of loss. More likely than not, reactive maintenance will cost significantly more than being proactive from the start — and after factoring in reputational damage, customer data loss, insurance premiums, etc., the amounts far exceed what a healthy, proactive IT plan would cost.
HIPAA requirements carry a level of complexity and importance that should be discussed with your legal professional and industry leaders. This article merely serves to create a general understanding of the issue.
While many of HIPAA’s specific requirements exist because of the sensitivity of healthcare information, it is worth using the framework as a guideline for all industries. Many HIPAA elements will not apply, but an increased emphasis on data security, access rules, and requirements for business associates (and employees) who touch sensitive information are all beneficial areas to strengthen in any industry. Most, if not all, companies hold some level of sensitive information. Do not avoid taking the proper precautionary measures merely because your data may not be the most sensitive. While you cannot prevent every unauthorized access attempt, taking the necessary steps to minimize the chance of information falling into the wrong hands is key. Know your employees. Know your contractors. (Background and credit checks can be great tools — check with your attorney for any legal hurdles.) Know your network and environment. Know what data you must protect. Know how you are or aren’t protecting this data. Know the negative outcomes if there is a data breach. You are only as strong as your weakest link. Know the weakest link and strengthen it — then reanalyze and repeat. Review your options and make an informed decision to help your business, and its reputation, succeed in the long term.
Bahar Sharifan is president of Wasatch I.T., one of Utah’s largest providers of outsourced IT services for small and medium-sized businesses.