BY Stephen Cavey | 11 August 2021
There has been a lot of buzz around The Health Insurance Portability and Accountability Act (HIPAA) recently, especially with the influx of health information relating to the COVID-19 pandemic. But what is it exactly? Passed by Congress in 1996, HIPAA is a federal law enacted to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. While this still holds true, a lot has changed over the past couple of decades.
Since its initial implementation, rules were added to HIPAA to ensure that patients’ protected health information (PHI) is truly secure: the Privacy Rule, to help cover the physical security of PHI, and the Security Rule, to safeguard electronic protected health information (ePHI). The HIPAA Privacy Rule explains what data needs to be protected and who should abide, whereas the Security Rule explains how to protect ePHI.
For the purpose of this blog, we are going to look at an important component of the Security Rule: technical safeguards. As the healthcare industry continues to advance technologically, ePHI is stored in an ever-growing number of places and has become much more complex to protect. As a result, these technical safeguards have become a critical component of mitigating growing security risks and ensuring that patient information remains protected.
So what exactly are technical safeguards? According to the HIPAA Security Rule, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” These can often be the most challenging regulations to understand and implement. It’s important to note that many of these specific safeguards are “addressable” within HIPAA, essentially meaning that they are non-negotiable parts of compliance but can be customized based on your organization’s size, technology, and the ePHI it collects. Let’s dive into these further.
Access controls restrict who can reach ePHI and consist of two required aspects: assigning a unique identifier to every employee so that their activity in the system can be tracked, and setting up specific procedures for retrieving ePHI in the event of an emergency. The specific mechanisms used to encrypt and decrypt data, and to control how users log on to and log off from these systems, are addressable and can be customized to the organization.
Audit controls apply to entities whose systems record and track activity involving ePHI: the hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. To remain in compliance, these entities need to document and communicate their audit control procedures and protocols. In addition, employees need to understand how often audits will take place and how the results will be analyzed, so that this data is handled properly.
The third safeguard, integrity controls, ensures that ePHI and other sensitive health information is not destroyed or altered. Any change to ePHI has the potential to significantly affect patient care. Integrity controls are a critical component of the policies and procedures that protect ePHI from threats, whether they stem from human or electronic error.
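The three safeguards described so far (unique user identifiers with an emergency-access path, an audit trail of every attempt, and an integrity check that detects altered records) can be seen working together in a small program. The Go code below is an added example written for this post; it is not Ground Labs' code and not part of Enterprise Recon. The user IDs ("dr.lee", "intern"), the record ID ("pt-1001"), the integrity key and the audit-entry layout are constructed for the demonstration, and HMAC-SHA256 is the author's choice of integrity mechanism, since the rule itself does not prescribe one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

var (
	ErrDenied   = errors.New("access denied")
	ErrNotFound = errors.New("record not found")
	ErrTampered = errors.New("integrity check failed: record altered")
)

// AuditEvent is one audit-trail entry: who touched which record, when, what they
// attempted, whether it was allowed, and whether emergency access was invoked.
type AuditEvent struct {
	When               time.Time
	UserID, RecordID   string // UserID is the unique user identifier (constructed format)
	Action             string
	Allowed, Emergency bool
}

// Record is a stored ePHI record plus its integrity tag (HMAC-SHA256 over id || 0x00 || Body).
type Record struct{ Body, Tag []byte }

// Store holds ePHI records, the set of authorized user IDs and the audit trail.
type Store struct {
	integrityKey []byte
	authorized   map[string]bool
	records      map[string]*Record
	Audit        []AuditEvent
}

func NewStore(integrityKey []byte, users []string) *Store {
	s := &Store{integrityKey: integrityKey, authorized: map[string]bool{}, records: map[string]*Record{}}
	for _, u := range users {
		s.authorized[u] = true
	}
	return s
}

func (s *Store) tag(id string, body []byte) []byte {
	m := hmac.New(sha256.New, s.integrityKey)
	m.Write([]byte(id))
	m.Write([]byte{0}) // separator keeps the (id, body) boundary unambiguous
	m.Write(body)
	return m.Sum(nil)
}

// authorize applies the access-control rules and records the decision. A request
// without a unique user ID is always refused; an emergency request is allowed but
// flagged so that audit review can examine it afterwards.
func (s *Store) authorize(userID, id, action string, emergency bool) bool {
	allowed := userID != "" && (s.authorized[userID] || emergency)
	s.Audit = append(s.Audit, AuditEvent{time.Now().UTC(), userID, id, action, allowed, emergency})
	return allowed
}

func (s *Store) Put(userID, id string, body []byte) error {
	if !s.authorize(userID, id, "write", false) {
		return ErrDenied
	}
	s.records[id] = &Record{Body: append([]byte(nil), body...), Tag: s.tag(id, body)}
	return nil
}

func (s *Store) Get(userID, id string, emergency bool) ([]byte, error) {
	if !s.authorize(userID, id, "read", emergency) {
		return nil, ErrDenied
	}
	rec, ok := s.records[id]
	if !ok {
		return nil, ErrNotFound
	}
	if !hmac.Equal(rec.Tag, s.tag(id, rec.Body)) { // integrity control, constant-time compare
		return nil, ErrTampered
	}
	return rec.Body, nil
}

func main() {
	s := NewStore([]byte("constructed-integrity-key"), []string{"dr.lee"})
	_ = s.Put("dr.lee", "pt-1001", []byte("blood type A+"))
	_, err := s.Get("intern", "pt-1001", false)
	fmt.Println("intern read:", err)
	s.records["pt-1001"].Body[0] = 'X' // simulate alteration of the stored record
	_, err = s.Get("dr.lee", "pt-1001", false)
	fmt.Println("after tampering:", err)
	for _, e := range s.Audit {
		fmt.Printf("%+v\n", e)
	}
}
```

Two design points are worth noting. Every decision, including denials and emergency reads, lands in the audit trail before any data is returned, which is what makes the later audit review meaningful. And the integrity tag is keyed: a plain hash would let anyone who can modify the record also recompute the hash, whereas an HMAC with a key the storage layer does not expose turns silent alteration into a detectable event.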
The final safeguard, transmission security, protects ePHI from unauthorized access while it is transmitted electronically, something far more common today than ever before. By following transmission security best practices and precautions, organizations can prevent ePHI from being compromised when it is shared electronically. In fact, the HIPAA Security Rule permits ePHI to be sent over electronic networks as long as its integrity is protected and it is properly encrypted.
While understanding these safeguards is a critical and mandatory part of HIPAA compliance, many organizations still struggle to implement them. Ultimately, effective use of these safeguards relies on a holistic understanding of where ePHI and other sensitive health information lives within the organization. Today, this information is gathered and stored at unprecedented volumes, and it is increasingly difficult to keep track of all of it manually.
Luckily, data discovery solutions can automate this process and ensure that all data is accounted for while these technical safeguards are implemented. Ground Labs Enterprise Recon is an enterprise-class solution that finds over 300 types of data, including insurance information, health care IDs, and other medical data.
If you’re ready to consult with a data privacy expert and meet HIPAA compliance, schedule a demo or contact us today.