Data Security Requirements Under HIPAA

In order to adhere with the HIPAA data security requirements, healthcare groups should be completely aware of the HIPAA Security Rule. The HIPAA Security Rule contains the administrative, physical and technical security measures that state the mechanisms and processes that have to be established to ensure the integrity of Protected Health Information (PHI).

  • The Administrative Safeguards mainly concern the obligation to conduct ongoing risk assessments in order to identify potential flaws and risks to the integrity of PHI.
  • The Physical Safeguards focus on the measures that should be set up to stop unauthorized access to PHI, and to protect data from fire and other environmental dangers.
  • The Technical Safeguards refer to the controls that have to be put in place to ensure data security when PHI is being sent on an electronic network.

Why the Administrative Safeguards are Crucial

When reviewing the HIPAA data security requirements, it is essential not to overlook the administrative safeguards. The administrative safeguards have a vital role to play in ensuring the integrity of PHI, as they set up the security management process and control the management of information access.

Managing information access is a chief part of the HIPAA data security requirements. The proper management of who, when and how PHI can be obtained – and how access is monitored – is important to the accurate completion of risk assessments. With no accurate risk assessments, there may be data breaches taking place that are not identified and a healthcare group could be exposed to sanctions.

The administrative safeguards are very relevant in an environment that promotes BYOD policies. If medical staff are permitted to use personal mobile devices to support their workflows, there has to be a suitable policy in place to advise the medical workers about proper use and best practices in order to reduce the risk of a breach of PHI to the minimum possible.

The Physical Security Measures Apply to Mobile Devices Also

The physical HIPAA data security requirements are often thought to refer to the physical locations in which computer hardware is managed. Although the physical safeguards do concern monitoring access to locations in which computer equipment is stored and the validation of personnel entering these locations, they also apply to PHI accessed by and stored on mobile devices.

At a time when the use of personal mobile devices is rising in medical facilities (87% of doctors use a Smartphone at work to support their workflow according to a Manhattan Research/Physician Channel Adoption study), the physical HIPAA data security requirements state that any device used to access PHI must an automatic log-off facility so PHI cannot be accessed by unauthorized personnel when a workstation or mobile device is left unmonitored.

Mobile devices (and USB flash drives) should also be reviewed when developing and implementing policies about the transfer, deletion, and disposal of PHI. Specific measures must be implemented to ensure that PHI can be deleted remotely should it occur that a personal mobile device or USB drive is lost, stolen or otherwise disposed of.

Additional Controls within the Technical Safeguards

The technical HIPAA data security requirements include three sets of “controls” – access controls, audit controls and integrity controls. The first two sets of controls state how personnel accessing PHI should authenticate their identity, while the integrity controls give instructions of how PHI at rest should be stored to ensure it is not improperly altered or erased.

Also within the technical safeguards are the requirements relating to PHI in transit – i.e. PHI being sent from one medical professional to another. These requirements state that healthcare groups must implement measures that protect against the interception of messages or third party retrieval of messages that are sent over an electronic network.

This means that healthcare groups have a responsibility to ensure that all emails and SMS messages including PHI – or that have attachments containing PHI – are secure and accountable. This is a difficult requirement to meet when copies of messages remain indefinitely on service providers´ servers. The other options would appear to be either to encrypt every email and SMS, or instruct medical workers never to send PHI in an electronic communication.

Secure Messaging Settles Potential Security Rule Issues

The logistics of encrypting all emails and every SMS would be a huge problem. Finding an encryption solution that works across different operating systems and different devices – and adheres with the other HIPAA data security requirements – would establish a major headache for IT departments, and the potential for breaches of PHI may still exist.

This is why many healthcare groups have put in place secure messaging solutions. Secure messaging solutions are conducted using messaging apps that can be installed onto desktop computers and personal mobile devices irrespective of the operating system. They help compliance with the HIPAA Security Rule by encrypting and encapsulating all communications containing PHI within a healthcare group’s private communications network.

Security measures are set up to prevent the accidental or malicious disclosure of PHI; and message lifespans can be set so that communications are automatically erased from a user’s app after a predetermined period of time. ID authenticating systems, automatic archiving and forced log offs also enable healthcare bodies to comply with the HIPAA data security requirements.

The Advantages of Secure Messaging in a Healthcare Environment

Along with helping healthcare groups comply with the HIPAA data security requirements, secure messaging has a number of advantages in a healthcare environment. Secure messaging increases message accountability and minimizes phone tag, freeing up more time for medical professionals to attend to their patients and increase patient satisfaction.

As test results, wound pictures and CT scans can be included in secure messages, doctors are quickly able to access key data regarding their patients with secure messaging, while nurses (67% of whom use Smartphones at work according to an American Nurse Today study) can securely request physician consults or heighten patient concerns.

Multi-party conversations can speed up hospital admissions and patient discharges, while – when integrated into an EMR – secure messaging solutions have been able to reduce patient safety problems by 27 percent and medication errors by 30% (2015 study carried out by the Tepper School of Business at the Carnegie Mellon University on hospitals in Pennsylvania).

Stop Employees Undermining the HIPAA Data Security Obligations

Not every one of the Security Rule refers directly to the HIPAA data security requirements. There are some areas of the security measures that relate to the development of best-practice policies. It is just as important to be aware of these areas of the Security Rule in order to create policies that will stop an employee from undermining the efforts made to comply with the HIPAA data security obligations.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.