Security Officers in the healthcare sector with a responsibility for electronic records and HIPAA compliance have lots to stay up to date with. In most of healthcare-related organizations across the country, thousands of electronic health records (ePHI) are being created every day before being used, transmitted and saved.
Ensuring the integrity of ePHI is a key element of compliance with HITECH and the HIPAA Security Rule; yet, when you look at the larger picture, the scale of the requirement is daunting. Not only does ePHI created and used within a group have to be safeguarded, but also ePHI transmitted outside of an organization´s network, and ePHI saved in the cloud.
Start by Completing a Risk Analysis
One of the main issues with electronic records and HIPAA compliance is that the technical, physical and administrative security measures of the HIPAA Security Rule were published three years before Amazon’s cloud-based web services were made available, and four years before the first Apple iPhone was put on the market. At the time, mHealth apps such as Fitbit were still many years away.
Therefore, in order to spot issues relating to electronic records and HIPAA compliance in a modern healthcare environment, Security Officers must conduct an accurate assessment of potential risks and flaws. The manner of risks typically falls into three categories:
- Unauthorized sharing, modification of deletion of ePHI (both malicious and accidental).
- IT down time due to man-made or natural disasters.
- Business Associates and the failure to complete proper due diligence.
Each category has a huge scope for possible breaches of ePHI and covering everything related to electronic records and HIPAA compliance is a huge job. Some Covered Entities have inventoried and reviewed the use and disclosure of all PHI (not just ePHI) as part of their attempts to adhere with the HIPAA Privacy Rule, and this level of data can be invaluable for risk analysis.
Review Your Current Security Efforts
Once the dangers have been identified and documented, the next step is to assess the group’s current security measures. Both technical and non-technical security measures have to be reviewed in order to determine whether the security measures made necessary by the HIPAA Security Rule are already in place and, if so, are they configured and used as intended.
The review will lead to a risk analysis, from which Security Officers will be able to establish whether certain dangers need to be addressed immediately, and what extra security measures and policies need to be put in place in the future. It is not advisable to make too many amendments to work practices at the same time, so the risk analysis can also be used to identify priorities.
HHS has Published Guidance on Cloud Computing
As part of its “special topics for HIPAA professionals” series, the US Department of Health & Human Services (HHS) has published guidance for Covered Entities and Business Associate on Cloud Computing. This area of electronic records and HIPAA compliance is changing all the time and – as with the HIPAA Security Rule – HHS – does not endorse specific technologies to secure the integrity of ePHI.
The same rules are in place for electronic records and HIPAA compliance as if a medical expert was sharing PHI in paper format. Covered Entities are expected to carry out due diligence on the Business Associate (in this scenario the Cloud Services Provider), a Business Associate Agreement must be present, and the Business Associate is responsible for notifying the Covered Entity of any violation of ePHI.