HIPAA technical safeguards are just one piece of the larger health data security plan that covered entities and their business associates must put together. However, it is a very important aspect.
Over the next few weeks, HealthITSecurity.com will discuss some common examples of all three HIPAA safeguards, and how they could potentially benefit healthcare organizations. Not all types of safeguards are appropriate or necessary for every covered entity. But by having a comprehensive understanding of what is required by HIPAA and the HITECH Act, and how various safeguards can be used, organizations will be able to identify which ones are most applicable. From there, they can create and implement the right data security protections for their daily workflow and ensure they maintain HIPAA compliance.
As previously mentioned, HIPAA technical safeguards are an important part of keeping sensitive health data secure. Whether a small primary care clinic is weighing health data encryption options or a large HIE is considering BYOD for employees, understanding the basics of HIPAA technical safeguards is essential.
What are HIPAA technical safeguards?
The HIPAA Security Rule describes technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” An important point, however, is that the Security Rule does not require specific technology solutions. Rather, healthcare organizations need to determine reasonable and appropriate security measures for their own needs and characteristics.
For example, a small primary care clinic with fewer than 10 doctors that does not allow employees to use their own mobile devices might not need to implement health data encryption on its devices. Instead, the organization may want to focus on firewalls and multi-factor authentication for its office computers.
HHS outlines four main areas for healthcare organizations to consider when implementing HIPAA technical safeguards:
- Access Control
- Audit Controls
- Integrity Controls
- Transmission Security
Essentially, covered entities need “to implement technical policies and procedures that allow only authorized persons to access” ePHI, limiting who can reach sensitive information. Along similar lines, hardware, software, and/or procedural mechanisms must be implemented to record and examine access and other activity in information systems that contain or use ePHI.
Integrity controls are policies and procedures that ensure ePHI is not improperly altered or destroyed, while transmission security means CEs implement technical security measures to guard against unauthorized access to ePHI that is transmitted over electronic networks.
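The following is an added example, not code from the article or from HHS, showing how three of the four HHS areas (access control, audit controls, integrity controls) look when reduced to a small record store. The roles, field names and patient records are constructed for illustration; the HMAC key would come from a key management system in a real deployment, and transmission security is left to TLS on the network layer rather than modelled here.

```python
"""Minimal ePHI record store demonstrating role-based access control
(minimum necessary), an append-only audit log of every access attempt,
and an HMAC-SHA256 integrity tag that detects alteration of stored data.
All names, roles and records below are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed policy: roles allowed to read and write full clinical records.
CLINICAL_ROLES = {"physician", "nurse"}
# Constructed policy: the only fields a billing clerk needs to see.
BILLING_FIELDS = {"patient_id", "insurance_id"}


class EPHIStore:
    def __init__(self):
        # Integrity key held server-side; assumed to come from a KMS/HSM in practice.
        self._key = secrets.token_bytes(32)
        self._records = {}   # patient_id -> (serialized record, hmac tag)
        self.audit_log = []  # append-only list of access events

    def _tag(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _audit(self, user, action, patient_id, outcome):
        # Audit control: record who did what, to which record, and the result.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action,
            "patient_id": patient_id, "outcome": outcome,
        })

    def put(self, user, role, record):
        pid = record["patient_id"]
        if role not in CLINICAL_ROLES:
            self._audit(user, "write", pid, "denied")
            raise PermissionError(f"role {role!r} may not write ePHI")
        data = json.dumps(record, sort_keys=True).encode()
        self._records[pid] = (data, self._tag(data))
        self._audit(user, "write", pid, "allowed")

    def get(self, user, role, patient_id):
        # Access control first: unauthorized roles never touch the data.
        if role not in CLINICAL_ROLES and role != "billing":
            self._audit(user, "read", patient_id, "denied")
            raise PermissionError(f"role {role!r} may not read ePHI")
        data, tag = self._records[patient_id]
        # Integrity control: refuse to serve a record whose tag no longer matches.
        if not hmac.compare_digest(tag, self._tag(data)):
            self._audit(user, "read", patient_id, "integrity-failure")
            raise ValueError("stored record failed integrity check")
        record = json.loads(data)
        if role == "billing":
            self._audit(user, "read", patient_id, "allowed-minimum-necessary")
            return {k: v for k, v in record.items() if k in BILLING_FIELDS}
        self._audit(user, "read", patient_id, "allowed")
        return record

    def audit_outcomes(self):
        return [event["outcome"] for event in self.audit_log]

    def simulate_tampering(self, patient_id, new_data: bytes):
        """Demo only: overwrite stored bytes without re-tagging, as a
        direct database edit that bypasses the application would."""
        _, tag = self._records[patient_id]
        self._records[patient_id] = (new_data, tag)
```

Denied attempts are logged as well as successful ones; that is the part of audit controls that a later review of "who looked at this record" depends on, and the integrity failure is logged before the exception is raised so the event is not lost.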
Examples of HIPAA technical safeguards
Again, just because one healthcare organization opted for a certain technical safeguard does not mean that all healthcare organizations are required to implement the same one. Here is a quick rundown of some of the more common options for HIPAA technical safeguards. These are not the only technical safeguard options, and are not necessarily applicable to all covered entities or all business associates.
Anti-virus Software: Installing and maintaining anti-virus software is a basic but necessary defense against viruses and similar code designed to exploit vulnerabilities in computers and other devices. Computers can become infected in numerous ways, such as through CD-ROMs, email, flash drives, and web downloads.
Authentication: There are numerous types of authentication, and multi-factor authentication is also becoming more popular. For example, a password, PIN or passcode can help ensure that only authorized users gain access to sensitive information. Login attempt limits, voice control features and disabling speech recognition could all further help with authentication.
Data Encryption: With this type of safeguard, a covered entity converts the original form of information into encoded text. This way, the health data is unreadable unless an individual has the necessary key or code to decrypt it. There are numerous encryption methods available, so covered entities should review their systems and policies to determine if encryption is appropriate, and what kind of encryption to use.
De-identification of Data: This is where identifiers are removed from PHI. Once de-identified, medical information can be used in areas such as research, policy assessment, and comparative effectiveness studies. One example would be removing specified individual identifiers, such as patient names, telephone numbers, or email addresses.
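As an added example (not code from the article), here is a small de-identification pass over a constructed patient record. The article names patient names, telephone numbers and email addresses; this goes a little further and also applies the Safe Harbor treatment of dates (year only), ages over 89, and ZIP codes (first three digits, or 000 for sparsely populated areas). The field names and the list of restricted ZIP prefixes are constructed assumptions, not HHS data.

```python
"""Safe Harbor style de-identification of a patient record, plus a check
for identifiers that survive in free text. Field names and the restricted
ZIP prefix list are constructed for illustration."""
import re

# Direct identifiers dropped outright (constructed field names).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "address", "ip_address"}
# Date fields reduced to the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Constructed placeholder: 3-digit ZIP prefixes that must be reported as "000".
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Patterns for identifiers that tend to hide in free-text fields.
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def generalize_zip(zip_code):
    z3 = str(zip_code)[:3]
    return "000" if z3 in RESTRICTED_ZIP3 else z3


def generalize_date(value):
    # "1980-03-14" -> "1980"; only the year may be retained.
    return str(value)[:4]


def generalize_age(age):
    # Ages over 89 are aggregated into a single category.
    return "90+" if age > 89 else age


def scrub_text(text):
    text = PHONE_RE.sub("[PHONE]", text)
    return EMAIL_RE.sub("[EMAIL]", text)


def deidentify(record):
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # drop the field entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # notes and other free text
        else:
            out[key] = value
    return out


def find_residual_identifiers(record):
    """Post-check: return (field, match) pairs for phone/email patterns
    still present in any string value of a supposedly de-identified record."""
    found = []
    for key, value in record.items():
        if isinstance(value, str):
            for m in PHONE_RE.findall(value) + EMAIL_RE.findall(value):
                found.append((key, m))
    return found
```

The post-check matters more than the field drop: structured fields are easy to remove, but clinician notes are where phone numbers and email addresses usually leak, so a release pipeline should run `find_residual_identifiers` and refuse any record for which it returns matches.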
Firewall: This is used to prevent unauthorized users from accessing a system in the first place. A firewall can be a software product or a hardware device; it inspects all messages coming into the system from the outside and determines whether each one should be allowed in. Unless an EHR is totally disconnected from the internet, a firewall should be used.
Mobile Device Management (MDM): MDM helps facilities maintain control of PHI at all times and can provide secure client applications such as email and web browsers, over-the-air application distribution, configuration, monitoring, and remote wipe capability.
Remote Wipe Capability: With this tool, healthcare organizations can permanently delete data stored on a lost or stolen mobile device. This could help prevent unauthorized individuals from gaining access to ePHI that had been stored on a mobile phone or laptop. However, employees may be reluctant to install this option on their personal mobile devices.
Staying HIPAA compliant
The key thing to remember is that the Security Rule does not dictate which safeguards covered entities and business associates need to put in place. It simply states that the necessary and applicable physical, administrative and technical safeguards have to be implemented to keep ePHI secure.
Healthcare organizations should review their daily workflows and see how their equipment needs to be protected from unauthorized users. Whether a covered entity requires data encryption, mobile device management, or another type of technical safeguard, HIPAA compliance can be maintained by ensuring that the right solutions for its needs are properly used.
Furthermore, HIPAA technical safeguards should be used along with physical and administrative safeguards. All three must be put in place to remain compliant and give healthcare organizations the best chance at staying secure.