It’s critical to review the requirements of HIPAA technical safeguards to ensure that your healthcare organization is compliant and able to keep PHI safe.
- While no healthcare organization can guarantee that a data breach will never take place, implementing the necessary technical safeguards can go a long way toward decreasing the possibility of a security issue.
As technology itself continues to evolve, healthcare organizations must ensure that their technical safeguards in place are current and comprehensive. Patients’ electronic protected health information (ePHI) must remain secure from any external – or even internal – threats. Even though recent data shows that the majority of health data breaches are through the loss of devices, facilities should still understand exactly what is required of them in terms of HIPAA technical safeguards.
What are technical safeguards?
According to the HIPAA Security Rule, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Essentially, a covered entity must use any security measures that allow it to reasonably and appropriately implement the necessary standards for protection. Moreover, a covered entity must determine which security measures and specific technologies are reasonable and appropriate.
For example, a smaller healthcare organization might not need the same type of computer malware program as it is likely operating on a less complicated system than a large health information exchange.
“A covered entity must establish a balance between the identifiable risks and vulnerabilities to EPHI, the cost of various protective measures and the size, complexity, and capabilities of the entity,” stated the Department of Health and Human Services’ (HHS) HIPAA Security Series.
Cost is an important factor, but it must not be the only one that a healthcare organization considers, according to HHS. With “reasonable and appropriate” security measures, facilities of any size should be able to keep electronic data secure.
Access and audit control requirements
Two of the major aspects of strong technical safeguards are within the access and audit control requirements. For example, a facility needs to determine the access control capability of all information systems with ePHI and ensure that system activity can be traced to a specific user. It is also critical to create a formal policy for access control that will guide the development of procedures. Implementing a mechanism to encrypt and decrypt ePHI will also be beneficial. This can help healthcare organizations determine if the chosen encryption is appropriate for storing and maintaining ePHI while it’s being stored and while it’s being transmitted.
In terms of audit control requirements, facilities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
A covered entity also needs to document and communicate audit control procedures and protocols. Employees at all levels must understand how often audits will take place, how the results will be analyzed, what the organization’s sanction policies are for employee violations, and where audit information will reside.
Authentication and integrity
Covered entities must also institute policies and procedures to protect ePHI from improper alteration or destruction. These integrity controls can be created by figuring out how outside sources might jeopardize information integrity. Furthermore healthcare organizations should determine how to secure that data while it’s being stored – at rest. For example, error-correcting memory, magnetic disk storage, digital signatures, and check sum technology are all electronic mechanisms that can be used for authentication.
Overall, a comprehensive view needs to be taken when confirming user identities. Healthcare organizations must ensure that a user who is viewing ePHI is actually authorized to do so. Even guaranteeing the validity of a transmission source or access privileges to patient data can go a long way in building strong technical safeguards.
Securing the data ‘in motion’
Secure data transmission is essential for healthcare organizations, especially with the growth of electronic medical records (EMR) and health information exchanges (HIEs). How can covered entities function properly within an HIE if it cannot securely transmit a patient’s medical records to another facility?
According to the National Institute of Standards and Technology (NIST) HIPAA Security Rule Guide, organizations must encrypt ePHI in motion, while also making sure the encryption is reasonable and appropriate. Moreover, covered entities need to ensure the chosen encryption is cost-effective, feasible, and efficient. Staff members have to be trained in all aspects of the chosen encryption option so they can properly use their acquired skill set.
Comprehensive HIPAA safeguards
When technical safeguards are properly applied with physical and administrative safeguards, a healthcare organization will be much better prepared for numerous types of data breaches. Data encryption and firewalls are just the beginning, as employees must be trained properly and understand how best to handle ePHI.
Technical safeguards must evolve along with healthcare technology. But, if an organization takes the necessary steps to keep pace, it will have a much better chance at keeping ePHI from falling into the wrong hands.