HIPAA compliance makes sense once you understand all the rules, but unfortunately few have invested the time, resources and training to do so. Most healthcare professionals understand the importance of PHI, and they would never intentionally place this information at risk. The challenge is that these professionals earn their living by providing the services they spent eight years in school for. Their level of success is directly tied to billable hours, or how much time is spent offering healthcare services. School did not prepare them to be IT or legal experts, yet HIPAA regulations pertaining to PHI treat them that way. The fines associated with a data breach carry the power to cripple their business.

The risk doesn’t stop at the practice. HIPAA compliance is a requirement for all covered entities, including business associates. If you're an IT service provider, it doesn’t really matter whether you are healthcare specific or not. Having at least one healthcare customer with PHI, and hosting or managing that data as a business associate, makes you just as “at risk” for non-compliance penalties.

Today, my network of PHI protection experts and I offer you the following instructions* to help solve the HIPAA PHI compliance puzzle. PHI protection under the laws of HIPAA covers three main areas:
- Confidentiality – PHI under your care needs to be saved in a non-readable format, and there must not be any visible association to a specific individual (or patient).
- Integrity – The data must remain in the same format that it was originally saved – it has to be tamperproof. Also, access to this data must be limited to only those qualified to view it.
- Availability – PHI can’t be lost, and it needs to be recoverable and usable within a reasonable period of time.
Basic guidelines for data protection under HIPAA:
- PHI protection is NOT optional – All covered entities, including medical practices and business associates (BAs), must securely maintain retrievable exact copies of electronic protected health information.
- PHI must be recoverable – The key here is that you must be able to fully “restore” any loss of data. Without the ability to restore, data protection is rather useless.
- PHI must have a copy stored offsite – There is some flexibility here with regards to what “offsite” is, but you need to have a copy of your critical data in a separate location than your practice.
- PHI must be protected frequently – These days, even losing a day’s worth of data would be considered significant.
- PHI must be encrypted – PHI needs to be encrypted while at rest and also during transmission to prevent outside access. Make certain that the data is encrypted with an industry-accepted encryption algorithm. AES is the industry standard.
- PHI recovery must be documented – HIPAA requires written procedures related to your PHI backup and recovery plan. Showing your intent and taking the time to document the protection of your PHI could protect you from penalties.
- PHI recovery must be tested – You must be able to demonstrate that you tested your ability to restore lost PHI.
*These steps alone put you on the correct path for HIPAA compliance but of course do not guarantee that you are compliant in all areas regarding PHI. These recommendations are not legal advice; qualified counsel should always be consulted regarding legal issues specific to your practice.

There are several ways that your data can become compromised, as disaster presents itself in many forms. It is best to identify these risks before they happen, speculate on what could happen, and build a plan for dealing with them. Being HIPAA compliant is necessary, and while it’s great to avoid audits and penalties, protecting your PHI serves the greater interest of keeping the doors open. With or without regulations, every business (that wants to stay in business) should invest in putting together a quality data protection plan. Even the loss of everyday business data like accounting information can be devastating. Nobody can afford downtime or a bad reputation in the age of instant information.

As much of a puzzle as HIPAA compliance can be, by working with experts in this field I’ve learned that HIPAA regulations can actually be rather forgiving. If you can prove intent, you can potentially avoid penalty. Nobody wants to lose or risk the integrity of their PHI or be fined hundreds of thousands of dollars in penalties. Therefore, take the time to document your procedures, build a PHI/data recovery plan, and maintain proof that you frequently test against this plan.
About the Author: Mike Andrews is a 20-year veteran of the data-protection and security software industry and serves as Managing Director of NovaStor Corporation. NovaStor® represents “Backup for the Rest of Us” by empowering overwhelmed and underfunded IT administrators with all-inclusive, fast, highly scalable, budget-sensitive data backup solutions for both physical and virtual environments. NovaStor’s disruptive approach redefines service by including personalized local, expert-level professional services as part of every solution, helping ease the enormous expectation placed on maintaining a working, compliant backup under even the strictest of budgets.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.