HIPAA compliance makes sense once you understand the rules, but few practices have invested the time, resources and training needed to get there.
Most healthcare professionals understand the importance of protected health information (PHI) and would never knowingly put it at risk. The challenge is that they earn their living by providing the clinical services they spent eight years in school for.
Their success is tied directly to billable hours, the time spent delivering care. School did not prepare them to be IT or legal experts, yet the HIPAA rules on PHI hold them to that standard, and the fines that follow a data breach can cripple a practice.
The risk does not stop at the practice. HIPAA compliance is required of every covered entity and of every business associate that handles PHI on its behalf. If you are an IT service provider, it does not matter whether you specialize in healthcare: having even one healthcare customer whose PHI you host or manage makes you a business associate, and just as exposed to non-compliance penalties as the practice itself.
Today, my network of PHI protection experts and I offer you the following instructions to help solve the HIPAA PHI compliance puzzle.
PHI protection under HIPAA covers three main areas:
- Confidentiality – PHI in your care must not be available or disclosed to anyone who is not authorized to see it. In practice, stored copies should be unreadable without the key, so that whoever obtains a copy cannot tie any record to a specific individual (or patient).
- Integrity – PHI must not be altered or destroyed in an unauthorized manner. A stored copy has to remain exactly as it was saved, with any tampering detectable, and access to it must be limited to those qualified to handle it.
- Availability – PHI cannot be lost, and it must be accessible and usable on demand by authorized people, which for a backup means recoverable within a reasonable period of time.
- PHI protection is NOT optional – The HIPAA Security Rule's data backup plan standard (45 CFR 164.308(a)(7)(ii)(A)) requires every covered entity and business associate, medical practices included, to create and maintain retrievable exact copies of electronic protected health information.
- PHI must be recoverable – The key here is that you must be able to fully restore any lost data. A backup that cannot be restored is not data protection.
- PHI must have a copy stored offsite – There is some flexibility in what "offsite" means, but a copy of your critical data must live in a location separate from the practice, so that a single incident there cannot destroy both the original and the backup.
- PHI must be protected frequently – These days, losing even a day's worth of data is significant. Set the backup interval by how much data you could afford to re-enter.
- PHI must be encrypted – Encrypt PHI at rest and in transit with an industry-accepted algorithm; AES is the industry standard. Under the Security Rule encryption is an "addressable" specification rather than a strictly required one, but PHI encrypted in line with HHS guidance (which points to NIST standards) does not count as "unsecured PHI" if it is lost or stolen, so encrypting is the practical default.
- PHI recovery must be documented – HIPAA requires written procedures for your PHI backup and recovery plan. Documenting how PHI is protected shows good faith and can weigh in your favor when penalties are assessed.
- PHI recovery must be tested – You must be able to demonstrate that you have tested your ability to restore lost PHI, which means actually restoring a copy, comparing it with the original and recording the result.
About the Author: Mike Andrews is a 20-year veteran of the data-protection and security software industry and serves as Managing Director of NovaStor Corporation. NovaStor® represents "Backup for the Rest of Us" by empowering overwhelmed and underfunded IT administrators with all-inclusive, fast, highly scalable, budget-sensitive data backup solutions for both physical and virtual environments. NovaStor's disruptive approach redefines service by including personalized local, expert-level professional services as part of every solution, helping ease the enormous expectation placed on maintaining a working, compliant backup under even the strictest of budgets.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
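Returning to the backup requirements in the list above, here is a worked example added by the editor; it is not code from the article or from NovaStor's products. It uses Go's standard library to encrypt a record with AES-256-GCM, write it to a separate directory standing in for the offsite location, and then perform a test restore that only passes if the restored bytes match the SHA-256 recorded at backup time. The sample record, the fixed key, and the function and file names are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrRestoreMismatch: the copy decrypted, but it does not match the hash
// recorded when the backup was taken, so the test restore has failed.
var ErrRestoreMismatch = errors.New("test restore failed: restored PHI differs from original")

// newGCM builds an AES-256-GCM AEAD; a key of any other size is refused.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPHI seals plaintext with a fresh random 12-byte nonce prepended.
// GCM's authentication tag means a stored copy altered by even one bit is
// rejected at restore time instead of being restored as if it were intact.
func encryptPHI(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptPHI reverses encryptPHI; it errors on a wrong key or a tampered copy.
func decryptPHI(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// backupOffsite encrypts plaintext and writes it under offsiteDir (a stand-in
// for a separate location). It returns the stored path and the SHA-256 of the
// plaintext; both belong in the written recovery record, the hash being what a
// later test restore is checked against.
func backupOffsite(key, plaintext []byte, offsiteDir, name string) (string, [32]byte, error) {
	sum := sha256.Sum256(plaintext)
	sealed, err := encryptPHI(key, plaintext)
	if err != nil {
		return "", sum, err
	}
	path := filepath.Join(offsiteDir, name+".enc")
	if err := os.WriteFile(path, sealed, 0o600); err != nil {
		return "", sum, err
	}
	return path, sum, nil
}

// testRestore is the restore test the rule asks you to demonstrate: read the
// offsite copy, decrypt it and confirm it matches the recorded hash. Only a
// byte-identical result counts as a successful restore.
func testRestore(key []byte, path string, expected [32]byte) ([]byte, error) {
	sealed, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	plain, err := decryptPHI(key, sealed)
	if err != nil {
		return nil, fmt.Errorf("restore failed: %w", err)
	}
	if sha256.Sum256(plain) != expected {
		return nil, ErrRestoreMismatch
	}
	return plain, nil
}

func main() {
	// Constructed sample record and a fixed demo key. In production the key
	// comes from a key manager and is never stored beside the backup.
	phi := []byte("mrn=000123;name=Sample Patient;dx=J45.909;visit=2015-03-02")
	key := bytes.Repeat([]byte{0x42}, 32)
	dir, err := os.MkdirTemp("", "offsite-copy")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path, sum, err := backupOffsite(key, phi, dir, "practice-db")
	if err != nil {
		panic(err)
	}
	restored, err := testRestore(key, path, sum)
	fmt.Printf("test restore ok=%v err=%v\n", err == nil && bytes.Equal(restored, phi), err)
}
```

Run it with `go run`. Two design points matter for the list above: GCM makes the integrity check part of decryption, so a tampered or partially corrupted offsite copy surfaces as a failed restore rather than as silently restored bad data, and the hash recorded at backup time is what turns "we restored something" into "we restored exactly what we saved". The hash does not tell you whether the source was already corrupt when the backup was taken, and the key must be kept somewhere the backup is not, or an attacker who takes the offsite copy takes everything needed to read it.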