While all customer data is important to keep secure, electronic protected health information (ePHI) is even more sensitive. If your business does not comply with HIPAA regulations and a breach in private information happens, you can be fined, criminally charged, or have civil action lawsuits brought against your business.
HIPAA regulations apply to any covered entity that is a health care provider, health plan, or health care clearing house that creates, maintains, or transmits PHI as well as their business associates. These are people or businesses that provide services to covered entities and has access to PHI. This could include lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, and more.
Prior to gaining access to a patient’s confidential health information, business associates must sign an agreement with the covered entity that outlines what PHI that business associate has access to, how that PHI is to be used, and that it will be returned or destroyed upon completion of the task that PHI is needed for.
Both covered entities and business associates must ensure there are technical, physical, and administrative safeguards to comply with the HIPAA Privacy Rule to protect PHI. If a breach happens, then covered entities and business associates must follow the HIPAA Breach Notification Rule.
HIPAA Security Rule
The HIPAA Security Rule outlines the standards that must be used to protect ePHI and the rules apply to anyone with access to personal data.
EPHI should be encrypted to National Institute of Standards and Technology (NIST) standards once it is sent outside an organization’s internal firewalled servers. NIST standards ensure that any breach results in confidential data becoming unreadable and unusable. Accessing ePHI should be done through centrally controlled unique usernames and PINs for individual users. Devices used by authorized users must be able to encrypt and decrypt messages. Devices should have automatic log-off functions to keep any unauthorized users from gaining access to ePHI.
EPHI can be stored in a variety of locations, all of which must be protected. Procedures should be in place to prevent unauthorized access, tampering, and/or theft of ePHI. Users who access ePHI on their mobile devices must follow policies to make sure ePHI is taken off that device in the event that they change jobs or decide to sell or deactivate that device.
For more tips on keeping your data secure and compliant, subscribe to our blog.