How to comply with HIPAA in the framework of cybersecurity in healthcare?
HIPAA, the Health Insurance Portability and Accountability Act, is a set of U.S. laws that every healthcare organization must abide by. They are in place to protect the privacy of protected health information, also known as patient data. Breaching the HIPAA laws can result in large fines, up to millions of dollars or euros, and potential criminal penalties of up to ten years in jail [1].
Let’s take an overarching look at HIPAA and some of the main rules that are part of HIPAA. We will also discuss steps that healthcare organizations can take to ensure they remain compliant with the HIPAA law.
[1] https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
HIPAA Privacy Rule
The privacy rule focuses on keeping patient data private and only permits the sharing of patient data with the patient and authorized representatives, unless the correct consent is given. This applies to any organization that transmits medical records electronically, including healthcare providers, healthcare payers, healthcare clearinghouses and more. The rule aims to allow protected healthcare information to be accessible, in order to provide the best possible care, whilst also protecting the patient from cybersecurity threats.
Protected information
Protected health information covers any data where an individual can be identified. This includes many common identifiers such as name, address, social security number and date of birth.
HIPAA Security Rule
The HIPAA security rule is a set of standards that organizations must apply when they have access to protected health information. It applies to anyone who has the ability to read, write, modify, or electronically communicate stored protected patient data.
The security rule has three parts: technical safeguards, physical safeguards and administrative safeguards. Each of these is detailed below:
Technical safeguards
The technical safeguards refer to the technology that organizations use to protect electronic health information.
These three technical safeguards are required of all healthcare organizations that have access to patient data:
- Access control
- Audit logs
- Audit controls
There is also a set of addressable technical safeguards, for which each organization must decide whether they apply to it. If an organization decides that a safeguard is not applicable and does not need to be addressed, it must document clearly why it is not needed. This documentation is required for HIPAA compliance.
The addressable technical safeguards are:
- Tools for encryption and decryption
- Automatic log-off functions
- A method to authenticate electronic health data
Physical safeguards
The physical safeguards are in place to secure the physical location of the patient data, whether it is stored in a cloud-based system or on a physical server. This aspect of the law also protects the devices from which patient data can be accessed, including mobile and desktop devices.
Here are the physical safeguards that each healthcare organization is required to comply with:
- Policies and procedures for mobile devices
- Policies for the use and positioning of workstations
There are also several addressable safeguards that organizations need to consider:
- Facility access controls
- Inventory of hardware
Administrative safeguards
Administrative safeguards bring together the physical and technical safeguards. They require a security officer and a privacy officer to meet the outlined requirements by conducting regular reviews, assessments, and training.
Here is a list of the required administrative safeguards:
- Risk assessments
- Risk management policy
- Developing a contingency plan
- Restricting third-party access
As with the other safeguards, there are also some addressable administrative safeguards. These are:
- Employee training
- Contingency plan testing
- Reporting security incidents
Complying with HIPAA
Complying with HIPAA is not a simple process. There are many different areas of cybersecurity that need to be considered. Identity and access management systems are a must-have for healthcare organizations to comply with the technical safeguard requirements of the HIPAA security rule. At Atos we provide comprehensive identity and access management solutions to help healthcare organizations comply with this rule. For more information you can read our whitepaper on maintaining HIPAA compliance with identity and access management solutions.
In addition to identity and access management, at Atos we can help healthcare organizations comply with HIPAA through mock assessments, secure data protection, facility access control, encryption and decryption, restricting third-party access, authentication of data, and more. We can provide end-to-end cybersecurity advice, expertise and implementation for your healthcare organization. Get in touch with our experts, who have the in-depth technical knowledge and experience to help you comply with HIPAA. Contact our healthcare team.