HIPAA stands for Health Insurance Portability and Accountability Act. This US law was designed to provide privacy standards to protect patient medical records. Health information provided to health plans, hospitals, health care providers and doctors must be protected by HIPAA.
Compliance with HIPAA respects the physical, administrative and technical safeguards described in HIPAA. Therefore, the main question pops up: what is the key to HIPAA compliance?
What are the key elements of HIPAA compliance? Let’s touch on the key elements of HIPAA compliance that everyone involved in healthcare must respect. Their fulfilment is a key to HIPAA compliance.
Technical protections
- Network Encryption. Each ePHI must meet NIST cryptographic standards whenever it is transmitted over an external network.
- Access control/registration. Each user must be assigned a unique and centrally controlled username and PIN code. A detailed log is required to track all accesses (and attempts) to ePHIs.
- Automatic logout. Users must be logged out after a specific time, recommended between 30 seconds and 3 minutes.
Physical protections
- Access control. People who have physical access to data storage must be carefully monitored. Reasonable measures must be taken to block unauthorized entry.
- Manage workstations. A policy must be written to define which workstations can have access to health data and which are restricted. It should describe the way in which a screen must be protected by the parties and the appropriate use of the workstation.
- Protection and tracking. If a mobile device is used by one user and then passed on to another, a policy for mobile devices must be written that removes data before the device is given to another user.
Administrative protections
- Risk assessments. A comprehensive risk assessment must be completed for all health data.
- Train your staff. All employees must be trained on all ePHI access protocols and understand how to identify and recognize potential cybersecurity threats, such as phishing attacks. All training sessions must be recorded and kept.
- Building emergencies. Continuous business continuity must be achieved by preparing processes to keep data secure.
- Block access: Verify that subcontractors and other entities do not have access and cannot view the ePHIs. Trade agreements must be signed with all partners.
- Documenting security incidents. Any security incident must be acknowledged by personnel and personnel must report the events.
HIPAA privacy rule
- Responding to requests. Patient access requests must be processed within 30 days.
- Inform patients. It is needed to have data sharing policies.
- Train your staff. All staff must be trained on privacy and understand what can and cannot be shared internally or externally.
- The integrity of ePHIs. Appropriate measures must be taken to maintain the integrity of ePHIs and patient personal identifiers.
- Authorisation for the use of APIs. The patient must grant permission for research or marketing.
- Form Update / Copy. Authorisation forms must include references to changes in the treatment of school vaccinations, restriction of ePHIs regarding the closure of health plans, and patient’s rights to their electronic records.
HIPAA Violation Notification Rule and Omnibus rule (key aspects of HIPAA compliance)
- Notify patients. Patients and the HHS department should be made aware of any violations of ePHI.
- 4 elements. The breach notification messages must contain four elements, including a description of the ePHIs and personal identifiers who gained unauthorised access, whether the data was viewed or captured, and the degree of success of risk reduction.
- Update the BAAs and privacy policy.
- Submitting new copies. To maintain compliance, new copies of the BAA must be sent and signed.
- Modernising PNPS
- Staff training: All staff must be aware of the Omnibus rule through thorough training.
Zuella Montemayor did her degree in psychology at the University of Toronto. She is interested in mental health, wellness, and lifestyle.