A Closer Look at Technical Safeguards for HIPAA Compliance
As an IT service company dedicated to assisting small-to-medium-sized businesses with IT solutions, we are often asked about HIPAA rules and how they impact healthcare practices. There are several components that we evaluate for our clients, including physical, administrative, and technical safeguards that can keep our clients in compliance with HIPAA legislation. Today, we are looking a little closer at one aspect of this law: the technical safeguards. Read on to find out if your medical or dental practice is doing all it can to protect the protected health information of your clients.
What are Technical Safeguards?
According to the HIPAA Security Rule, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
How can you be certain that your patients’ electronic health information is adequately protected? The HIPAA technical safeguards, if followed properly, are meant to keep electronic protected health information (ePHI) properly secured from unauthorized access. This is the case whether the data is at rest, stored in an electronic file, or while in transit to another location.
Each covered entity needs to determine which technical safeguards are necessary and appropriate for the organization in order to protect its ePHI. The Department of Health and Human Services states that you need to “establish a balance between the identifiable risks and vulnerabilities to ePHI, the cost of various protective measures, and the size, complexity and capabilities of the entity.”
Access and Audit Controls
Two of the major components of having strong technical safeguards are the access controls to electronic protected health information and auditing control requirements that record and examine ePHI. For example, each healthcare practice and/or facility needs to determine the access control capability of all information systems with ePHI and ensure that system activity can be traced to a specific user. It is also critical to create a formal policy for access control that will guide the development of procedures. Implementing a mechanism to encrypt and decrypt ePHI will also be beneficial. This can help healthcare organizations determine if the chosen encryption is appropriate for storing and maintaining ePHI while it’s being stored and while it’s being transmitted. (HealthIT Security)
In addition to access controls, there also need to be audit control procedures and protocols. This means that healthcare practices and/or facilities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Healthcare facilities need to take a comprehensive look at confirming user identity. This will protect ePHI from improper alteration or destruction as well as determining how outside sources might jeopardize information integrity. Authentication also examines how healthcare organizations should determine how to secure that data while it’s being stored. For example, error-correcting memory, magnetic disk storage, digital signatures, and checksum technology are all electronic mechanisms that can be used for authentication.
Data in Transit Safeguards
According to the National Institute of Standards and Technology (NIST) HIPAA Security Rule Guide, organizations must encrypt ePHI in motion, while also making sure the encryption is reasonable and appropriate. This will include employee training in encryption options and procedures to follow when transmitting a patient’s medical records to another facility.
If your practice or facility needs help reviewing or updating your technical safeguards call Spectra Networks at 978.219.9752 or visit our website.