While HIPAA law is broad, at its core is the Security Rule, the full name for which is the Security Standards for the Protection of Electronic Protected Health Information. The Security Rule applies the rights that are conveyed by the Privacy Rule – i.e., the Standards for Privacy of Individually Identifiable Health Information – within digital environments. In order to achieve this aim, the Security Rule requires administrative, physical, and technical safeguards. These three categories of defenses are critical to ensuring HIPAA-compliant file transfer. Specific elements of these types of Security Rule protections include these ten key healthcare file transfer considerations:
1 – Security training & awareness (administrative)
Your staff should know reasonable ways (as with phishing prevention) to guard against the intrusion of malware. They should understand when it is appropriate and inappropriate to access health data. In order to prevent noncompliant password sharing, you want to have strong password policies implemented. An organizational culture that respects compliance is founded on training that ensures your workforce has strong security knowledge.
2 – Transmission security (technical)
One of the primary concerns is to prevent any unauthorized access to electronic protected health information (EPHI) whether it is moving or at rest. When considering in-transit data, protections are especially critical because mobile devices are increasingly used to send health data and health information exchanges (HIEs) have become more prevalent.
First, you need protocols, practices, and systems that will allow you to transmit ePHI securely. Second, it is critical to use encryption for all in-transit health data, based on the following considerations:
- the extent to which you have the personnel necessary to consistently encrypt in-transit data;
- whether or not your staff has encryption expertise;
- the practicality and affordability of encryption;
- whether it is appropriate and reasonable to have encryption in place; and
- the encryption procedures and algorithms that can be used.
3 – Device protections and workstation use (physical)
In order to comply with HIPAA, you have to put policies and procedures in place that address how your employees can access and use electronic media (most notably computers and mobile devices) and workstations appropriately. There should also be policies and procedures in place that control how media is transferred, decommissioned, thrown out, or reused. All pertinent health data must be wiped prior to any reuse. Confirmation that no one can access or use ePHI is needed (through total destruction or the application of a powerful magnetic field via degaussing) before media/devices can be thrown out.
Key concerns for this aspect of physical security are:
- the number of individuals who use the workstation; and
- whether it is in a private or public setting.
4 – Security management plan (administrative)
In order for your staff to properly follow administrative safeguard rules, you will need the policies and procedures of a comprehensive security management approach. A critical aspect of this effort is a risk analysis and management process. Overall, this plan is based on the need to maintain availability, integrity, and confidentiality of health data.
5 – Audit controls (technical)
The logging and analysis of everything that occurs within ePHI-containing IT systems – via the deployment of procedures, equipment, and software – is the focus of audit controls. Anyone handling health data, whether you are a covered entity or business associate, will want to assess what the intervals will be for auditing, specific processes used to study the ePHI, the location of storage for audit results, and the policy for personnel who do not follow guidelines. Plus, and perhaps most obviously, communication is key: you need to write down in official documents and let everyone know about the methods and processes you will use to conduct audits.
To determine the specific audit controls you need, the National Institute of Standards and Technology (NIST) suggests considering the following:
- the sites of health data risk at your institution;
- what elements you will be checking related to health data, such as its production, updating, reading, and/or removal; and
- the processes, software, and hardware that are higher-risk for disclosure, use, or unauthorized access.
6 – Security incident procedures (administrative)
In order to comply with HIPAA, you have to know how you will respond to security incidents in advance through documented policies and procedures. A key element is evaluating the spectrum of different incidents that could potentially occur. The procedures should specifically indicate an individual who is the organization-wide point-person to be notified if a security incident occurs (i.e., your HIPAA Security Officer, who may also be your HIPAA Privacy Officer). Everyone who is working at your organization should know exactly what they need to do in various types of difficult scenarios in order to make sure digital health data is safe no matter the situation.
7 – Organization or individual authentication (technical)
You want robust and thorough steps in place to authenticate access to your systems – determining the real identities of all users. Budget should be considered alongside training and the actual procedures and protocols that will be utilized. Authentication is necessary so you can determine whether someone has the correct permissions for ePHI or what the source of transmission is. You can use a number of methods to validate that the individual seeking access is not an impostor.
8 – Facility control and access (physical)
You need to go beyond protecting your workstations and devices to considering the whole building. You need to make sure that you are restricting physical access to people with proper authorization. While all of the stipulations for access – maintenance records, access validation and control procedures, contingency operations, and a facility security plan – are “addressable” rather than “required,” you still must use any of these elements that you find are appropriate based on analysis of your situation.
9 – Integrity controls (technical)
From an administrative perspective, ensuring integrity of your data (verifying that it is not wrongly destroyed or changed) requires you to establish (via policies and procedures) rules against wrongfully destroying or changing health data. It is important to think about how to safeguard your data’s integrity both when information is at-rest (stored) and in-motion (transmitting). Malicious individuals could threaten the smooth operation of your organization and potentially do severe damage to finances and reputation. You want to know the extent to which your data’s integrity is protected against manipulation. Notably, you can best protect your critical information through authentication, as is achieved via check sum technology, digital signatures, magnetic disk storage, and error-correcting memory (as indicated by the National Institute of Standards and Technology HIPAA Security Rule Guide). Any analysis of threats to integrity should include a look at outside individuals as well as people who are legitimately working for you – but are error-prone or become disgruntled.
10 – Data access management (administrative)
One of the greatest fundamentals of security is to only give information to the people who are supposed to be able to see it – blocking access to others. A HIPAA-compliant organization must assess the procedures they have deployed and add defenses so that they can mitigate inappropriate ePHI access and disclosure. Also note that information access management is about the need-to-know basis: make sure your management plan complies with the minimum necessary stipulations in the HIPAA Privacy Rule.
Your HIPAA-compliant business associate
HIPAA compliance goes beyond the above file transfer concerns to considering your entire ecosystem, trusting third parties (business associates) to strengthen your approach. Are you looking for hosting for your online healthcare presence? At Atlantic.Net, over the years, we’ve steadily built a reputation as an exceptional healthcare hosting company, known for demonstrating trustworthiness to our clients. See our HIPAA-compliant file hosting solutions.