HIPAA compliance is all about protecting the integrity of Protected Health Information (PHI), and a major part of the legislation requires a wide range of security and privacy safeguards to protect patient data at rest or in transit. What this means is that when your medical files are traveling around cyberspace, it must be done with the utmost due diligence in an environment that is designed to protect against any form of a data breach.
Atlantic.Net has over 25 years of experience providing IT services. We are a specialist HIPAA-compliant hosting provider. We have compiled this Q&A page to help answer some of the most popular questions we are asked about HIPAA-compliant file sharing.
Yes, it is a mandatory requirement of HIPAA-compliance for both covered entities and business associates to provide training to their employees about HIPAA and the physical, administrative and technical safeguards needed to protect patient data.
Your staff should know reasonable ways (as with phishing prevention) to guard against the intrusion of malware, and they should understand when it is appropriate and inappropriate to access health data.
In order to prevent non-compliant password sharing, you want to have strong password policies implemented. An organizational culture that respects compliance is founded on training that ensures your workforce has strong security knowledge.
How Do I Protect PHI Data in Transit?
Preventing unauthorized access to Protected Health Information is of the utmost importance, whether the data is moving or at rest. When considering data-in-transit, protections are critical because mobile devices are increasingly used to send health data and health information exchanges (HIEs).
There are two key elements to consider:
Protect data in transit using security protocols, best practices, and secured systems
Encrypt all files in transit containing health data
To achieve this, each employee has the personal responsibility to consistently encrypt in-transit data. It does not matter if your staff has no encryption expertise; training must be provided. This training must explain the “dos and don’ts” when it comes to transmitting PHI and when it is not acceptable. A minimum of AES256 bit encryption must be used and PHI should not be sent via email unless encrypted first.
How Do I Protect Employee Workstations?
Employers must put policies and procedures in place that address how their employees can access and use end-user devices, typically mobile devices, laptops, and workstations. Create policies and procedures that control how media is transferred, decommissioned, thrown out, or reused. All pertinent health data must be destroyed prior to any equipment reuse.
Key concerns for this aspect of physical security are:
the number of individuals who use the workstation; and
whether it is in a private or public setting.
Why Do I Need a Security Management Plan?
In order for your staff to properly follow administrative safeguard rules, you will need policies and procedures to support a comprehensive security management approach. A critical aspect of this effort is a risk analysis and management process. Overall, this plan is based on the need to maintain the availability, integrity, and confidentiality of health data.
What Audit Controls are Needed to Protect PHI?
HIPAA compliance requires detailed logging of nearly all aspects of a system that hosts PHI. The logging and analysis of everything that occurs within these systems are essential.
Anyone handling health data, whether a covered entity or business associate, will want to assess what the intervals will be for auditing, the specific processes used to study the ePHI, the location of storage for audit results, and the policy for personnel who do not follow guidelines.
Detailed logging to smart SIEM solutions can offload a large amount of the workload to AI, and combining intelligent monitoring, an intrusion protection service, and due diligence creates the best environment to protect and audit sensitive data.
How Do I Respond to a Security Incident?
In order to comply with HIPAA, you have to know how you will respond to security incidents in advance with documented policies and procedures. A key element is evaluating the spectrum of different incidents that could potentially occur.
The procedures should specifically indicate an individual who is the organization-wide point-person to be notified if a security incident occurs (i.e., your HIPAA Security Officer, who may also be your HIPAA Privacy Officer).
Everyone who is working at your organization should know exactly what they need to do in various types of difficult scenarios in order to make sure digital health data is safe no matter the situation.
What Authentication Methods Should I Use?
You want robust and thorough steps in place to authenticate access to your systems and determine the real identities of all users. One such method to achieve this is by using user accounts (such as Active Directory) which have minimum password requirements, lockout capabilities, and are centrally managed, either in-house or by your MSP.
The budget should be considered alongside training and the actual procedures and protocols that will be utilized. Authentication is necessary so you can determine whether someone has the correct permissions for ePHI or what the source of transmission is.
Multi-factor authentication provides the best possible protection to sensitive data, MFA is widely used, and just like it does with mobile banking, MFA will protect access to your accounts. The same principle applies to PHI in a HIPAA-compliant context; MFA helps greatly in protecting PHI.
Who Protects Facility Access Controls?
The facility can be any physical location that is used to house PHI; this may be a terminal in a hospital, the data center of your managed hosting provider, or an employee cell phone. You need to go above and beyond protecting your workstations and devices, all the way to considering the whole building. Do you require a 24×7 security guard presence, CCTV monitoring, and potentially even further physical security controls in the facility?
Ensure you restrict physical access to people without proper authorization. While all of the stipulations for access – maintenance records, access validation and control procedures, contingency operations, and a facility security plan – are “addressable” rather than “required,” you still must use any of these elements that you find are appropriate based on analysis of your situation.
What Integrity Controls are Needed?
From an administrative perspective, ensuring the integrity of your data (verifying that it is not wrongly destroyed or changed) requires you to establish (via policies and procedures) rules against wrongfully destroying or changing health data.
Consider how to promote data integrity when information is at rest (stored) and in-motion (transmitting). Malicious individuals could threaten the smooth operation of your organization and potentially do severe damage to your finances and reputation.
You want to know the extent to which your data’s integrity is protected against manipulation. Notably, you can best protect your critical information through authentication as achieved via checksum technology, digital signatures, magnetic disk storage, and error-correcting memory.
Any analysis of threats to integrity should include a look at outside individuals as well as people who are legitimately working for you, but are error-prone or who may become disgruntled.
How Do I Control Access to PHI Data?
One of the greatest fundamentals of security is to only give information to the people who are supposed to be able to see it, blocking access to others. A HIPAA-compliant organization must assess the procedures they have deployed and add defenses so that they can mitigate inappropriate ePHI access and disclosure.
Information access is based on a need-to-know basis: make sure your management plan complies with the minimum necessary stipulations in the HIPAA Privacy Rule.
Which File Transfer Programs are HIPAA Compliant?
It is not necessarily the program that must be HIPAA-Compliant; rather, it’s critical that the environment where the program is used is abundantly secure. When dealing with PHI, companies must make sure that they are using a HIPAA-compliant file transfer platform to protect the integrity of sensitive data.
HIPAA legislation requires organizations to implement the following to ensure compliance:
Data backups and disaster recovery
Business Associate Agreements (BAA)
What is a HIPAA-Compliant Business Associate?
HIPAA compliance goes beyond the above file transfer concerns to encompass a consideration of your entire ecosystem, including sometimes trusting third parties (business associates) to strengthen your approach. Are you looking for hosting for your online healthcare presence? At Atlantic.Net, over the years, we’ve steadily built a reputation as an exceptional healthcare HIPAA hosting company, known for demonstrating trustworthiness to our clients.
Get Help with HIPAA Compliance
Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or visit www.atlantic.net.
Your 10-Step HIPAA Checklist
Start Your HIPAA Project with a Free Fully
Audited HIPAA Platform Trial!