HIPAA compliance does not apply only to hospitals, medical offices and insurance companies. The law itself defines a “Covered Entity” narrowly: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. But since the 2013 Omnibus Rule, the “business associates” that handle protected health information (PHI) on a covered entity’s behalf are directly regulated as well, so in practice anyone who collects or processes individually identifiable health information for one of these entities falls under the rules.
Business associates include any person or organization that creates, receives, maintains or transmits PHI on a covered entity’s behalf, which includes lawyers, accountants, and IT service providers such as cloud storage operators or email service providers.
It does not matter what form the PHI takes. Paper records and oral conversations between patients and staff qualify alongside electronic data. Note, however, that HIPAA protects patients, not personnel as such: employment records that a covered entity holds in its role as an employer are expressly excluded from the definition of PHI. A staff member’s own medical records are protected only where that person is also a patient of a covered entity.
Aparavi can help you find and classify unstructured PHI, whether you’re a Covered Entity or not, with our easy-to-use platform.
PHI is a very broad term. It covers any individually identifiable information that relates to a person’s past, present or future physical or mental health, the care they received, or payment for that care, and all of it is granted the same protection. In practice that spans three kinds of data. First is identifying personal information, including basic details such as your name, date of birth or current address.
The second is medical information, which covers everything from your blood type to your height and weight, your medical history, and test results. The third is financial information, for instance medical bills and the payment methods used.
Before a business associate can handle PHI, the covered entity and the associate must sign a business associate agreement that spells out what PHI the associate may access, what it may do with it, and the safeguards it must maintain. Employees are treated differently: they are part of the covered entity’s workforce and are governed by its own policies, training and sanctions rather than by a contract. The covered entity remains responsible for its choice of associate, but since 2013 the associate is also directly liable under HIPAA for its own violations.
The Aparavi Platform makes it easy to respond to information requests or records requests, and to find PHI no matter where it is located. Simply type in a search query such as a patient name, or select a pre-defined classification policy from more than 140 options, including HIPAA, COVID, ICD-10, medical record number, social security number, insurance ID number and more, to quickly find what you need, when you need it, across any location.
HIPAA’s Security Rule requires three distinct types of safeguards that all covered entities and business associates must implement, document and routinely review. There are technical safeguards, which are geared towards electronic data; physical safeguards that apply to facilities, to the devices and media used to store and access that data, and to paper records; and administrative safeguards that cover employee behavior and the responsibilities of the entity as a whole.
Technical safeguards apply to electronic protected health information (ePHI) and access to it. Every user must have a unique identifier so that activity can be traced to an individual; a password is the usual credential but not the only acceptable one. Audit controls must record activity in the systems that hold ePHI so the records can be examined if problems arise. Transmission security requires guarding ePHI that leaves the entity’s systems, and encrypting it in transit is the expected way to meet this. There must also be a mechanism to authenticate ePHI, that is, to confirm it has not been altered or destroyed in an unauthorized manner; an integrity-checked backup of all files is one way to validate records that appear to have been changed or deleted outside normal procedure. Finally, sessions should be logged off automatically after a set period of inactivity. Some of these controls are “required” and others, such as encryption and automatic logoff, are “addressable”. Addressable does not mean optional: the entity must either implement the control or document why an alternative is reasonable and appropriate.
Physical safeguards put up literal walls between unauthorized users and data access points. For instance, the most sensitive information in a hospital should be kept in an area that is not accessible to visitors. An inventory of all hardware and media that hold ePHI is necessary so that nothing leaves the building, is reused, or is disposed of without authorization and without the ePHI first being removed. Workstations that have access to ePHI may be limited to specific users and specific data. For example, computers in the accounting department may only be able to access billing information and need not be accessible to doctors at all, further segregating data and limiting the potential for breaches.
Administrative safeguards cover the entire entity’s operations. Risk analysis and routine audits are a must. Workforce training in data privacy is another requirement. Third-party access to ePHI should also be strictly reviewed on a case-by-case basis and audited periodically. Finally, contingency plans for emergencies should be developed and tested.
Unfortunately, HIPAA compliance issues often arise when healthcare employees download patient files onto their workstations, or because a file is improperly stored in a location with open access. Aparavi makes it easy to find all of your company’s unstructured PHI across any storage locations, including endpoints. Once you can visualize where all unstructured data containing PHI is across your entire organization, it is much easier to control access and implement security measures to protect that information.
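The classification policies mentioned above (ICD-10, medical record number, social security number) and the endpoint sweep described here both come down to scanning unstructured text for PHI patterns and weeding out false positives. The following is an added illustration of that idea, written for this page; it is not Aparavi’s code and makes no claim about how the Aparavi Platform works internally. The sample note is constructed and fictional, the MRN format (the token “MRN” followed by 6 to 10 digits) is an assumption, and the ICD-10 matcher checks only the code shape, not whether a code exists in the current code tables.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input (fictional): the kind of free-text note that ends
# up copied onto a workstation or into a shared folder.
SAMPLE_TEXT = """Discharge summary for patient MRN 00481736.
SSN on file: 219-09-9999. Test account SSN 123-45-6789 (placeholder).
Diagnoses: E11.9 type 2 diabetes, I10 hypertension, Z79.4 long-term insulin.
Unrelated: room B401, ISO 27001 audit, invoice 2021-09-30."""


@dataclass(frozen=True)
class Finding:
    kind: str        # "SSN", "ICD10" or "MRN"
    value: str
    offset: int      # character offset of the value in the scanned text
    note: str = ""   # why a hit was downgraded, if it was


# SSN in the conventional dashed form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# ICD-10-CM code shape: a letter other than U, two digits, then optionally
# a dot and one to four alphanumerics (E11.9, I10, Z79.4). Shape only.
ICD10_RE = re.compile(r"\b([A-TV-Z]\d{2}(?:\.[0-9A-Z]{1,4})?)\b")
# Assumed local MRN convention: the label "MRN" followed by 6-10 digits.
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*(\d{6,10})\b", re.IGNORECASE)

# Well-known placeholder SSNs that show up in test data and documentation;
# reporting these as PHI would be a false positive.
PLACEHOLDER_SSNS = {"123-45-6789", "078-05-1120"}


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA allocation rules: area 000, 666 and 900-999 are never issued,
    and neither are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str) -> list[Finding]:
    """Return every PHI-pattern hit in text, ordered by position."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        value = m.group(0)
        if not ssn_structurally_valid(*m.groups()):
            continue  # e.g. 000-12-3456 cannot be an SSN, drop it silently
        note = "placeholder" if value in PLACEHOLDER_SSNS else ""
        findings.append(Finding("SSN", value, m.start(), note))
    for m in MRN_RE.finditer(text):
        findings.append(Finding("MRN", m.group(1), m.start(1)))
    for m in ICD10_RE.finditer(text):
        findings.append(Finding("ICD10", m.group(1), m.start(1)))
    return sorted(findings, key=lambda f: f.offset)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count reportable hits per kind, ignoring known placeholders."""
    counts: dict[str, int] = {}
    for f in findings:
        if f.note == "placeholder":
            continue
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_text(SAMPLE_TEXT)
    for f in hits:
        print(f"{f.kind:6} @{f.offset:<4} {f.value} {f.note}")
    print(summarize(hits))
```

The point of the two validity checks is the false-positive rate: a bare `\d{3}-\d{2}-\d{4}` matches invoice and part numbers, and an ICD-10 pattern without the word boundaries matches asset tags such as B401. A real policy would go further and validate ICD-10 hits against the published code tables and use the organization’s actual MRN format.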
Hopefully, if you have followed all the safeguards and implemented HIPAA’s best practices, you will not have to deal with this issue. Unfortunately, especially since COVID-19, healthcare facilities are increasingly under attack. Data breaches happen, and HIPAA has outlined a procedure to follow and penalties for non-compliance.
In the event of a data breach, the HIPAA Breach Notification Rule comes into play. An impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the data was compromised; whether the data was actually copied off-site or only viewed is one factor in that assessment. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. If 500 or more individuals are affected, the Department of Health and Human Services must be notified within the same 60 days, and prominent media outlets in the affected state must be notified as well; smaller breaches are logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered. The notification must describe what happened, the kinds of PHI involved, the steps individuals should take to protect themselves, what the entity is doing to investigate and prevent a recurrence, and how to contact it.
Aparavi helps you quickly comply with reporting requirements in the required time frame. Once you locate where the breach occurred, you can quickly use the Platform to identify which patients’ information may have been compromised, and only contact those individuals.
HIPAA enforces its rules through civil money penalties for noncompliance, with criminal penalties possible for knowingly misusing PHI. The amount depends on the level of culpability and the severity of the violation. The statute sets four tiers: violations the entity did not know about and could not reasonably have known about, violations due to reasonable cause, willful neglect that is corrected in time, and willful neglect that is not. The base amounts range from $100 to $50,000 per violation, with an annual cap for identical violations (originally $1.5 million), and the figures are adjusted for inflation each year. If you can show that you implemented the safeguards and had no reasonable way of detecting the problem, you fall into the lowest tier.
The Aparavi Platform is a great way to demonstrate compliance to limit your liability under HIPAA.
During the COVID-19 public health emergency, HHS’s Office for Civil Rights announced that it would exercise enforcement discretion for some of the rules. Most notably, it allowed non-public-facing remote communication tools such as Zoom or Skype to be used for consultations and telemedicine without penalty, even where no business associate agreement was in place. That discretion was tied to the public health emergency and expired with it on May 11, 2023, after a 90-day transition period that ended on August 9, 2023.
Medical practitioners may also disclose the minimum necessary PHI to first responders to protect their health. For instance, if they know you have tested positive for COVID-19, they can tell the medics about this in advance before they come to see you or before you enter a medical facility.
In addition, we also have a pre-defined COVID classification policy, for reporting or tracking unstructured data related to the virus in your organization.
With the flood of new data hitting healthcare providers today, it’s good to have a secure data management system built with HIPAA compliance in mind.
Aparavi’s platform makes it easy to determine who can access PHI and prevent unauthorized transmissions. For more information about how Aparavi helps with HIPAA Compliance, download the Data Privacy ebook and listen to the HIPAA Compliance podcast episode.