HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in order to standardize and simplify healthcare administrative processes. The components of overall compliance include implementing a non-intimidating, easy-to-use reporting system, training users of information systems to recognize suspicious incidents, and having hospital staff follow through with investigations and report findings back to the user. According to Intronis (2013), the privacy of patients is a major topic of concern as technology continues to evolve. Since the majority of patient information is transferred in digital format, healthcare Information Technology (IT) departments realize that they are exposed to risk.
According to HIPAA (2014), administrative safeguards are the administrative procedures, policies, and actions used to manage the implementation and maintenance of security measures that protect electronic health information. They are also used to manage the conduct of the workforce in relation to the protection of that information. The first standard requires that the hospital have a formal security management process in place to address security issues. The implementation features of security management are as follows. Conducting a risk analysis: the hospital should assess potential vulnerabilities and risks to the integrity and confidentiality of electronic protected health information (ePHI). The first phase of a risk assessment is identifying the types of ePHI held; the most common forms of electronic protected health information include medical records, clinical studies, and data found in billing and correspondence. The scope and depth of the risk assessment should be consistent with the size and type of the entity, and the threat assessment should focus on security processes, network infrastructure, third parties, contingency planning, and personnel activities. Implementing a risk management program: the factors to consider are the level of risk, the size of the entity, the complexity of implementation and maintenance, and the cost of mitigating controls. Developing and implementing a sanction policy: covered entities must implement sanction policies for security violations involving ePHI. Developing and deploying an information system activity review: a covered entity is expected to have a mechanism in place to review information system activity, with the resulting reports reviewed regularly (HIPAA, 2014).
The second standard is assigning security responsibility. A security official must be appointed who is responsible for developing and implementing the procedures and policies required in the hospital. The selected person should be able to assess security effectively and serve as the point of contact for implementation, security policy, and monitoring. The third standard is workforce security. This regulation focuses on the relationship between ePHI and people; it ensures that there are appropriate procedures, policies, and safeguards governing access to electronic protected health information by the workforce as a whole. This standard has three implementation specifications: implementing procedures for supervision/authentication, establishing a workforce clearance procedure, and establishing termination procedures.
The fourth standard is information access management (HIPAA, 2014). Its purpose is to make sure that covered entities have formal procedures and policies for granting access to ePHI. In this section there are two implementation specifications: isolating healthcare clearinghouse functions, implementing procedures and policies to authorize access, and implementing procedures and policies to establish access. The fifth standard is security awareness and training. Since users are the first line of defense against intrusion, attack, and error, they must be trained and regularly reminded of the imminent dangers. This standard has four implementation specifications. Establishing a security awareness program: this is designed to remind users of information systems of potential threats and of their role in mitigating risks in the hospital. Providing training on malicious software: users should be trained in the proper procedures for guarding against, detecting, and reporting malicious software. Providing training on login monitoring procedures. Providing training on password management: password selection should be in accordance with the hospital's policy (HIPAA, 2014).
The sixth standard is security incident procedures; this addresses reporting and responding to security incidents. The seventh standard is a contingency plan. It establishes procedures and policies for responding to emergencies that can damage systems containing ePHI. Its implementation specifications include conducting a data and application criticality analysis, establishing and implementing a data backup plan and a disaster recovery plan, and establishing an emergency mode operation plan. The eighth standard is evaluation; all covered entities should comply with the HIPAA Security Rule, and this standard focuses on developing metrics and criteria for reviewing all implementation specifications and standards for compliance (HIPAA, 2014).
Physical safeguards are the physical procedures, policies, and measures that protect covered entities. They are the set of requirements put in place to protect electronic protected health information (ePHI) from unauthorized physical access. The standards of physical safeguards are as follows. Facility access controls: these are procedures and policies that limit physical access to systems containing electronic protected health information and ensure that only properly authorized access is allowed. The implementation specifications of this standard include creating a facility security plan, implementing validation procedures and access control, keeping maintenance records, and establishing contingency operations. Workstation use: these specifications govern the proper use of workstations that have access to ePHI. These safeguards are generally outlined in an employee affirmation agreement, and the implementation specifications require that procedures and policies be written specifically for each class of workstation based on location, function, or access to ePHI. Workstation security: this specification applies to all workstations accessing ePHI, and its aim is to allow access only to authorized users (HIPAA, 2014).
Technical safeguards are the procedures and policies that control access to and protect electronic protected health information. They use technology to protect ePHI from unauthorized access. Technical safeguards have five standards. The first standard is access control. Its aim is to use technical controls so that only users and processes with authorized access can reach electronic protected health information. This standard has four implementation specifications: establishing emergency access procedures, requiring unique user identification, encrypting and decrypting stored information, and implementing automatic logoff procedures (HIPAA, 2014).
The second standard is audit controls; this standard requires the implementation of hardware, software, and procedural mechanisms that record and examine activity in information systems containing electronic protected health information (HIPAA, 2014). The third standard is integrity controls; this helps in identifying any sources that can compromise information integrity. Common integrity threats include malicious software, file alteration, internet hackers, and application vulnerabilities. The controls that the hospital should put in place to address these threats include antivirus software, antispyware software, file integrity checkers, e-mail filtering, and database integrity utilities. The fourth standard is person or entity authentication; the access control standard requires unique user identification, and authentication controls require verification of that unique user identification. The authentication approaches available to the hospital are single-factor and multi-factor authentication. The fifth standard is transmission security; covered entities should implement technical security measures that protect electronic protected health information transmitted over an electronic communication network from unauthorized access. This can be achieved by implementing encryption controls and integrity controls.
In summary, as stated on the HIPAA website (2014), HIPAA regulations are intended to standardize and simplify healthcare administrative processes. Administrative simplification will help the hospital transition from keeping records on paper to conducting transactions and storing records electronically. The Security Rule will help the hospital ensure that electronic protected health information (ePHI) is safeguarded from those who may try to breach its integrity, confidentiality, and availability. "HIPAA regulations are the best security practices." The healthcare industry is currently taking a leadership position in the implementation of information security controls. Security spending should protect information assets and valuable information; this gives patients peace of mind because their trust is safeguarded and honored.
Physical safeguards will help the hospital secure its premises and the equipment within them from unauthorized physical tampering, access, and theft. Implementing physical safeguards will minimize the possibility of access to electronic protected health information (ePHI) through workstations. Implementing automatic logoff procedures under the technical safeguards, which terminate a session after a predetermined period of inactivity, will protect users from compromise of information; most of the time users leave their workstations unattended, and during this time their accounts are vulnerable to unauthorized disclosure. Implementing appropriate integrity controls will help the hospital ensure that electronic protected health information has not been modified or altered during transmission. Integrity controls that can be used in the hospital include point-to-point networks and application-layer protocols such as HTTP and SSL. Therefore, if the hospital implements all of these regulations, its electronic protected health information will be secure from intrusion and the hospital will gain efficiency in all its activities.
References
Five Steps to HIPAA Security Compliance. (n.d.). HIPAA.com. Retrieved October 18, 2014, from http://www.hipaa.com/2013/10/five-steps-to-hipaa-security-compliance/
HIPAA Compliance and Data Protection. (n.d.). Intronis Cloud Backup and Disaster Recovery. Retrieved October 18, 2014, from http://www.intronis.com/cloud-backup-resources/hipaa-compliance-data-protection