The Health Insurance Portability and Accountability Act of 1996 or HIPAA didn’t just transform the healthcare industry and how it utilizes IT. Solutions providers working with healthcare institutions are also required to comply with the security and privacy requirements defined in HIPAA, especially after the HITECH Act was introduced in 2009.
The privacy and security requirements of HIPAA can be broken down into three major groups: the privacy rule, the security rule, and the breach notification rule. The privacy rule is the relatively easy part to interpret. It governs how electronic Protected Health Information or ePHI can be disclosed and used. It requires the consent of the patient or the guardian of the patient at every endpoint.
The same can also be said for the breach notification rule. The rule makes notifying all stakeholders mandatory. In this case, the stakeholders are the Department of Health & Human Services, affected individuals, and healthcare institutions, and the media in some cases. Notification of all breaches must be sent immediately after a breach is discovered.
The tricky part of HIPAA compliance lies predominantly in meeting the high-security standards. It involves protecting the confidentiality, integrity, and availability of ePHI.
Understanding the Objectives
Before we get to the steps that need to be taken—and standards to follow—in HIPAA compliance, we need to first understand the objectives to achieve when complying with this law, starting with improving continuity of healthcare-related information, particularly patients’ electronic health records or EHRs.
The law also takes data protection a step further by making threat assessment and identification mandatory. It is up to service providers—defined as business associates—to help healthcare institutions identify and mitigate potential risks effectively.
Finally, a set of rules is put in place to ensure the privacy and safety of patients. Medical records and other healthcare related information is sensitive information that could affect patients’ lives. Data integrity and protection become very important when you consider the sensitive nature of the information stored.
Things to Consider
Many IT practitioners admire the flexibility of HIPAA privacy and security requirements for the right reasons. This is one of the few laws that take scalability and structure into consideration. These happen to be the first two factors to consider when implementing HIPAA security standards. The size, complexity, and structure of the organization will pose different challenges, which is why a unique approach is often required.
The same can be said for technical and infrastructure-related challenges. Business associates are there to help healthcare institutions and their employees maintain the highest security standards. The role means business associates must adopt a more active stance, including recommending regular evaluations and proactively identifying additional risks.
Last but certainly not least, there are cost concerns to take into account before moving forward with the implementation of security measures. Security measures that are too expensive to implement and maintain are certainly not the right solutions to HIPAA compliance. Fortunately, most of the available solutions suit even private practices and smaller healthcare institutions.
HIPAA Security Best Practices
Here comes the fun question: what are the steps to take in order to comply with HIPAA privacy and security requirements? While the law seems complicated from the outside, the security standards to meet are very straightforward. The steps you need to take include:
- Choosing and setting up secure infrastructure: Any compliance effort needs to start from the very basic. The demand for HIPAA-compliant infrastructure is on the rise, so it is not surprising to find providers like Amazon offering HIPAA compliance out of the box. AWS compliance with HIPAA provides the perfect base for HIPAA-compliant apps and services.
- Establishing sufficient access control: A good role-based access control system is required. Even with AWS HIPAA compliance, you still need to manage who has access to the AWS cloud services and related accounts. The same applies to service-level access, all the way to end users of the system.
- Implement logging and audit routines: Audit controls are important as a HIPAA technical safeguard. It also an essential part of risk assessment processes. Audit controls monitor access and other activities in a secure environment. Monitoring is a big part of audit routines too but monitoring AWS status should not be a problem.
- Adding integrity audit loops: As mentioned before, maintaining information integrity is a big objective of HIPAA. With logging in place, adding audit loops and maintaining a consistent information chain are the next steps to take in order to ensure maximum information integrity.
- Securing data transmissions: The last piece of the puzzle is securing data transmissions to and from the infrastructure. Every transmitted information must be sufficiently encrypted and transmitted via secure channels. No insecure data transmissions are allowed as long as those transmissions contain ePHI.
Of course, these are not the only steps to take to comply with HIPAA completely. You also have to add physical security measures to the infrastructure. Administrative safeguards, including on-site security measures designed to limit access to the system, are also necessary.
There is one additional challenge to overcome when working towards HIPAA compliance, and that is getting everyone involved. Compliance isn’t just about setting up a secure environment and the right security measures.
It is also about making sure that all employees and stakeholders understand how to maintain the highest security standards possible. Sufficient security policies, frequent security training, and regular audits are the tools to use in order to maintain compliance at all times.
For more on cloud security, check out our article, A Useful Overview of the Cloud Controls Matrix.
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and make recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.