Document sharing is a double-edged sword in modern healthcare. On one hand, the ability to quickly and efficiently share critical patient information between authorized medical professionals can make all the difference in patient care. On the other hand, health care organizations with multiple facilities may need to transmit these documents through public internet services thanks to the geographic distance that separates them.
While this may not seem like an issue at first, the HIPAA Security Rule would say otherwise. In one instance, ignorance of these rules cost an organization some $218,000 in HIPAA fines. In this case, the offending organization didn't actually lose any data, but simply placed it at risk by not fully investigating the security prowess of the document-sharing app its employees used.
With $26.4 million in HIPAA fines collected by the Office for Civil Rights, what are some key rules to be aware of to avoid future fines? Better yet, how can IT better tackle compliance management?
Playing by the Rules
Health care IT is bound by the HIPAA Security Rule which governs how electronic patient health information (ePHI) is handled at rest and in motion. This rule is broken down into three parts with specific standards for data access in an effort to protect the welfare of patients. Here's a brief overview of the policies IT should be aware of:
Physical Safeguards: These standards focus on ePHI protection from a physical standpoint. Whether data is stored on-site, in the cloud or with a third party, HIPAA calls for strict restrictions to prevent the risk of data access by unprivileged users. They include:
- Safeguards to record and prevent unauthorized access
- Organized inventory and location history of all hardware
- Policies governing restrictions of mobile-device and workstation use when ePHI is involved. These should cover device use, recycling and data movement
Technical Safeguards: These are implemented to protect the logical aspects of ePHI access and generally deal with encryption of data in rest and in motion. They include:
- Deployment of tools that provide encryption and decryption of ePHI by authorized users.
- Deployment of tools that allow assessments of ePHI to determine recent access, modification and destruction of data.
- Centrally controlled user-access management.
Administrative Safeguards: These standards were created to protect the privacy of ePHI from an administrative perspective. They include:
- Assignment of a security officer to assess and enforce compliance procedures
- Create a risk management plan and conduct an assessment to determine vulnerabilities
- Train employees in safe handling of ePHI using provided tools
An Easier Way to Manage Compliance
The above list of requirements dictated by the HIPAA Security Rule can be a bit daunting. Even more so when other compliance regulations enter the picture. So how can IT manage the growing list of rules to prevent such hefty fines?
The easy answer is to centralize and automate. Since HIPAA compliance requires specific safeguards to govern data in rest and in motion, deploying a single, centralized solution to manage these aspects will take the burden off your shoulders. Such a solution should allow access control, logging, encryption, decryption and visibility of data at all points in your environment. It would also ideally offer automated processes to handle these tasks with efficient alerting to keep your team abreast of all developments.
When it comes to governance and compliance in IT, it's clearly better to be safe than sorry. With modern tools to streamline the process of enacting data policy and enforce protections, it's actually never been more manageable to maintain compliance.