HIPAA Compliant File Sharing Requirements
In this article, let us explore a bit about origin of HIPAA privacy & security rules and its major parts such as – who are covered, what information is protected, and what safeguards need to be in place to protect electronic health information stored in the cloud, mainly in the context of HIPAA complaint file sharing.
HIPAA (Health Insurance Portability & Accountability Act of 1996) enforced the Secretary of the US HHS to develop regulations that protect the security and privacy of health information that is stored in the cloud. In accordance, HHS published the HIPAA privacy and security rule.
- The Privacy Rule establishes countrywide standards for protection of cloud information.
- The Security Rule establishes set security standards to protect electronic information.
The Security Rule puts in motion the protections from the Privacy Rule, and addresses technical as well as non-technical safeguards which the organizations need to have in place for securing e-PHI.
Before HIPAA, there were no accepted security standards or requirements to protect cloud information. New technologies kept evolving, and the industry started moving away from paper and began relying on electronic systems more for paying claims, proving eligibility, providing and sharing information, etc.
Today, providers use clinical applications like CPOE systems, EHR, pharmacy, radiology, etc. Health plans provide access to care and claim management and self-service applications. This may mean that the workforce is more efficient and mobile, but the potential security risk also increases at the same time.
One of the main goals of this rule is to protect individual privacy with regard to cloud information while entities are allowed to adopt new technology to improve the efficiency and quality of patient care. The security rule is scalable and flexible which means covered entities can implement procedures, policies, technologies, etc. which are appropriate for their size and organizations structure.
This rule, just like all administrative rules, applies to health care, health plans, clearinghouses and any health care providers who transmit health information electronically.
This rule protects individually identifiable information known as PHI (Protected Health Information). It protects the subset of all information covered in the privacy rule which is all of the individually identifiable information created, received, maintained or transmitted electronically by an entity. It doesn’t apply to PHI which is transmitted in writing or orally.
On related note, here is a good article on What is PII and PHI? Why is it Important?
The rule requires all covered entities to maintain an appropriate and reasonable technical, physical and administrative safeguard for e-PHI. Covered entities must:
- Ensure confidentiality, availability, and integrity of e-PHI created, received, maintained or transmitted by them.
- Identify and even protect against anticipated threats to integrity or security of information.
- Protect against impermissible, anticipated disclosures or uses.
- Ensure workforce compliance.
Risk Management and Analysis
The provisions in the rules need entities to conduct risk analysis as a part of security management. The management provisions and risk analysis of this rule are separately addressed here, since determining which security measures are appropriate for an entities shapes the safeguard implementation for the rule.
- Security Personnel: Covered entities have to designate security officials who are responsible for implementing and developing security procedures and policies.
- Security Management Process: Covered entities need to identify and analyze any potential risks to e-PHI. They must implement security measures which will reduce the vulnerabilities and risks to appropriate and reasonable levels.
- Information Access Management: The security rule tells covered entities to implement procedures and policies that authorize access to e-PHI only at appropriate times depending on the role of the user or recipient.
- Workforce Management and Training: Covered entities need to provide for appropriate supervision and authorization of the workforce who use e-PHI. Covered entities need to train all members of the workforce about procedures and policies for security and need to have and apply relevant sanctions against any members who violate procedures and policies.
- Evaluation: Covered entities need to perform periodic assessments on how well security procedures and policies are meeting the requirements of this rule.
- Faculty Control and Access: Covered entities need to limit physical access to facilities and ensure only authorized access is granted.
- Device and Workstation Security: Covered entities need to implement procedures and policies which specify the correct use of electronic media and workstations. They must also have procedures and policies in place for the removal, disposal, transfer, and reuse of media.
- Access Control: Covered entities need to implement technical procedures and policies for allowing authorized person’s access e-PHI.
- Audit Controls: Covered entities need to implement software, hardware and procedural mechanisms for examining and recording access and any other activity in information systems which use or contain e-PHI.
- Integrity Controls: Covered entities need to implement procedures and policies which ensure e-PHI isn’t improperly destroyed or altered. Electronic measures have to be in place to confirm this as well.
- Transmission Security: Covered entities need to implement security measures which protect against unsanctioned access to e-PHI which is being transmitted over electronic networks.
- Business Associate Contracts: HHS develops regulations related to associate obligations and contracts under HITECH Act, 2009.
- Covered Entity Responsibilities: If covered entities know of activities or practices of associates which constitute violation or breach of their obligation, the entity needs to take reasonable steps to end the violation and fix the breach.
Procedures, Policies and Documentation Requirements
Covered entities need to adopt appropriate and reasonable procedures and policies for complying with provisions of the rule. They must maintain, until six years after the date of creation or last effective date, written procedures, policies, and records, of required activities, actions and assessments.
Updates: Covered entities need to periodically update documentation as a response to organizational or environmental changes which affect the security of e-PHI.
Noncompliance Penalties and Enforcement
Compliance: The rule establishes a set of standards for confidentiality, availability, and integrity of e-PHI. The HHS and OCR are responsible for enforcing and administering standards, in connection with their enforcement of the Privacy Rule and might even conduct investigations into complaints and reviews for compliance.
Author: Rahul Sharma