How To Be HIPAA Compliant
Any company that deals with patient health records or comes in contact with electronic protected health information (e-PHI) must ensure that all of the required administrative, physical and technical security measures are in place and followed according to the HIPAA Privacy and HIPAA Security Rules.
Specifically, companies must:
- Ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the health information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure HIPAA compliance by their workforce.
The HIPAA Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the HIPAA Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. “Integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on-demand by an authorized person.
If you are hosting your data with a data center partner, that partner must have the following administrative, physical and technical safeguards for e-PHI in place, as described by the U.S. Department of Health and Human Services:
Administrative Safeguards
- Security Management Process. Identify and analyze potential risks to e-PHI, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel. Designate a security official who is responsible for developing and implementing the data center's security policies and procedures.
- Information Access Management. Implement policies and procedures for authorizing access to e-PHI only when such access is appropriate, based on the user or recipient's role (role-based access).
- Workforce Training and Management. Provide for appropriate authorization and supervision of workforce members who work with e-PHI and train all workforce members regarding security policies and procedures. The data center must also have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation. Perform a periodic assessment of how well the data center's security policies and procedures meet the requirements of the Security Rule.
Physical Safeguards
- Facility Access and Control. Limit physical access to the data center facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. Implement policies and procedures to specify proper use of, and access to, workstations and electronic media. The data center must also have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of e-PHI.
Technical Safeguards
- Access Control. Implement technical policies and procedures that allow only authorized persons to access e-PHI.
- Audit Controls. Implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. Implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. Implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
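The Audit Controls and Integrity Controls items above require mechanisms that record activity on e-PHI and can show that records have not been improperly altered or destroyed. One common way to satisfy both for the audit trail itself is a hash-chained, HMAC-protected log: every entry is authenticated with a key and bound to the previous entry's MAC, so modifying, reordering or removing an entry is detectable on verification. The following is an added example written for this page, not code from HHS or from any data center provider; the key `AUDIT_KEY`, the event fields and the sample events are all constructed for illustration.

```python
"""Tamper-evident audit log for e-PHI access events (added example).

Each entry carries an HMAC-SHA256 over its own fields plus the MAC of the
previous entry. Changing, reordering or deleting an entry breaks the chain
at that point. The key and events below are constructed for this example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous MAC" used by the first entry

# Constructed example key. In practice the key lives in a secrets store or
# HSM that the database holding the log cannot read, so a compromised
# database account cannot recompute MACs after editing entries.
AUDIT_KEY = b"example-only-audit-key"


def _canonical(obj) -> bytes:
    # Stable serialisation: key order and separators must be identical for
    # the writer and the verifier, or the MACs will not match.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only audit log; entries are never edited in place."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: List[dict] = []

    def append(self, event: dict, ts: Optional[str] = None) -> dict:
        prev = self._entries[-1]["mac"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "event": event,
            "prev": prev,
        }
        entry = dict(body, mac=_mac(self._key, body))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[dict]:
        # Shallow copies, so callers cannot mutate the stored entries.
        return [dict(e) for e in self._entries]


def verify_chain(key: bytes, entries: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, first bad index)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i  # reordered, or an earlier entry was removed
        body = {k: e.get(k) for k in ("seq", "ts", "event", "prev")}
        if not hmac.compare_digest(_mac(key, body), str(e.get("mac", ""))):
            return False, i  # contents changed, or MAC forged without the key
        prev = e["mac"]
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events; fixed timestamps keep the output reproducible."""
    log = AuditLog(AUDIT_KEY)
    log.append({"user": "dr_smith", "action": "read", "patient": "pt-1001"},
               ts="2024-03-01T09:00:00+00:00")
    log.append({"user": "nurse_lee", "action": "update", "patient": "pt-1001"},
               ts="2024-03-01T09:05:00+00:00")
    log.append({"user": "dr_smith", "action": "read", "patient": "pt-2002"},
               ts="2024-03-01T09:10:00+00:00")
    return log


if __name__ == "__main__":
    entries = build_sample_log().entries()
    print("intact:", verify_chain(AUDIT_KEY, entries))
    tampered = [dict(e) for e in entries]
    tampered[1]["event"] = {"user": "dr_smith", "action": "read", "patient": "pt-1001"}
    print("after editing entry 1:", verify_chain(AUDIT_KEY, tampered))
    print("after deleting entry 1:", verify_chain(AUDIT_KEY, entries[:1] + entries[2:]))
```

One caveat a practitioner should note: the chain proves nothing about entries that were never written, and it cannot by itself detect removal of the newest entries, since a truncated log still verifies up to its last surviving entry. To close that gap, periodically record the latest MAC (or the entry count) somewhere the log's own storage cannot alter, such as a write-once bucket or a separate system owned by the security official, and compare against it during the periodic evaluation the Administrative Safeguards call for.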