HIPAA Compliant Firewall and Security Solutions

Here at Sucuri, our goal is to ensure that you have a solid understanding of HIPAA compliance and how it affects your data, and your company as a whole.


What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act (HIPAA) regulates how Protected Health Information (PHI) may be used, disclosed, and safeguarded. It applies to covered entities such as health plans, health care clearinghouses, and health care providers (clinics and hospitals among them), and to the business associates that handle PHI on their behalf.

There are three primary sets of safeguards in the HIPAA Security Rule to key in on:

  • Administrative Requirements: The policies, procedures, risk analysis, and workforce controls that govern how PHI is protected and which personnel are authorized to access it.
  • Physical Requirements: Measures that prevent physical theft or loss of items or devices that contain PHI, whether written or electronic.
  • Technical Requirements: Digital measures taken to protect your networks, systems, and devices from breaches and malicious access attempts.

Note the mention of electronic PHI: electronic protected health information (ePHI) is any PHI that is created, stored, transmitted, or received electronically. In today’s digital landscape, most PHI qualifies as ePHI at some point in its life cycle.

What does each requirement mandate for compliance?

For the purposes of this guide, we’ll highlight a checklist of items to ensure you’re meeting these requirements.

Administrative Requirements:

  • Create a privacy policy that the office acknowledges and understands.
  • Designate a security official (and a privacy official) responsible for overseeing data security and HIPAA compliance.
  • Identify which employees should have access to the data.
  • Require vendors who need access to PHI to follow HIPAA standards and sign a business associate agreement (BAA) that outlines these security requirements.
  • Back up data and maintain a disaster recovery plan (DRP) that also accounts for unexpected emergencies (storms, fires, etc.) and includes communication to anyone impacted.
  • Schedule frequent risk assessments to determine any potential security issues.

Physical Requirements:

  • Limit physical access to computers / servers to authorized personnel only.
  • Restrict access to secure areas and require sign in for access to those areas.
  • Shred, incinerate, or pulp hardcopy materials so data cannot be reconstructed.
  • Render data on electronic media unrecoverable so that data cannot be reconstructed.
  • Destroy media containing data when it is no longer needed.
  • Schedule frequent risk assessments to determine any potential security issues.

Technical Requirements:

  • Encrypt files before you send them via email or upload them to the cloud.
  • Protect your network from attacks using security software and encryption.
  • Authenticate the other party before transferring data to them, whether by password, token, or callback.
  • Keep up-to-date documentation of your technology stack and network configurations, as well as the HIPAA practices that apply to them.
  • Ensure that all software and security configurations are kept up to date and that the systems holding PHI remain available.

What are examples of data that fall under HIPAA?

Examples of the data that these institutions handle include:

  • Past, present, or future physical or mental health data of an individual.
  • Past, present, or future payment data for the payment of health care for an individual.

Looking more closely at the HIPAA security requirements, the following standard transaction types carry PHI and belong on a HIPAA compliance checklist of data you must monitor and protect:

  • Health care claims or health care encounter information, such as documentation of doctor’s visits and notes made by physicians and other provider staff;
  • Health care payment and remittance advice;
  • Coordination of health care benefits;
  • Health care claim status;
  • Enrollment and disenrollment in a health plan;
  • Eligibility for a health plan;
  • Health plan premium payments;
  • Referral certification and authorization;
  • First report of injury;
  • Health claims attachments;
  • Health care electronic funds transfers (EFT) and remittance advice; and
  • Other transactions that HHS may prescribe in future regulations.

This applies regardless of whether the information is shared electronically, on paper, or orally with an unauthorized individual.

Who is responsible for this data?

In short, your organization is. More importantly, whenever PHI is used or disclosed, your organization must limit it to the smallest amount needed to satisfy the purpose of the request (what the regulation calls the “minimum necessary” standard).

What is Sucuri’s role with HIPAA compliance?

In terms of HIPAA security compliance, the relevant standard is 45 CFR §164.312(a)(1), which requires organizations to implement technical policies and procedures that keep their systems from suffering unauthorized access. This includes preventing attackers from reaching PHI through a vulnerable web server, which would trigger a HIPAA security incident.

164.312 (a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

Other, more general elements of the HIPAA Security Rule also apply: §164.306(a)(1)-(3) (the general requirements to ensure the confidentiality, integrity, and availability of ePHI and to protect against reasonably anticipated threats and impermissible uses or disclosures) and §164.308(a)(1) and (5) (the security management process, including risk analysis and risk management, and security awareness and training). These are relevant to §164.312(a)(1) because preventing unauthorized access to records is essential to the security and safeguarding of that information.


Why Choose Sucuri?

What makes Sucuri the best website security for businesses and developers?

Thought Leaders in Website Security

Sucuri Labs offers unique insights that together with our Sucuri Blog help millions of website owners protect their property. This has earned us press and media mentions from top news outlets, industry blogs, and cybersecurity journalists.

A Safe Internet is Our Mission

The Sucuri SiteCheck Scanner automatically scans for hacks and malware. Our guides provide additional help to prevent or fix website hacks on your own. Read how customers have used us over the years in our more than 70 customer case studies.

Custom Solutions & Partnerships

Website security for large organizations, web professionals, and partners.

Get in touch to find your own custom solution.
