Make sure you understand the relationship between electronic records and HIPAA compliance. It can be more complicated than many Covered Entities believe.
Security Officers in the healthcare industry with a responsibility for electronic records and HIPAA compliance have plenty to keep themselves occupied. In the majority of healthcare-related organizations across the country, thousands of electronic health records (ePHI) are being created every day before being used, transmitted and stored.
Maintaining the integrity of ePHI is a key element of compliance with HITECH and the HIPAA Security Rule; yet, when you look at the big picture, the scale of the requirement is staggering. Not only does ePHI created and used within an organization have to be safeguarded, but also ePHI transmitted outside of an organization's network, and ePHI stored in the cloud.
Start by Conducting a Risk Analysis
One of the primary issues with electronic records and HIPAA compliance is that the technical, physical and administrative safeguards of the HIPAA Security Rule were published three years before Amazon's cloud-based web services were launched, and four years before the first Apple iPhone was released. At the time, mHealth apps such as Fitbit were still many years into the future.
Therefore, in order to identify issues relating to electronic records and HIPAA compliance in a modern healthcare environment, Security Officers must conduct an accurate assessment of potential risks and vulnerabilities. The nature of risks typically falls into three categories:
- Unauthorized disclosure, modification or deletion of ePHI (both malicious and accidental).
- IT disruptions due to man-made or natural disasters.
- Business Associates and the failure to conduct due diligence.
Each category has a huge scope for potential breaches of ePHI and covering everything related to electronic records and HIPAA compliance is a huge task. Some Covered Entities have inventoried and analyzed the use and disclosure of all PHI (not just ePHI) as part of their efforts to comply with the HIPAA Privacy Rule, and this level of data can be invaluable for risk analysis.
Assess Your Current Security Measures
Once the risks have been identified and documented, the next step is to assess the organization's current security measures. Both technical and non-technical security measures have to be assessed in order to determine whether the security measures required by the HIPAA Security Rule are already in place and, if so, whether they are configured and used as intended.
This assessment will lead to a risk analysis, from which Security Officers will be able to establish whether certain risks need to be addressed immediately, and what additional security measures and policies need to be implemented in the future. It is not advisable to make too many changes to work practices at the same time, so the risk analysis can also be used to identify priorities.
HHS has Issued Guidance on Cloud Computing
As part of its "special topics for HIPAA professionals" series, the US Department of Health & Human Services (HHS) has issued guidance for Covered Entities and Business Associates on Cloud Computing. This area of electronic records and HIPAA compliance is evolving all the time and, as with the HIPAA Security Rule, HHS does not endorse specific technologies to safeguard the integrity of ePHI.
The same rules apply for electronic records and HIPAA compliance as if a medical professional were sharing PHI in paper format. Covered Entities are expected to conduct due diligence on the Business Associate (in this case the Cloud Services Provider), a Business Associate Agreement must be in place, and the Business Associate is responsible for notifying the Covered Entity of any breach of ePHI.