How Do Security and Compliance Intersect In Healthcare?

Today’s healthcare industry has to constantly adapt and change to meet the stringent guidelines of HIPAA regulations, including those that pertain to security. That’s why it’s so important for healthcare organizations to have an expert IT partner to help them stay compliant and avoid consequences.

The fact is that cybersecurity in healthcare IT is more difficult than other sectors. It requires a lot of data sharing with a lot of different people, more so than in other sectors. It exists on more different devices in more dispersed settings. The complexity and breadth of health IT systems have increased.

There are complex and ever-evolving government standards that can be hard to understand but must be complied with, and the data being dealt with has a high market value and a high negative impact on individuals if it becomes compromised.

Remember Wanna Cry? The infamous ransomware struck a few years ago, encrypting the data of thousands of businesses in the UK (including the entirety of the National Health Service) and holding them to ransom. By the end of the weekend, Wanna Cry had infected thousands of networks in over 150 countries around the world.

It’s threats like these combined with compliance concerns that make healthcare cybersecurity so difficult. Healthcare IT systems need to be flexible enough that all doctors, nurses, and other personnel have access to the data they need with minimal obstacles, but secure enough that the data does not get into the wrong hands.

Do You Understand The HIPAA Security Rule?

The Security Rule sets standards for the handling of electronic Protected Health Information (ePHI), which is the specific type of data the HIPAA Privacy Rule covers. This rule establishes national standards for properly securing patient data that is stored or transmitted electronically. The rule requires that three different types of safeguards are put in place:

1. Administrative
2. Physical
3. Technical

The purpose of these safeguards is to ensure the security of ePHI as it is transported, maintained, or received. Essentially, the Security Rule is meant to allow for new technology to be integrated into your operations uninterrupted while still keeping private patient data protected.

By law, the Security Rule applies to health plans, healthcare clearinghouses, and any other healthcare provider that handles any sort of health information electronically. Any provider or entity that comes in contact with ePHI must comply with the HIPAA Security Rule.

A healthcare provider is not required to handle every aspect of these activities or functions on their own. A business associate can be brought in to help with these activities, or the handling of certain functions can be outsourced. Business associates are allowed to have access to ePHI under the strict condition that this access will only be used to complete the tasks you’ve hired them to complete.

The Security Rule will protect the covered entity (which is your practice) in the event that there is a misuse of the ePHI, and will help the entity to comply with their expected duties under the Privacy Rule. The ePHI in question must never be used for any other purpose, except when required for appropriate management and administration.

What Information Is Protected?

Protected Health Information (PHI) and includes any information that can be used to identify a patient.

Some examples of PHI include:

• Name
• Address
• Telephone or Fax Number
• Email Address
• Web URLs/IP Addresses
• Biometric Data
• Full-Face Photos
• Medical Record Numbers
• Health Plan Beneficiary
• Medical Device Identifier Numbers
• Vehicle Identifiers/ License Plate Numbers
• Banking/Credit/Billing Information

Information pertaining to an individual’s employer or relatives are also subject to the Privacy Rule. It’s important to remember that all data that falls under these three points is protected:

1. An individual’s previous, current, or future physical or mental health
2. A provision of health care to that individual
3. A previous, current, or future payment for a provision of health care

The Privacy Rule excludes employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g from protected information regulations.

What Is The End Goal Of The Security Rule?

The goal of the Security Rule is to make sure a covered entity has the needed protective measures in place to protect the confidentiality, integrity, and availability of their ePHI. The increase in transmissions of ePHI between covered and non-covered entities has made setting standards necessary to keep that data secure. These standards are designed to protect patient privacy without impeding an entity’s ability to access and share ePHI as required to facilitate patient care.

While these standards were created at a Federal level, State laws are also in place. These State laws are often more stringent and will overrule Federal standards.

The good news is that you don’t have to handle HIPAA compliance on your own.

As important as it is to work on your business’ HIPAA security compliance, there’s still the matter of making sure it’s done right. That’s where a trusted partner in IT support can be so helpful. By having an expert team of healthcare IT professionals manage your compliance, you can ensure that your PHI is secure, without having to see to it yourself. The NCG-Net team now has the certification needed to ensure our valued clients are fully HIPAA compliant.

Like this article? Check out Important FBI/DHS Warning: Update On FBI And DHS Warning: SamSam Ransomware, Threat Advisory: SamSam Ransomware, or What Are The Top 5 New Features In MacOS Mojave? to learn more.