Chris Reddick (President and CEO at Clarity Ventures) and Ron Halversen (Vice-President of Sales and Marketing at Clarity) discuss the technical safeguards needed for HIPAA compliance.

Part 7 of a 13-part series (Return to Part 6)

CHRIS: Ultimately these summaries are pretty helpful. “Access control: implementing technical policies and procedures that allow only authorized persons to access ePHI data.” So we talked about that earlier. This is the rules thing. Think about the bank vault and who has access to the inner vault. You have to maintain that and keep that up to date.  

“Audit controls.” And this one is interesting. And if you haven't heard of this, it can be helpful. It's “a covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use.” So that's pretty general, but it also is specific enough that it's talking about multiple layers of infrastructure and capability that have to be monitored with HIPAA auditing.


CHRIS: Again, if you want to get into the weeds, you can look at the actual laws. There are some great examples that we'll go into with our HIPAA series, so you'll have that as well. But this is something that a lot of folks overlook.

“Integrity controls.” Similar concept, “a covered entity must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed, and electronic measures must be put in place to confirm that has not been improperly altered or destroyed.” So this is the same idea. This is something that a lot of folks overlook; those two are sort of like blind spots for a lot of people.

And then “Transmission security. A covered entity must implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.” Generally speaking, SSL is great for this, but really you can also encrypt the data and then send it over SSL, effectively doubling encryption. Depending on your situation, you can even do things with tokenization, de-identification, then putting yourself in a position where, even if the HIPAA data protection was compromised while it's being transmitted, it's not technically going to meet the definition of a breach.

These are details and nuances—one of the things I would say, just in summary of the Security Rules section is, they generally pass into other spaces like PCI DSS level compliance (payment card industry data security standard). You'll see a lot of similar overlap in that space.  

There's a framework called HITRUST that is a nonprofit—outside of HIPAA and the government—an organization that put together a framework or a blueprint for meeting, and in many cases exceeding, these standards, which is really what you want to shoot for. And if you follow that HITRUST framework, you're generally going to be following a framework that's going to get updates. They're going to keep you apprised, and you can essentially become part of a community that is adhering to HIPAA and generally exceeding some of the HIPAA requirements. So that can be a really helpful starting place as well, the HITRUST framework. 


CHRIS: We have a series of videos that go into the different Cloud hosting providers and the general infrastructure side of complying using HITRUST. Whether you're on AWS, Google Cloud, or Azure, we have detailed information on complying with HIPAA using HITRUST within all of those environments. So that might be really helpful.

Ultimately, a lot of folks that are watching this, you might be overwhelmed just by hearing me talk about all these details. Usually, the best thing that you can do is to work with an expert who specializes in this and even share this video with them if you'd like. We would love for you to take advantage of it and utilize it. We have detailed guides, and obviously we're going from the HHS official HIPAA website and essentially bringing you a summary of that so you can collaborate with folks like ourselves. We offer a complimentary discovery, and we really encourage you to use the resources on the HHS website. Reach out to folks like us who offer these complimentary discoveries and just get answers to the questions that you have so that you can sleep well at night when it comes to the Security Rule.

There are some details and complexities. But also keep in mind that, right out of the gate, they state very clearly that it is variable based on what your organization can bear. They don't want to inhibit your ability to implement new technology and improve the care that you're giving patients. So there has to be a healthy balance there. Any thoughts on this one, Ron, before we move on to HIPAA enforcement?
 
RON: Gosh, yeah, there's so much there. I think you said it really well. I love the bank example. I always use an x-ray technician example, right? An x-ray technician, when they take my x-ray and they evaluate it and they upload the results, they obviously need access to my record. But they shouldn't be able to go into my record and see that whatever I have—diabetes or whatever—they shouldn't be able to have access to that other information. And that's what they're talking about, to get very specific. A teller would never have access to go look in my safe deposit box. So that's where people, especially with the size of the organization, get hung up.  

I've been going to [my doctor] for 20 years; it's him and his nurse. The great thing about him is, he's old-school, he's got the folders. So every time he walks in, he reaches back and grabs my two-inch folder. Everything is printed out, and it's there. Well, [the Security] Rule doesn't apply. Most of this rule doesn't apply to him, because if you remember what Chris said, it was the ePHI data and the electronic distribution and the ease of being able to breach, gain access to that information and wrongfully share that information.
 
Well, if he only has a printed copy in his office and it's physically locked and he and his nurse are the only two that have access to that, there's a lot less risk there. So that's what they're saying is that you can go in and say, “Okay, well, maybe instead of spending $20,000—and I'm making up numbers here—to set up all these different roles, maybe I only allow the PAs and the doctors, who do have the right to see everything, access to the record. And then the x-ray technician will give me the results and I, as the PA, would upload that into Ron’s [record]. Then I have to spend a whole bunch of money creating and monitoring all these different roles.


RON: And that's what they're saying, that you've got this variability, you don't necessarily have to have the—again, making up numbers—the $300,000 solution. If a $30,000 solution will work with a little bit of manual workaround, you can be in adherence to the guidelines very strictly without having to spend the ton of money that the larger corporations would.

When Chris was talking about how some people have to have a privacy officer, the compliance officer, and all this stuff: if you don't have time to do that—like my doctor, he doesn't have time to do that. It's literally him and his nurse. Well, he might come in and outsource that to a partner like Clarity where we’ll go in and sign a HIPAA BAA [business associate agreement], become an extension of their team, help them with that, walk them through the process, and use tools like Accountable HQ, the NIST tools, or the HHS tools off the website.
 
So yeah, Chris, great job on the Security Rule. Let's go ahead and move on to the Enforcement Rule. Any closing thing on security, or are we good to go? 
 
CHRIS: No, let's dive into the Enforcement Rule. 

Continue to Part 8 to investigate the HIPAA Enforcement Rule.