Chris Reddick (president, CEO, and co-founder of Clarity Ventures) and Ron Halversen (vice-president sales and marketing) continue their discussion of HIPAA compliance.  

Part 2 of a 4-part series.

CHRIS REDDICK: If you were to just completely summarize [the HIPAA Security Rule] down, it's basically saying that you follow industry best practices to ensure that the data that you're storing is physically secure, it's technically secure, and then because administrators have access to it, there are safeguards so that the administrators have limited access, and there are safeguards to prevent if their accounts get hacked or what have you, their accounts from accessing things without having multifactor and other forms of authentication. And so it's kind of like we're putting a vault around this data, and we're doing it from a physical perspective, literally. We're doing it from a technical perspective, so kind of digital security. And then we're also making sure that the folks who can access the vault are properly validated before they can get in and—

RON HALVERSEN: That can even include rules about who gains access and how they assign and give access to other people as well.


CHRIS: That's right. Yeah. And this ultimately ends up resulting in a lot of confusion in the industry about what exactly that means. What is it that security is, where does it begin, and where does it end? How can you say that your system is meeting these standards of security, the HIPAA Security Rule? And the reality is, technically, there isn't a literally 100% clear-cut compliance audit that the government does, and in their enforcement, it's not literally just make or break one way or the other. The general concept, though, is that data does need to be encrypted at rest, and the resources that are in place to set up the physical safeguards need to be very secure. So generally, this is going to be similar to the level of security that you would see with the payment card industry, PCI DSS, the Payment Card Industry Data Security Standard.

And so in addition to the physical security, and like you were saying, Ron, some of this administrative security on the technical side, there are constantly breaches. Everyone hears about them all the time, where ransomware is taking over large oil refineries or oil distribution companies, or possibly crippling healthcare organizations directly, or there's malware and things like this, and people's accounts get hacked into. So this is a real, legitimate concern that there need to be actual technical safeguards in place. And probably the best way to look at this is that it's an ongoing effort. In order to ensure that the Security Rule is met, you're going to want to incorporate ongoing maintenance and patching of whatever software you have, and actually have a plan, and document the plan, and then actually execute on that plan to keep your software up to date.

So whenever you have ePHI data directly, or you're working with a vendor that does have that data, you need to make sure that you or the vendor or vendors actually comply with the Security Rule. And the Security Rule is ultimately going to be more and more complex if you have a lot more complex scenarios: if you're dealing with a lot more robust sets of data, and you're transferring it between different locations, that becomes more complex. So you need to budget and allocate resources based on the complexity. If it's a simple form, like you were saying, Ron, it really needs to be something that the company is aware of, the covered entity or the organization is aware of, but they probably don't need to put a huge budget out there; there are some nice SaaS-based offerings, right?

RON: Yeah. Yeah. The thing I always see where our clients make the mistake is, they come to us, they ask for a HIPAA-compliant website, we put it in place, and off they go, and they're like, great, we're done, and they don't have any of that ongoing stuff, and then they don't necessarily engage us for ongoing maintenance. Fortunately, I haven't seen any of our HIPAA-compliant sites ever be breached; however, the handful of clients that I have seen in my almost 10 years here whose sites have been hacked, they were sites that we did seven years ago, and then they did their own internal maintenance, but like you just literally explained, they didn't stay up on the patches, they didn't have a plan in place, a security officer wasn't assigned to ensure that specific protocols were met, and sure enough, over six or seven years, they either missed a patch or got lazy, and boom, their site got hit.

So this is much more important, because it's not just your information on your website anymore; you're literally talking about patients' data that is protected by government law, and you have to have a really good plan in place for ongoing maintenance and continued improvements. As technology changes, your securing of this data has to change with it.


CHRIS: That's right. Well said. And there are other details here that you can see in the bullets around logging and some of the other safeguards, but let's continue on and let's talk about the next tenet, which is the Privacy Rule. And Ron, I would love for you to just share your thoughts on the Privacy Rule from a high level for folks.

RON: Right. So I think all of you have been to the dentist or the doctor, and one of the first things they do when you fill out that first paperwork, one of the papers is, you get a copy of their privacy rule, and you have to sign it, and you've read it. And I don't think anybody ever reads it, but this is really one of the reasons why they do that: they understand that they're going to collect some protected health information from you as you go in for your appointment, so one of the pieces of paper they give you is a copy of their HIPAA privacy policy, and they have to do that. And you typically either sign your name to the bottom of that, or sometimes they'll have you initial it. I've seen both. And that privacy policy states what they can and can't do with your data.

So at my dentist's office, there's more than one dentist in that office, so one of the things in their privacy policy says, hey, my dentist can share this information with any other person in their office on staff, but they will not share it with anybody outside unless explicit permission's been given, like when I had to go in for... well, I just had my wisdom teeth out earlier this year, and they referred me to somebody else. And my dentist had already done all the x-rays and everything like that, so I had to literally sign a form to consent to them releasing... Because they're protecting the privacy of my data, to release that data to my orthodontist who took out my teeth. So the privacy rule is going to be different for many different organizations, depending on how they're collecting the data, what data they're holding, and what they might do with the data. A hospital might have in their policy the ability to share with any doctors that come and practice at their facility, whereas your general doctor may only have himself and his handful of nurses or physician assistants, et cetera.

CHRIS: Yeah. And it's interesting, because one of the things about the Privacy Rule is, like you said, Ron, it's kind of notifying the patient, it's making sure that... it somewhat ties into the Security Rule, where we're basically notifying the patient of what their rights are, and what we're using it for as a covered entity and as partners of the covered entity, but we're also doing some other key things with the Privacy Rule. So it kind of ties back into the Security Rule, but we're allowing the patient to actually go in and see changes and be able to transport this to another provider securely. So being able to do things like that, where they can actually request to export the data, and they can actually request to have the data removed from the system as well.

So if you can think of scenarios where there might be PHI data, and that's a key part of a business workflow, you want to be able to think about how you can continue to operate that business workflow while, literally with full integrity, removing that data if a patient requests to remove their data. So they need to be able to have their data removed at will. And sometimes, depending on the use case scenario, this type of scenario might only really typically occur with a pretty complex system where someone's interacting quite often, but as you can imagine, if there are any issues, there does need to be a breach notification where, if there is a breach of some kind and the sensitive data is leaked, there needs to be a notification to the patients.

And so that means that they may have quite a few of them that request to have their data removed from the system. So these are things that need to be baked in upfront, with at least some reasonable plan to be able to deal with that. It doesn't have to necessarily be fully automated, but they do need to have the ability to get their data out of the system upon request.

Continue to Chapter 3 to learn about HIPAA breaches.