The murky waters of the HIPAA security rule

By Laura Rose Lambert, Electronic records, TWH blog

Additional resources for your notebook

The text of the HIPAA law does not specifically point to a standard way to encrypt data or a type of technology to use. This aspect of the law must remain flexible to keep up with the rapid advancement of healthcare-related technology. The Department of Health & Human Services relies on the National Institute of Standards & Technology to decide what makes technology secure. Unfortunately, the documents produced by NIST are not straightforward, even for someone like me who understands the lingo. However, if you are curious, NIST has “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” The HHS also provides a list of relevant NIST documents.

NIST has also developed a program titled “HIPAA Security Rule Toolkit” that helps providers go through all the aspects of the security rule. After going through the program, I would recommend it if you already have your policies in place. It is helpful for identifying any gaps in your implementation of the HIPAA security rule.

I have found that HealthIT.gov provides slightly more straightforward answers about the expectations of healthcare providers. They have a wonderful Privacy & Security section that addresses most, if not all, of the HIPAA security and privacy rules. Their CyberSecurity section is also particularly useful.

The Office of the National Coordinator for Health IT also published a complete “Guide to Privacy and Security of Health Information” that serves as a step-by-step guide.

Evaluating a system, service or device for HIPAA compliance

As you have read, adding a new device or service to your practice is a difficult endeavor. Here are a few tips for researching whether something is “HIPAA compliant.”

Optical Vs Flash Storage by Petr Kratochvil
First, decide exactly what you need for your practice and patients. Don’t make compromises simply for HIPAA compliance. I promise you that there is a very wide range of choices and you will find something that satisfies HIPAA law and your personal needs. For example, when I shopped for online scheduling services, two-way calendar sync was an essential feature for me. I also looked for a style that would adequately match the website I spent hours to perfect. This narrowed my choices quite a bit.

Labeling & certification

Often services that are not labeled as “HIPAA compliant” are compliant; they just don’t advertise the fact, or they serve a variety of professionals who may or may not need the security and privacy standards HIPAA requires. Always ask! Often you can chat online with a sales rep and get a good feeling for how they treat customers. They should be happy to answer any and every question you have.

Is there certification?

It depends on what you are looking at. Devices and software can be NIST certified or compliant; however, it is an expensive process and this cost is usually passed along to the consumer.

An ONC Health Information Technology certification program started evaluating Health Information Technology products in October 2012. There is a current list of approved products. Of course, the great thing about this certification is you know the product adheres to meaningful use requirements and HIPAA law. But, like NIST certification, the consumer pays for the cost of certification. Keep in mind that many providers change the EHR program they use within the first year.

Cost of compliance

Don’t pay for HIPAA compliance. There is a lot of fear-based advertising among companies that have jumped on the electronic records bandwagon. Don’t let a commercial company dictate what you need or want from technology. When it comes to understanding the requirements, consult the HHS, the ONC, or an expert in the field (a lawyer).

Take the time to survey the most popular devices, software, and services for prices. From this survey you can make an informed decision about your budget. As I mentioned earlier, it is hard to know if a service, device, or piece of software is the right fit, so I find it best not to make a huge investment without at least 30 days of continuous use in your existing system.

Besides the components that I personally need from a piece of technology, there are several things I always ask vendors/companies:

  1. Do you have a HIPAA/privacy/security document or policy?
  2. What kind of HIPAA training do you do with your employees? The answer is usually in the HIPAA policy, but I like to hear it directly. This will give you a clear indication of whether they are actually making a good-faith effort to be HIPAA compliant: they have invested money into educating their workforce.
  3. Do medical professionals use your service/technology? It is helpful to deal with a company that is familiar with the problems common to a healthcare practice.
  4. What type of encryption do you use for data in transport? What do you use for data in storage? Sometimes vendors won’t be able to answer or won’t understand what you’re asking. If they can’t adequately answer this question, continue with caution. At a minimum, they should be using 128-bit Secure Sockets Layer (SSL) for transmitting data. Another standard, Transport Layer Security (TLS), is slowly but surely replacing the SSL standard. I prefer higher than 128-bit, and you can often find 256-bit encryption. 128-bit Advanced Encryption Standard (AES) is the standard for encrypting data in storage and, like encryption in transport, higher than 128-bit is always preferred but not required.
  5. Will we be signing a business associate contract? A company that refuses to sign a business associate contract is not worth the risk. Companies that work with healthcare professionals will most likely have a contract on hand; make sure everything required by HHS is present in the contract.

Comments

  1. Laura, what a wonderful breakdown of the HIPAA Security compliance process. I’m not just saying that because you quoted me, either. 😉

    I should point out that HIPAA is also not the only player in these processes. For example, clients are given leeway to accept the risks of email by HIPAA. State licensing boards or legislatures may have caveats or gotchas around that, though. My board, for example, requires email to be secured if I am to use it for therapeutic communications. Without security, I need to keep it to scheduling and other administrivia. HIPAA would let me send the client’s whole medical record by email if the client wanted it.