The HIPAA Privacy Rule establishes the standards for using and handling patients' information, which is called Protected Health Information (PHI). HIPAA requires the integrity and provenance of PHI to be maintained when it is shared amongst organizations, and its security and privacy regulations exist to ensure organizations adhere to the necessary standards. Here are some common IT challenges in regards to HIPAA compliance:
1. Transmission Encryption
PHI must be encrypted during transmission.
- The website must have an SSL certificate (in current practice a TLS certificate; the SSL protocol versions themselves are deprecated).
- Any page or web form that collects or displays PHI must be served over SSL.
- Any login page, and any page that transmits authorization cookies or similar credentials, must be protected by SSL.
- Where applicable, there should be no alternate, unencrypted version of pages that handle PHI available to visitors.
- SSL requires a certificate digitally signed by a trusted Certificate Authority (CA).
- Browsers ship with a pre-installed list of trusted CAs, known as the Trusted Root CA store.
- Companies must comply with, and be audited against, security and authentication standards for browsing.
- If end users submit PHI that is collected on your website, the transmission of that data must be secure (this is the hardest part to get right).
2. PHI cannot be lost: data needs to be backed up and it must be recoverable.
- All data must be securely backed up and restorable.
- All email must be backed up and restorable.
- PHI stored in backups must also be protected in a HIPAA-compliant way: with security and authorization controls, data encryption, etc.
- A restoration policy should be in effect.
3. PHI must only be accessible by authorized personnel using unique, audited
- Know everyone who has access to your site.
- You must have a Business Associate Agreement (BAA) with everyone who has access to your site.
- Examples of people who might have access: web hosting provider, marketing agency, etc.
- If a BAA was issued to a third-party company, make sure they have signed a revised agreement since the introduction of the Omnibus Rule.
- Make sure staff and anyone with access to scheduling on your site are compliant with the HIPAA security and privacy rules.
- Audit your logins.
- Alert on multiple failed logins.
- Login records need to be maintained and monitored.
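The "audit your logins" and "alert on multiple failed logins" items describe a control without showing what it looks like. The following is an added example, not code from the original page: a small Python detector that reads a constructed login audit log (the line format `timestamp user=... ip=... result=...` is an assumption for this example, not a real product's format), raises an alert when one user/IP pair reaches a threshold of failures inside a time window, and raises a second alert if that pair then logs in successfully, since a success right after a burst of failures is the record an analyst most needs to review.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit log for a patient-portal login page (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=dr.smith ip=203.0.113.5 result=SUCCESS
2024-03-01T09:05:10Z user=nurse.j ip=198.51.100.7 result=FAIL
2024-03-01T09:05:14Z user=nurse.j ip=198.51.100.7 result=FAIL
2024-03-01T09:05:19Z user=nurse.j ip=198.51.100.7 result=FAIL
2024-03-01T09:05:25Z user=nurse.j ip=198.51.100.7 result=FAIL
2024-03-01T09:05:31Z user=nurse.j ip=198.51.100.7 result=FAIL
2024-03-01T09:06:00Z user=nurse.j ip=198.51.100.7 result=SUCCESS
2024-03-01T10:00:00Z user=admin ip=192.0.2.9 result=FAIL
2024-03-01T11:00:00Z user=admin ip=192.0.2.9 result=FAIL
2024-03-01T12:00:00Z user=admin ip=192.0.2.9 result=FAIL
2024-03-01T13:00:00Z user=admin ip=192.0.2.9 result=FAIL
2024-03-01T14:00:00Z user=admin ip=192.0.2.9 result=FAIL
"""

# Assumed line format for this example: ISO timestamp, then user=, ip=, result= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one audit line into (timestamp, user, ip, result); None if malformed."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, match["user"], match["ip"], match["result"]


def detect_failed_login_bursts(log_text, threshold=5, window_seconds=600):
    """Scan the log in order and return a list of alert dicts.

    "failed_login_burst": a (user, ip) pair reached `threshold` failures within the window.
    "success_after_burst": that same pair then logged in successfully.
    """
    failures = defaultdict(deque)  # (user, ip) -> timestamps of failures still inside the window
    burst_open = set()             # pairs that currently have an open burst alert
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # malformed lines are skipped; a real pipeline would count them
        ts, user, ip, result = parsed
        key = (user, ip)
        if result == "SUCCESS":
            if key in burst_open:
                alerts.append({"kind": "success_after_burst", "user": user, "ip": ip, "at": ts})
                burst_open.discard(key)
            failures[key].clear()  # a success closes the current burst
            continue
        recent = failures[key]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()  # drop failures that fell outside the sliding window
        if len(recent) >= threshold and key not in burst_open:
            burst_open.add(key)
            alerts.append({"kind": "failed_login_burst", "user": user, "ip": ip,
                           "failures": len(recent), "first": recent[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print(alert)
```

On the sample data the default 10-minute window flags `nurse.j` (five failures in 21 seconds, then a success) and ignores `admin`, whose one failure per hour never accumulates; widening the window to five hours flags `admin` as well, which is the slow-and-steady pattern a short window misses. Keeping the log lines themselves is what makes this retrospective review possible, which is the "maintained and monitored" point above.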
4. PHI cannot be tampered with or altered.
- Only information collected and stored via your website that is encrypted and/or digitally signed is safe.
- It is up to your organization to determine the approach to tamper-proofing your data.
- Generally, using PGP, SSL or AES encryption for stored data can accomplish this very nicely and also addresses the next point.
5. Storage Encryption
PHI must be encrypted if it is stored or archived.
- Data encryption is not strictly required by HIPAA, but it is practically necessary given the size of the fines for breaches.
- Ensure all collected and stored PHI is encrypted and can only be accessed/decrypted by individuals holding the appropriate security keys.
- Use storage encryption for backups as well.
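Sections 4 and 5 above say stored PHI should be encrypted and/or digitally signed so that alteration is detectable. One caveat a practitioner should know: encryption by itself only hides the content; unless an authenticated mode (such as AES-GCM) or a separate MAC or signature is used, a modified ciphertext may still decrypt without any error. The following is an added example, not code from the original page, showing the tamper-evidence half of that picture with only the Python standard library: each stored record is wrapped in an envelope carrying an HMAC-SHA256 tag, and any edit to the stored payload (or use of the wrong key) is detected on read. The record contents and the envelope format are constructed for this example; for confidentiality at rest you would pair this with authenticated encryption from a vetted library, keyed from a key-management system rather than a key stored beside the data.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample PHI record (fictional patient, for illustration only).
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Jane Example",
    "dob": "1980-05-04",
    "appointment": "2024-03-12T10:30",
    "notes": "Follow-up visit",
}


def _canonical(record):
    # Canonical JSON (sorted keys, no whitespace) so the same content always
    # produces the same bytes and therefore the same integrity tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(key, record):
    """Wrap a record in an envelope (assumed format) carrying an HMAC-SHA256 tag."""
    payload = _canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return {
        "alg": "HMAC-SHA256",
        "payload": base64.b64encode(payload).decode("ascii"),
        "tag": base64.b64encode(tag).decode("ascii"),
    }


def open_record(key, envelope):
    """Return the record if the tag verifies; raise ValueError if it was altered."""
    if envelope.get("alg") != "HMAC-SHA256":
        raise ValueError("unsupported integrity algorithm")
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    actual = base64.b64decode(envelope["tag"])
    # compare_digest avoids leaking where the tags differ through timing.
    if not hmac.compare_digest(expected, actual):
        raise ValueError("integrity check failed: record altered or wrong key")
    return json.loads(payload.decode("utf-8"))


def is_intact(key, envelope):
    """True if the envelope verifies under `key`, False for any integrity failure."""
    try:
        open_record(key, envelope)
        return True
    except (ValueError, KeyError):
        return False


def modify_payload(envelope, field, new_value):
    """Simulate an unauthorized edit to one field of the stored payload made
    without the key (a bug, a compromised host, a bad migration); the original
    tag is left in place, so verification must now fail."""
    record = json.loads(base64.b64decode(envelope["payload"]))
    record[field] = new_value
    altered = dict(envelope)
    altered["payload"] = base64.b64encode(_canonical(record)).decode("ascii")
    return altered


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, never stored beside the data
    env = seal_record(key, SAMPLE_RECORD)
    print("verifies:", open_record(key, env) == SAMPLE_RECORD)
    print("edited copy intact:", is_intact(key, modify_payload(env, "dob", "1990-01-01")))
```

The same check applies to backups: verifying tags on restore is a cheap way to confirm that the archived copy is the one that was written, which ties the "restoration policy" in section 2 to the integrity requirement here.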
6. All PHI must be permanently erased when it is no longer required.
- Consider all of the places where the data could have been backed up or archived.
- Have protocols for deletion.
- Keep an inventory of devices and software.
7. Business Associates
You must have a signed HIPAA Business Associate Agreement with every vendor that touches your PHI.
- If your website or data is hosted on a vendor's servers, HIPAA (first in HITECH and subsequently in the Omnibus Final Rule) requires that you have a signed, up-to-date Business Associate Agreement.
- It is up to you to ensure that your site is designed and managed in a way that is compliant with HIPAA.
- Choosing a HIPAA-compliant provider will not make your website HIPAA compliant unless you and your designers also take all of the steps to ensure that it is.