The Health Insurance Portability and Accountability Act (HIPAA) has been in existence since 1996. Meant for the protection of patients’ electronic protected health information (ePHI), this act reminds healthcare providers of the need for comprehensive patient confidentiality.
HIPAA is even more relevant in recent times. Cybercrime has become more rampant and sophisticated. The threats to data security are ever-present for healthcare providers and their business associates. Any institution that stores or transmits patient data needs to know how to keep data transfers HIPAA compliant.
What is HIPAA?
This Act acknowledges the importance of technology in improving the quality of patient care while mitigating the risks to sensitive patient information. It applies to companies that fall in several categories:
- Healthcare providers i.e. doctors, hospitals, clinics, nursing homes and pharmacies that store and transfer patient information
- Health insurance companies and government health care programs
- Billing services that work with healthcare providers
- Any business that a healthcare provider engages to help deliver services i.e. law firms, IT providers and other consultants.
What does HIPAA Require of File Transfers?
HIPAA provides a number of safeguards that dictate how ePHI should be stored, accessed and transmitted. These safeguards have all the measures you need to take to ensure that your file transfers are HIPAA compliant:
Access Control Safeguards
You are required to have a system that only allows specific individuals and programs to have access rights to sensitive data. Such a system is created by:
- Assigning unique identifiers to individuals accessing the system in order to track their activities
- Having a contingency plan that ensures uninterrupted access to ePHI in case of emergencies
- Logging off users automatically after a period of inactivity
- Encrypting ePHIs to prevent unauthorized access
You should have mechanisms of recording user activity in systems that contain ePHI. There should be a logging system that creates an audit trail for you to review and determine who accessed the patient data. Any suspicious activity will be quickly identified through the activity logs.
ePHI must be protected from unwarranted alteration and destruction. Your file transfer process should have necessary protective measures that ensure data is received as it was sent without any alteration.
You should first identify which risks are present in your system. The measures you take should be relevant to your entity. You should consider that human error can compromise the integrity of ePHI.
Your system should be able to verify that a person seeking to access data is who he claims to be. This can be done through access tokens, pins, biometric access or passwords.
ePHI that is transmitted over networks must be safeguarded. You should ensure that the information is not altered in transit and that it is secured. A simple way of achieving this is by using secure file sharing options.
Google Drive, Dropbox, and WeTransfer are all examples of commercial solutions that can be used. They offer a degree of security while transmitting files. It is important to note that none of these solutions are HIPAA compliant as a standalone measure. However, when used in HIPAA compliant ways, they are a perfect addition to any entity.
In order to be HIPAA compliant, entities must commit to 5 safeguards. These are access control, system audits, data integrity, authentication and secure transmission. While observing each of these safeguards, an entity will automatically secure ePHI. Entities must acknowledge the role played by human error, and mitigate it. None of these measures will be effective without staff that are knowledgeable on how to store and transmit ePHI in a secure manner.