Technology plays an indispensable role in data management. There are very few companies still lugging around physical files containing employee and client information. Even so, technology adds vulnerabilities that did not exist before. People can now access files remotely. HIPAA technical safeguards, which are part of HIPAA's Security Rule, have emerged to prevent data misuse and ensure that companies properly manage protected health information (PHI).
The Five Technical Safeguards
As defined in the HIPAA Administrative Simplification Regulation Text, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Covered entities must implement the following five technical safeguards to ensure HIPAA compliance.
Access Control
One of the easiest ways to prevent HIPAA violations is to focus on who has access to what information. This control prevents unauthorized access to PHI. Data can get compromised if people fail to lock their workstations when they leave. Organizations can add an extra layer of protection by ensuring employees who have access to PHI have separate logins. This step makes it much easier to track the digital crumbs a specific user leaves behind and see where unsafe behaviors and vulnerabilities lie.
Access control will only be successful if all employees understand company policies on compliance. So, employee training is essential. Proper training is the best way to ensure employees understand why safeguarding information is essential and how small mistakes can lead to big problems.
Audit Controls
While access control ensures that users leave breadcrumbs behind, audit controls are responsible for tracking them. There are several ways to accomplish this. One of the most common is to record activity related to the access and use of files that contain electronic PHI. It is important not to wait until a complaint surfaces to examine this information. Proactive organizations assign the task of auditing session activities to their IT teams, managers, team leads, or even auditors who specialize in this area.
Good audit control mechanisms entail more than just collecting data. It should also be possible to generate reports when requested. This data may include how many people accessed a particular file and when. It might also cover the session activity of one specific employee who has come under suspicion for noncompliance. When noncompliance is intentional, audit reports help to protect organizations by showing that the violations were the action of one employee rather than a company-wide issue or lax policies.
Audit controls may help covered entities and investigators to uncover patterns that lead them to vulnerabilities. Sometimes this is unintentional. For example, a new employee may not fully understand or follow all the technical recommendations in the company policy.
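The reporting described above can be built directly on an access log. The following is an added example, not code from the original article or from PubNub: it parses a few constructed log lines (the line format, user names, and record identifiers are all invented for illustration), answers "how many people accessed this file and when", pulls one employee's session activity for review, and flags accesses outside an assumed business-hours window so the IT team reviews them proactively rather than waiting for a complaint.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log lines (not from any real system). Each line
# records who touched which ePHI record, when, and what they did.
SAMPLE_LOG = """\
2024-03-04T08:15:02 user=jdoe action=view record=PT-1001
2024-03-04T08:17:45 user=jdoe action=update record=PT-1001
2024-03-04T09:02:10 user=asmith action=view record=PT-1001
2024-03-04T11:40:33 user=asmith action=view record=PT-2002
2024-03-04T23:12:09 user=bjones action=view record=PT-1001
2024-03-04T23:14:51 user=bjones action=export record=PT-3003
"""

# Hypothetical line format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def accesses_per_record(events):
    """For each record: how many distinct users accessed it and at what times."""
    report = defaultdict(lambda: {"users": set(), "times": []})
    for ev in events:
        entry = report[ev["record"]]
        entry["users"].add(ev["user"])
        entry["times"].append(ev["ts"])
    return {
        rec: {"user_count": len(v["users"]), "times": sorted(v["times"])}
        for rec, v in report.items()
    }


def session_activity(events, user):
    """All events for one user, oldest first, for reviewing an individual's activity."""
    return sorted((ev for ev in events if ev["user"] == user), key=lambda ev: ev["ts"])


def flag_after_hours(events, start=time(7, 0), end=time(19, 0)):
    """Return events outside the assumed business-hours window for proactive review."""
    return [ev for ev in events if not (start <= ev["ts"].time() < end)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for rec, info in accesses_per_record(events).items():
        print(rec, info["user_count"], "distinct users; first access", info["times"][0])
    for ev in flag_after_hours(events):
        print("after-hours:", ev["ts"], ev["user"], ev["action"], ev["record"])
```

The business-hours window is an assumption; a real deployment would take it from policy and would also correlate against the user's role and assigned patients, but the shape of the report (per-file counts, per-user timelines, a short list of items to review) is what auditors ask for.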
Integrity
HHS defines data integrity as the characteristic of data that has not experienced “improper alteration or destruction.” HHS identifies patient safety as one of its primary concerns in these instances. Missing or altered information could cause someone to receive an incorrect diagnosis, treatment, or medication.
Professionals are most likely to suspect malicious behavior on the part of someone else, such as a hacker or medical staff member. However, data can become corrupted on its own. A glitch in the system or an error while saving the file can create unauthorized and unintentional changes.
One of the best ways to maintain data integrity is to store all your PHI data off-site for at least six years. The data should be stored in its original format and should not be modifiable. Any new data may warrant the creation of a new file.
Person or Entity Authentication
To comply with access control, audit control, and integrity, covered entities need to invest in authentication features. There are several ways to tackle this step. The most common methods might include emailing, calling, using an app or website, or visiting the organization in person.
Authentication is just as important for patients as for employees. As discussed earlier, individual logins make it easy to track session activities. When it comes to authentication, the assumption is that a person who should not have access to certain information would not have access to a password to get into the system.
When people call, email, or visit in person, presenting evidence is essential here as well. Identifying information may include a government-issued ID with a name and a photo, Social Security number, or other personal information. Some insurance companies, for instance, may ask for date of birth or street address.
Transmission Security
One of the most difficult aspects of protecting PHI is when it is in motion. Moving data between parties—even when those parties are both authorized—creates vulnerabilities. One party may not secure the data as well as the other. They may also have weaknesses in the networks that provide them with a connection. Transmission weaknesses can make it easier for cybercriminals to intercept and steal data without ever needing to hack a company.
HHS recommends the use of two main tools to protect data during transmission. The first is integrity controls, and the second is encryption. Integrity controls help to ensure that the same data sent is the same data received. Organizations can achieve this by updating their network communications protocols. Message authentication codes are also effective.
Encryption is a little more complicated. It involves changing data from its original form to something unauthorized persons cannot understand. Organizations must also accomplish this without corrupting the integrity of the data. Thankfully, there are several types of data encryption tools available for covered entities to use.
One important thing to note is that for the encryption tools to work as intended, both the sender and receiver must have access to the same or compatible software. It is best to stick to one tool for use throughout the organization.
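The message authentication codes mentioned above, and the point that both sides must use the same tool and key, are easy to show concretely. The following is an added example, not code from the original article or from PubNub. The sender wraps a payload with a sequence number and an HMAC-SHA256 tag; the receiver recomputes the tag with its own copy of the key and compares in constant time, so any alteration in transit, a mismatched key on the receiving side, or a replayed message is rejected before the payload is used. The key value, the envelope format, and the patient record are all constructed for illustration; this shows the integrity control only and does not encrypt the payload.

```python
import hashlib
import hmac
import json

# Constructed placeholder key for this example only. Real keys are generated with
# secrets.token_bytes(32) and provisioned to both parties out of band.
SHARED_KEY = bytes.fromhex("00" * 32)
OTHER_KEY = bytes.fromhex("11" * 32)  # a receiver configured with a different key


def sign_message(key, payload, seq):
    """Sender: serialize payload + sequence number deterministically and attach an HMAC tag."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_message(key, envelope, expected_seq):
    """Receiver: check the tag in constant time, then the sequence number.
    Returns (ok, payload) on success or (False, reason) on rejection."""
    body = envelope["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the comparison first differs.
    if not hmac.compare_digest(expected, envelope["tag"]):
        return False, "tag mismatch: data altered in transit or keys differ"
    msg = json.loads(body)
    if msg["seq"] != expected_seq:
        return False, "unexpected sequence number %d (replay or loss)" % msg["seq"]
    return True, msg["payload"]


def run_exchange():
    """Walk through the cases a receiver must handle; returns their outcomes."""
    record = {"patient_id": "PT-1001", "blood_type": "A+"}  # constructed
    envelope = sign_message(SHARED_KEY, record, seq=1)

    # 1. Genuine message with matching key and expected sequence number.
    genuine = verify_message(SHARED_KEY, envelope, expected_seq=1)

    # 2. Same envelope with one field altered in transit; tag no longer matches.
    tampered = dict(envelope, body=envelope["body"].replace('"A+"', '"O-"'))
    altered = verify_message(SHARED_KEY, tampered, expected_seq=1)

    # 3. Receiver configured with a different key (the "incompatible tool" case).
    wrong_key = verify_message(OTHER_KEY, envelope, expected_seq=1)

    # 4. Valid envelope delivered a second time after the receiver moved on.
    replayed = verify_message(SHARED_KEY, envelope, expected_seq=2)

    return {"genuine": genuine, "altered": altered,
            "wrong_key": wrong_key, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, detail) in run_exchange().items():
        print(name, "accepted" if ok else "rejected", detail)
```

Serializing with sort_keys is what makes the tag reproducible on the other side; if the receiver re-encoded the payload differently, a legitimate message would fail verification, which is the practical reason the article insists on compatible software at both ends.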
Why Technical Safeguards Are Important
There are two main reasons the safeguarding of PHI is so important. The first is ethics and the second is the law. From an ethical standpoint, patients have a right to their privacy. Unauthorized access violates this right and may lead to very sensitive information getting into the wrong hands. Data corruption may negatively impact patient lives and erode your customers' trust in your company.
When it comes to the legal aspect, the HIPAA Privacy Rule makes it mandatory for companies that handle PHI to better protect this data. Companies and their employees who violate HIPAA can get sued. Fines can climb as high as $250,000. Note also that there are three types of organizations that fall under this:
- Healthcare clearinghouses
- Health plan providers
- Healthcare providers
According to HHS, the Privacy Rule does not detail what specific actions covered entities should take to protect data. It requires that companies make data security a priority. Even so, most of the five technical safeguards highlighted above follow the HHS recommendations.
How to Meet Technical Safeguard Standards
Most professionals have a general understanding of HIPAA technical safeguards, even without a background in tech. Proper implementation, on the other hand, requires strong technical know-how. For this, companies need to choose partners that bring the skills they need to the table.
At PubNub, we build APIs for clients that not only improve interconnectivity but prioritize data safety. We offer a fully customizable product to ensure we meet the needs of your company and your clients or patients. Use our contact form to get more information about how we can help to safeguard your clients' PHI.