HIPAA, short for The Health Insurance Portability and Accountability Act of 1996, is a federal law established by the U.S. Department of Health and Human Services (HHS) to create a set of security standards and general requirements for the safety of protected health information (PHI) and electronic protected health information (ePHI).
Fines may reach $1.5 million or more for covered entities (those dealing with PHI and ePHI) who fail to comply with HIPAA.
Any Google search query containing “HIPAA” will likely return a plethora of professional HIPAA consultants in the business of helping companies navigate the large, dated, and difficult-to-interpret documents in order to obtain HIPAA compliance. It should be noted that any seal of “HIPAA certification” does not grant immunity from being inspected and audited by the HHS, as they do not recognize HIPAA certifications of any kind.
Real-time technology is revolutionizing every industry, enabling real-time interaction – such as chat, conferencing, or collaboration – as well as analytics, visualization, telemetry, geolocation tracking, and more.
We recognize real-time technology is especially important in the healthcare and safety industries, where every second can make the difference between life and death. Whether the use case is powering emergency vehicle tracking and management, real-time communication between doctors and patients, doctors and nurses, or even keeping staff and referring physicians connected despite belonging to completely different healthcare organizations – it is a legal requirement that any private health information be protected and streamed in a secure manner.
We take this very seriously, which is why we’re the only HIPAA-compliant real-time messaging provider; it is why we offer a complete suite of security features at no cost; and it is why every employee is required to pass regular security and privacy training.
We’ve built a real-time programmable network so developers can focus on what they’d rather do – innovate their applications – without having to worry about the ‘plumbing’, that is, whether or not the infrastructure is secure, scalable, and reliable. With that, we’ve worked hard to ensure it is also HIPAA-compliant, so those needing to stream or store sensitive health information can safely use PubNub as their real-time infrastructure.
Businesses wishing to be compliant must observe the four HIPAA rules: Privacy, Security, Enforcement, and Breach Notification.
The Privacy Rule gives patients important rights regarding their PHI, and identifies proper use and disclosure of PHI for patient care and other purposes.
The Security Rule outlines the necessary physical, technical, and administrative safeguards for securing ePHI. As such, it is extremely relevant to data stream networks and will be the primary focus of this post.
The Enforcement Rule is, as the name implies, concerned with enforcing HIPAA. It deals with compliance, investigations, penalties for violations, and procedures for hearings.
The Breach Notification Rule requires “HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”
The Physical Safeguard standards of the Security Rule were developed to protect against physical vulnerabilities of a covered entity’s buildings and electronic IT equipment, such as susceptibility to natural or environmental disasters, and unauthorized intrusion. Some examples of physical safeguards include: proper disposal of electronic media containing ePHI – such as degaussing or causing irreparable physical damage – so that it is completely unusable and/or inaccessible; or, if the media is to be reused, then proper procedures for complete removal of ePHI from electronic media.
The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Access Control is the first technical safeguard, requiring covered entities to implement procedures such that only granted users or programs can access ePHI.
A couple of specifications of the Access Control standard include: unique user identification, such that all users can be tracked and held accountable for any actions performed on ePHI; an emergency access procedure for obtaining ePHI during an emergency; and encryption and decryption of ePHI.
PubNub provides multiple layers of security for customers to ensure HIPAA compliance in their application:
What if one of your data stream endpoints containing ePHI data – e.g. an individual user’s smartphone – is compromised? PubNub enables you to immediately block any device as soon as you anticipate a security threat or detect unauthorized access. Furthermore, traffic can be separated into channels with different access levels, restricting channels requiring the highest levels of clearance to only a small subset of devices.
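As a constructed illustration of the channel-level access model and immediate device blocking described above (and of the unique user identification requirement from the Access Control standard), the following is an added example in plain Python; it is not PubNub's Access Manager API or any of the project's own code. Channel names, clearance tiers and device identifiers are assumptions. It keeps a per-device grant with a clearance level and TTL, denies by default, lets a block take effect on the very next check regardless of remaining TTL, and records every decision against the device identifier so actions on ePHI channels can be audited.

```python
import time
from dataclasses import dataclass, field

# Constructed channel tiers: higher number = higher clearance required.
CLEARANCE = {"public-alerts": 0, "ward-chat": 1, "patient-vitals": 2}


@dataclass
class Grant:
    clearance: int      # highest tier this device may read
    expires_at: float   # epoch seconds; grants are time-limited


@dataclass
class AccessGate:
    grants: dict = field(default_factory=dict)   # device_id -> Grant
    blocked: set = field(default_factory=set)    # devices revoked outright
    audit: list = field(default_factory=list)    # (time, device, channel, allowed, reason)

    def grant(self, device_id, clearance, ttl_seconds, now=None):
        now = time.time() if now is None else now
        self.grants[device_id] = Grant(clearance, now + ttl_seconds)

    def block(self, device_id):
        # Immediate revocation: a compromised endpoint is cut off on the
        # next check even if its grant still has TTL remaining.
        self.blocked.add(device_id)
        self.grants.pop(device_id, None)

    def can_access(self, device_id, channel, now=None):
        now = time.time() if now is None else now
        allowed, reason = True, "ok"
        if device_id in self.blocked:
            allowed, reason = False, "blocked"
        elif channel not in CLEARANCE:
            allowed, reason = False, "unknown-channel"   # default deny
        else:
            g = self.grants.get(device_id)
            if g is None:
                allowed, reason = False, "no-grant"
            elif g.expires_at <= now:
                allowed, reason = False, "expired"
            elif g.clearance < CLEARANCE[channel]:
                allowed, reason = False, "insufficient-clearance"
        # Every decision is tied to the unique device identifier for accountability.
        self.audit.append((now, device_id, channel, allowed, reason))
        return allowed
```

The audit list is the piece a reviewer would check first: it shows who touched which channel and why a request was refused, which is what unique user identification is meant to make possible.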
Lastly, the Administrative Safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The standards of the Administrative Safeguards make up over half of the Security rule requirements, and partly include:
For a full list, please see the HIPAA Administrative Safeguards document.
The last standard is particularly relevant: every covered entity must have a written agreement with each of its business associates, or else it is not compliant with HIPAA regulations. Upon customer request, PubNub will enter into a Business Associate Agreement (BAA).
PubNub has been HIPAA-compliant since 2015, and is the only HIPAA-compliant real-time network. We have many customers in the healthcare industry, such as ZOLL and MedX, who have chosen PubNub for their real-time needs.
Outside of HIPAA, PubNub has taken additional strategies to ensure compliance with other data privacy laws:
Since it was first enacted, HIPAA continues to be updated: it was strengthened with the HITECH Act in 2009, and later with the Omnibus Rule in 2013 (these increased penalties and protection requirements).
As we move and store more sensitive data (e.g. electronic health information), covered entities (e.g. healthcare businesses and organizations) need to ensure that they, as well as all of their business associates, are taking care of that data. Complying with the standards laid out in HIPAA and its subsequent amendments is critical to protecting health information and avoiding hefty fines.