HIPAA, short for the Health Insurance Portability and Accountability Act of 1996, is a federal law established by the U.S. Department of Health and Human Services (HHS) to create a set of security standards and general requirements for the safety of protected health information (PHI) and electronic protected health information (ePHI).
Fines may reach $1.5 million or more for covered entities (those dealing with PHI and ePHI) who fail to comply with HIPAA.
Any Google search query containing “HIPAA” will likely return a plethora of professional HIPAA consultants in the business of helping companies navigate the large, dated, and difficult-to-interpret documents in order to obtain HIPAA compliance. It should be noted that any seal of “HIPAA certification” does not grant immunity from being inspected and audited by the HHS, as they do not recognize HIPAA certifications of any kind.
Why we care about HIPAA at PubNub
Realtime technology is revolutionizing every industry, enabling realtime interaction – such as chat, conferencing, or collaboration – as well as analytics, visualization, telemetry, geolocation tracking, and more.
We recognize realtime technology is especially important in the healthcare and safety industries, where every second can make the difference between life and death. Whether the use case is powering emergency vehicle tracking and management, realtime communication between doctors and patients, doctors and nurses, or even keeping staff and referring physicians connected despite belonging to completely different healthcare organizations – it is a legal requirement that any private health information be protected and streamed in a secure manner.
We take this very seriously, which is why we’re the only HIPAA-compliant realtime messaging provider; it is why we offer a complete suite of security features at no cost; and it is why every employee is mandated to pass a regular security and privacy training.
We’ve built a realtime programmable network so developers can focus on what they’d rather do – innovate in their applications – without having to worry about the ‘plumbing’, i.e., whether or not the infrastructure is secure, scalable, and reliable. With that, we’ve worked hard to ensure it is also HIPAA-compliant, so those needing to stream or store sensitive health information can safely use PubNub as their realtime infrastructure.
What does it take to be HIPAA-compliant?
Businesses wishing to be compliant must observe the four HIPAA rules: Privacy, Security, Enforcement, and Breach Notification.
The Privacy Rule gives patients important rights regarding their PHI, and identifies proper use and disclosure of PHI for patient care and other purposes.
The Security Rule outlines the necessary physical, technical, and administrative safeguards for securing ePHI. As such, it is extremely relevant to data stream networks and will be the primary focus of this post.
The Enforcement Rule is, as the name implies, concerned with enforcing HIPAA. It deals with compliance, investigations, penalties for violations, and procedures for hearings.
The Breach Notification Rule requires “HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”
The Security Rule: Physical, Technical, and Administrative Safeguards
The Physical Safeguard standards of the Security Rule were developed to protect against physical vulnerabilities of a covered entity’s buildings and electronic IT equipment, such as susceptibility to natural or environmental disasters and unauthorized intrusion. Examples of physical safeguards include proper disposal of electronic media containing ePHI – such as degaussing or causing irreparable physical damage – so that it is completely unusable and/or inaccessible, or, if the media is to be reused, proper procedures for complete removal of ePHI from the electronic media.
The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Access Control is the first technical safeguard, requiring covered entities to implement procedures such that only authorized users or programs can access ePHI.
Some of the implementation specifications of the Access Control standard include: unique user identification, so that all users can be tracked and held accountable for any actions performed on ePHI; an emergency access procedure for obtaining ePHI during an emergency; and encryption and decryption of ePHI.
PubNub provides multiple layers of security for customers to ensure HIPAA compliance in their application:
- Attack Prevention: No inbound open ports are required, as all connections to PubNub are outbound from the client. Additionally, PubNub has intelligent data center routing in place to thwart any regional attacks
- Encryption: Point-to-point network TLS encryption and end-to-end message 256-bit AES encryption
- Authorization: Granular read and write access control with optional TTLs and the ability to revoke permissions
What if one of your data stream endpoints containing ePHI data – e.g. an individual user’s smartphone – is compromised? PubNub enables you to immediately block any device as soon as you anticipate a security threat or detect unauthorized access. Furthermore, traffic can be separated into channels with different access levels, restricting channels requiring the highest levels of clearance to only a small subset of devices.
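The access-control behaviour described above (per-device grants on separate channels, each with read/write flags and a TTL, plus revocation and outright blocking of a compromised device, with every change recorded against a unique device identity) can be modelled in a few lines. This is an added illustrative model, not PubNub's SDK or API; the device ids, channel names and timestamps are constructed sample values.

```python
"""Illustrative model of TTL-bound, per-channel grants with revoke and block.

Not PubNub's code: a self-contained stand-in for the semantics the post
describes. Device ids, channels and times below are constructed samples.
"""
import time
from dataclasses import dataclass, field


@dataclass
class Grant:
    read: bool
    write: bool
    expires_at: float  # epoch seconds; the grant is void at or after this


@dataclass
class AccessPolicy:
    grants: dict = field(default_factory=dict)   # (device_id, channel) -> Grant
    blocked: set = field(default_factory=set)    # devices denied everything
    audit: list = field(default_factory=list)    # who changed what, and when

    @staticmethod
    def _now(now):
        return time.time() if now is None else now

    def grant(self, device_id, channel, read, write, ttl_seconds, now=None):
        # A grant is scoped to one device on one channel and expires on its own.
        now = self._now(now)
        self.grants[(device_id, channel)] = Grant(read, write, now + ttl_seconds)
        self.audit.append(("grant", device_id, channel, now))

    def revoke(self, device_id, channel, now=None):
        self.grants.pop((device_id, channel), None)
        self.audit.append(("revoke", device_id, channel, self._now(now)))

    def block_device(self, device_id, now=None):
        # A suspected-compromised endpoint is cut off regardless of its grants.
        self.blocked.add(device_id)
        self.audit.append(("block", device_id, "*", self._now(now)))

    def allowed(self, device_id, channel, op, now=None):
        """Return True only if an unexpired grant permits `op` on `channel`."""
        if device_id in self.blocked:
            return False
        g = self.grants.get((device_id, channel))
        if g is None or self._now(now) >= g.expires_at:
            return False  # no grant for this channel, or its TTL has elapsed
        return {"read": g.read, "write": g.write}.get(op, False)
```

Each channel carries its own clearance: a device granted the low-sensitivity channel gains nothing on a higher-clearance one unless explicitly granted there too.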
Lastly, the Administrative Safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The standards of the Administrative Safeguards make up over half of the Security Rule requirements, and include, in part:
- Security Management Process
  - Identifying, measuring, and reducing security risks
  - Applying appropriate sanctions on workforce members for failing to comply
  - Regularly reviewing information system activity (audit logs, access reports, etc.)
- Information Access Management & Workforce Security
  - Ensuring all employees have appropriate access to ePHI, and preventing those employees who should not have access from obtaining access to ePHI
- Security Awareness and Training
  - Employees must be trained on adhering to and enforcing the security of ePHI
- Security Incident Procedures
  - Addressing any attempted or successful unauthorized “access, use, disclosure, modification, or destruction of information or interference with system operations in an information system”
- Contingency Plan
  - Establishing plans for recovering access to ePHI after an emergency or other occurrence
- Business Associate Contracts and Other Arrangements
  - Requirements for agreements permitting business associates to create, receive, maintain, or transmit ePHI on behalf of covered entities
For a full list, please see the HIPAA Administrative Safeguards document.
The last standard is particularly relevant: every covered entity must have a written agreement with each of its business associates, or else it is not compliant with HIPAA regulations. Upon customer request, PubNub will enter into a Business Associate Agreement (BAA).
Beyond HIPAA Compliance
PubNub has been HIPAA-compliant since 2015, and is the only HIPAA-compliant realtime network. We have many customers in the healthcare industry, such as Pager and Physician Attendant, who have chosen PubNub for their realtime needs.
Outside of HIPAA, PubNub has taken additional strategies to ensure compliance with other data privacy laws:
- EU-Only Data Storage: PubNub provides an option for any keyset to persist its data only in (at least two) EU-hosted data centers. Without this setting, by default, the customer’s data is persisted and replicated to multi-regional (multinational) data centers.
- Model Clauses: By request from any PubNub customer on a large scale plan, PubNub will enter into standard contractual clauses as provided by Articles 25 and 26 of the EU Data Privacy Directive 95/46/EC (known as “Model Clauses”) to allow for lawful transfer of personal data from the EU to the United States. PubNub has secured reciprocal Model Clauses agreements from all its hosting providers.
- EU-US Privacy Shield: PubNub has self-certified its participation in the EU-US Privacy Shield.
Since it was first enacted, HIPAA continues to be updated: it was strengthened with the HITECH Act in 2009, and later with the Omnibus Rule in 2013 (these increased penalties and protection requirements).
As we move and store more sensitive data (e.g. electronic health information), covered entities (e.g. healthcare businesses and organizations) need to ensure that they, as well as all of their business associates, are taking care of that data. Complying with the standards laid out in HIPAA and its subsequent amendments is critical to protecting health information and avoiding hefty fines.