HIPAA security rules address the standards that must be applied as safeguards to protect data in REST and transit. This applies to all humans and systems that have access to confidential patient data. The system must implement Role Based Access Control (RBAC) which helps to define different levels of access to different entities who are accessing the ePHI like humans (researcher, patient, doctor) or systems (smart devices, mobile, tablets).

Technical SafeGuard

Technical safeguard focuses on the technology used to protect ePHI and provides access to data. The data in REST and transmit must be encrypted to NIST standards once it travels beyond the organization’s internal infrastructure. This focuses on following parameters.

Physical Safeguard

Physical safeguard focuses on physical access to ePHI irrespective of location. ePHI could be stored on remote location or on-premise data center of HIPAA covered entity. In any case, the physical location where ePHI is stored must be secured and prevent unauthorized access

Administrative Safeguards

Administrative safeguard focuses on procedures and policies which bridge privacy rules and security rules together.

HIPAA Privacy Rule

HIPAA Privacy rules focus on how ePHI should be used and disclosed. The rule demands that all required safeguard is implemented to protect a patient's personal information. The rule gives authority to patients; right of information, right to obtain a copy of information, and share the information.

As per privacy rule, covered entities must respond to patient requests within 30 days.

It is advisable to,

1. Provide training to employees
2. Ensure appropriate actions are taken to maintain the integrity of ePHI
3. Written permission is must from patients, when their health information is used for any purpose like marketing, research etc.

HIPAA Breach Notification Rule

HIPAA breach notification rule requires covered entities to notify patients when there is a breach of their ePHI. It should also be further notified to the Department of Health and Human Services (Only if breach affects more than 500 patients).

Notification notice should include:

1. Type of ePHI involved
2. If known, share unauthorized person’s details who accessed the ePHI
3. Is ePHI viewed or acquired?
4. Reason of breach and risk mitigation plan

HIPAA Omnibus Rule

HIPAA omnibus rule addresses areas that have been omitted in previous HIPAA updates.

It clears definitions, clarifies procedures and policies that are implemented for HIPAA compliance checklist to cover business associates and subcontractors.

It amends HIPPA regulation on following key areas:

1. Final amendments including penalty structure as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act
2. Updating the harm threshold and including the rule on breach notification for Unsecured Protected Health Information under the HITECH Act
3. Modification of HIPAA to include the provisions made by the Genetic Information Nondiscrimination Act (GINA) to forbid the disclosure of genetic information for underwriting purposes
4. Preventing the use of ePHI and personal identifiers for marketing purposes

HIPAA Enforcement Rule

HIPAA Enforcement Rule covers Investigation on breach of ePHI and the penalties on the entities who are responsible for breach of ePHI. As per HIPAA compliance checklist, following are penalties

?      A violation attributable to ignorance can attract a fine of $100 – $50,000

?      A violation which occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000

?      A violation due to intentional negligence which is corrected within thirty days will attract a fine of between $10,000 and $50,000

?      A violation due to intentional negligence which is not corrected within thirty days will attract the maximum fine of $50,000

HIPAA Risk Assessment Guidance

Following are guidelines for risk assessment.

1. Identify the PHI which solution creates, receives, transmits and stores
2. Identify threats to the integrity of PHI – human threats including those which are both intentional and unintentional
3. Identify the measures in place to protect against threats to the integrity of PHI, and the likelihood of a “reasonably anticipated” breach occurrence
4. Determine impact of breach and define potential occurrence of a risk level based on the average of the assigned likelihood and impact levels
5. The rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years

Thus, to comply any healthcare solution for HIPAA, following requirements should be taken care and integrated in the solution:

• Ensure Safeguards to protect PHI on physical and virtual data storage and transfer
• Limit the usage and access of information with proper access controls
• Have proper Agreements to cover functions and activities. BAA to ensure that service providers use and pass the PHI with proper access and follow the defined safeguard
• Define the training change processes, approval processes for access controls and management processes
• Setup training program for employees on PHI protection awareness, security and process explanation

During this difficult time of Covid19, utmost care should be taken about patient’s data by following strict HIPAA compliance in cloud where patient’s diagnosis and important data is stored.

About the Author

Chandani Patel is AWS Certified Solution Architect, AWS Business & Technical Professional, Technical Lead on several domains – Cloud Solutions, IoT Solutions, ML&Data Science at VOLANSYS. She is Cloud Solution Architect with expertise in designing, developing, and architecting cloud solutions for public clouds (Azure, AWS, Google & Bluemix), private clouds & hybrid clouds.