Most people have heard of the Health Insurance Portability and Accountability Act (HIPAA), so it’s not surprising that companies dealing with digital health information must be HIPAA compliant. To be compliant, any protected health information (PHI) must be kept confidential, secure, and available, whether it is being stored or transmitted. HIPAA also requires healthcare providers to implement safeguards that protect PHI against cyber threats, security breaches, and other improper use of health data.
However, today’s websites contain increasingly complex and interactive elements, and collaboration apps and other SaaS platforms generate quickly growing stores of unstructured data. Understanding how regulations such as HIPAA affect your organization is therefore a vital first step in making sure your website and digital channels comply with archiving and preservation requirements.
What is the HIPAA Security Rule?
Under the HIPAA Security Rule, organizations must:
- Ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce
HIPAA Risk Analysis Requirements
HIPAA also requires covered entities to perform a risk analysis as part of their security management processes. Under HIPAA, risk analysis may include, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI
- Implement appropriate security measures to address the risks identified in the risk analysis
- Document the chosen security measures and, where required, the rationale for adopting those measures
- Maintain continuous, reasonable, and appropriate security protections
- Treat risk analysis as an ongoing process: review records to track access to PHI and detect security incidents, and periodically re-evaluate both the effectiveness of the security measures in place and the potential risks to PHI.
HIPAA Technical Safeguard Requirements
HIPAA also requires technical safeguards, including:
- Access Control, which requires a covered entity to implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls, which require a covered entity to implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls, which require a covered entity to implement policies, procedures, and electronic measures to ensure that e-PHI is not improperly altered or destroyed.
- Transmission Security, which requires a covered entity to implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Enterprise Information Archiving and HIPAA
All but two HIPAA enforcement actions in 2021 were the result of HIPAA Right of Access violations. The Right of Access standard gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set. When a request is received from an individual or their personal representative, the records must be provided within 30 days. As of December 2021, 25 penalties for HIPAA Right of Access violations had been issued, totaling $1,564,650. The fines range from $3,500 to $200,000.
The remaining two cases involved data breaches that caused HIPAA violations. In one, Rochester, NY-based Excellus Health Plan suffered a data breach of nearly 10 million records. According to HIPAA Journal, HIPAA’s Office of Civil Rights (OCR) “uncovered multiple HIPAA violations, including the failure to conduct an accurate and thorough organization-wide risk analysis, the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a lack of technical policies and procedures to limit data access to authorized persons and software programs. Excellus chose to settle the case and paid a $5,100,000 penalty and agreed to implement a comprehensive Corrective Action Plan to address all areas of non-compliance.”
Having an Enterprise Information Archiving (EIA) solution in place makes HIPAA compliance much easier to manage, saving time, reducing costs, and mitigating risk. And because fines for failing to comply with HIPAA can be significant (up to $50,000 per violation and $1.5 million per year, with some HIPAA violations carrying prison terms of up to 10 years), an EIA solution is worth it.
To learn more about how EIA can help with your compliance needs, download our latest guide: Enterprise Information Archiving in the Digital Age: A Guide to Satisfying Regulatory Bodies Like FINRA, HIPAA, FDA & More