HIPAA technical safeguards: how to stay compliant in a fast-moving, post-COVID world

Year after year, Wings of Hope, a St. Louis-based aviation nonprofit and long-term client of ours, flies hundreds of patients to transformative medical care completely free of charge. Over the past six decades, it has gone from one plane delivering supplies to a drought-stricken region in northwest Kenya to operating a full-fledged medical air transport service in 29 states in the US, completing some 150 humanitarian projects in 47 countries across the globe, and earning two Nobel Peace Prize nominations.

Running a medical transport system, however, also means that the organization has to go over medical records and have the right physical, network, and process security measures in place to safeguard protected health information while in storage, transit or being accessed. “We have to ascertain that we can serve our patients safely and effectively. That’s why each potential patient must submit their medical information to our medical staff for review. This information is subject to HIPAA compliance rules and must be stored securely,” explains Mark Cutler, IT Support Volunteer at Wings of Hope.

But what are the safeguards under the HIPAA? What’s the difference between the various types of safeguards? And how can HIPAA-covered entities address technical safeguards that are often the most difficult to comprehend and implement?

Tackling HIPAA diligence: a crash course on the key concepts

The Health Insurance Portability and Accountability Act, HIPAA for short, was passed by the US Congress and signed into law by President Bill Clinton in 1996. Fun fact: its primary objective had little to do with protecting health information. The original bill, also known as Public Law 104-191, was created to help more Americans get health insurance coverage and prevent employees from losing their health insurance between jobs. Plus, to fight waste, fraud, and abuse in health insurance and healthcare delivery.

However, policymakers understood that advances in digital technology had started eating away at the privacy of personal information in the healthcare space. This is how the HIPAA Privacy Rule came to be in December 2000, followed by the HIPAA Security Rule in February 2003, to set national standards for the protection of individually identifiable health information and to protect the confidentiality, integrity, and availability of electronic protected health information, or e-PHI, respectively.

“Today, providers are using clinical applications such as computerized physician order entry systems, electronic health records, and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications,” explains the US Department of Health and Human Services (HHS). “While this means that the medical workforce can be more mobile and efficient, the rise in the adoption rate of these technologies increases the potential security risks.”

To make sure these vulnerabilities are patched, the HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Asking the tough question: are you a HIPAA-covered entity?

Yes, if you’re in the business of transmitting protected health information for transactions for which the Department of Health and Human Services has adopted standards, HIPAA Journal advises. Meaning health plans as well as healthcare providers and clearinghouses who handle healthcare claims and status, payment and remittance advice, benefits coordination, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization.

Business associates of HIPAA-covered entities essentially count as HIPAA-covered entities themselves as long as they provide service to such organizations which requires them to have access to, store, use, or transmit protected health information. Think: third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms, EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.

The three safeguards of the HIPAA Security Rule: administrative, physical, and  technical safeguards, explained

Administrative safeguards include “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” In other words: the protocols and workflows covered entities must have in place to keep PHI safe rather than actual physical or technical requirements, points out the American Medical Association.

Physical safeguards, by contrast, cover access to both the physical structures of a covered entity and its electronic equipment, be they buildings, equipment, or information systems. In this regard, covered entities’ duties are two-fold. First, they must limit physical access to their facilities without limiting authorized access. Second, they must set out rules for the proper use of workstations and devices, as well as for the transfer, removal, disposal, and re-use of electronic media, to ensure protection of electronic protected health information.

The HIPAA technical safeguards are related to the technology, plus relevant policies and procedures that covered entities should implement to protect e-PHI and control access to it, such as audit controls, user verification, and automatic log-off. They also make it clear that encryption is key in fending off unauthorized use and disclosure and must be applied if, having completed a risk assessment, an entity deems it a suitable safeguard in its risk management of the confidentiality, integrity, and availability of electronic protected health information.

A breakdown of technical security controls: from audit to access control standards

Technical safeguards of HIPAA’s Security Rule are based on four pillars.

1. Access controls
   Covered entities must grant users rights and privileges to access and perform job functions using information systems, applications, programs, or files. At the same time, users should only access the minimum necessary information needed to perform such functions.
2. Audit controls
   This standard requires covered entities to implement hardware, software, and relevant protocols to log and monitor access and other activity in information systems that contain or use e-PHI. Translation: they must be able to track and report on who accessed what data and when.
3. Integrity controls
   A primary goal of the Security Rule, this standard aims to ensure that e-PHI is not improperly altered or destroyed. Data integrity can be compromised by technical or non-technical sources, by accident or on purpose, with or without human intervention, jeopardizing clinical quality and patient safety.
4. Transmission security
   Under the fourth standard of the HIPAA technical safeguards, covered entities must review and apply technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

HIPAA technical safeguards compliance: easier said than done?

Handling e-PHI is both high stakes and high risk. In the black market, stolen health credentials can go for $1,000 each. To put this number in context: credit card numbers, including CVV, are a steal (pun intended) for $5, let alone social security numbers, which you can buy for just $1. No wonder that the number of healthcare data breaches has skyrocketed over the past few years, fueled, among other things, by the coronavirus pandemic.

In a 2020 joint advisory, for example, the cybersecurity analysts of the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Health and Human Services warned of a new wave of cybercrime attacks against hospitals and healthcare providers through TrickBot and BazarLoader malware as well as of ransomware attacks, data theft, and the disruption of healthcare services in their wake.

In fact, the HHS has issued a factsheet about ransomware attack prevention and recovery as early as 2016, citing a 300% increase in daily ransomware attacks within a single year. Yet, according to Forbes, the healthcare industry continues to rank among the most vulnerable industries to cyberattackers and, a recent IBM study has found, tops the list of sectors with the highest average breach costs at a staggering $7.13 million.

HIPAA encryption standards: better too safe than sorry

To avoid data breaches, healthcare institutions and business associates must find ways to keep abreast of technological advancements – both in their industry and the cybercrime landscape. And move beyond regulatory compliance, if needed.

Case in point: HIPAA encryption requirements. Under the transmission security standard, encryption falls into the category of “addressable” implementation specifications. Not required, however, doesn’t mean “not needed” by a long shot.

According to HIPAA Journal, “One of the reasons why the HIPAA encryption requirements are vague and open to interpretation is that, when the original Security Rule was enacted, it was acknowledged that technology advances. What may be considered appropriate encryption standards one day, may be inappropriate another.” HIPAA encryption requirements are technology-neutral, not ignorant, by design. Covered entities, however, should be neither.

As per HHS recommendations, they should assess how and how often they transmit e-PHI, and, based on the HIPAA risk analysis, if encryption is needed to protect e-PHI in transit and what encryption methods would be best to protect the transmission.

Tresorit’s secure file storage and sharing solution is in full compliance with HIPAA requirements, allowing health care professionals to access files anywhere and collaborate in and outside of their organizations, while keeping protected health information safe and sensitive patient records secure. Replacing risky email attachments and file transfer methods is nothing short of a game-changer for patient safety and quality of care.

“Tresorit lets us share documents with people outside of our user group and the organization through secure Share Links. Creating Share Links are much easier for us than using a separate system for sending secure emails. I just set up a secure Share Link and send it in a regular email. Easy as that,” says Seth Breeden, COO of ACPN.

Short for America's Choice Provider Network, Nevada-based health care savings provider ACPN covers 50 states, as well as Canada, the Dominican Republic, Guam, Mexico, and Puerto Rico. It has been joined by more than 1,700 payers so far, and over 28 million American and 750,000 international patients have access to their services.
With growth at this rate, however, there was another thing the company saw a rapid rise of: data. Seth explains: “We currently work with 300,000 different service providers, which means a ton of documentation that takes up tons of storage. It’s great that we can access all our documents through Tresorit from anywhere without having to store them locally.”