What it Means to Be HIPAA Compliant
Any company that deals with patient health records, or that provides services to companies that work with patient health information, must ensure that all of the required physical, network and process security measures are in place and followed according to the HIPAA Privacy Rule and HIPAA Security Rule. The Security Rule requires Covered Entities (and, since the HITECH Act, their Business Associates) to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting electronic protected health information (ePHI). Specifically, Covered Entities must:
- Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The HIPAA Security Rule defines “confidentiality” to mean that ePHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the HIPAA Privacy Rule’s prohibitions against improper uses and disclosures of PHI.
The Security Rule also promotes the two additional goals of maintaining the integrity and availability of ePHI. “Integrity” means that ePHI is not altered or destroyed in an unauthorized manner. “Availability” means that ePHI is accessible and usable on demand by an authorized person. If you host your data with a data center partner, that partner is handling ePHI on your behalf and is a Business Associate under HIPAA: it must itself have the administrative, physical and technical safeguards required by the U.S. Department of Health and Human Services in place, and you need a Business Associate Agreement with it that spells out those obligations.
How to Be HIPAA Compliant: Administrative Safeguards
Security Management Process
Identify and analyze potential risks to ePHI, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Designate a security official who is responsible for developing and implementing the Covered Entity's security policies and procedures.
Information Access Management
Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a Covered Entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient’s role (role-based access).
Workforce Training and Management
Provide for appropriate authorization and supervision of workforce members who work with ePHI, train all workforce members on the Covered Entity's security policies and procedures, and have and apply appropriate sanctions against workforce members who violate those policies and procedures.
Evaluation
Perform a periodic assessment of how well security policies and procedures meet the requirements of the Security Rule, both on a schedule and whenever the environment or operations change in a way that affects ePHI.
How to Be HIPAA Compliant: Physical Safeguards
Facility Access and Control
Limit physical access to facilities that house ePHI systems while ensuring that authorized access is allowed.
Workstation and Device Security
Implement policies and procedures that specify proper use of and access to workstations and electronic media. A Covered Entity must also have policies and procedures covering the transfer, removal, disposal and re-use of electronic media, so that ePHI is protected (or securely wiped) at every stage of the media's life.
How to Be HIPAA Compliant: Technical Safeguards
Access Control
Implement technical policies and procedures that allow only authorized persons to access ePHI.
Audit Controls
Implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
Integrity Controls
Implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
Transmission Security
Implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.
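The technical safeguards above state requirements, not implementations. The following Python sketch is an added illustration written for this page (it is not OnRamp's code, nor anything published by HHS) of how three of them look in practice: role-based access control enforcing "minimum necessary", a hash-chained audit log that records every access decision and cannot be silently edited, and an HMAC integrity tag that detects a record being altered or copied under another patient's identifier. The key, the role table, the record layout and the sample patient data are all constructed for the example; transmission security (TLS on the wire) is a transport-layer control and is not shown.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed demo key. In a real system this lives in a KMS or HSM;
# it is hard-coded here only so the example runs offline.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical role table implementing "minimum necessary": each role
# gets only the actions its job needs. Role names are assumptions.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},      # in practice narrowed to billing fields only
    "it_admin": set(),        # manages systems, never opens patient records
}


class AccessDenied(PermissionError):
    """Role not authorized for the requested action (Access Control)."""


class IntegrityError(ValueError):
    """Stored record no longer matches its MAC (Integrity Controls)."""


@dataclass
class EPHIStore:
    """Minimal in-memory store: access control, audit log, integrity tags."""
    records: dict = field(default_factory=dict)  # patient_id -> (json, tag)
    audit_log: list = field(default_factory=list)

    def _tag(self, patient_id: str, payload: str) -> str:
        # HMAC over patient_id AND payload, so a validly tagged record
        # cannot be re-filed under a different patient without detection.
        msg = patient_id.encode() + b"\x00" + payload.encode()
        return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, patient_id, outcome) -> None:
        # Hash-chained entry (Audit Controls): each entry commits to the
        # previous one, so editing or deleting history breaks verification.
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else "0" * 64
        entry = {"ts": time.time(), "user": user, "role": role,
                 "action": action, "patient": patient_id,
                 "outcome": outcome, "prev": prev}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def _authorize(self, user, role, action, patient_id) -> None:
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self._audit(user, role, action, patient_id,
                    "allowed" if allowed else "denied")
        if not allowed:
            raise AccessDenied(f"role {role!r} may not {action}")

    def write(self, user, role, patient_id, record: dict) -> None:
        self._authorize(user, role, "write", patient_id)
        payload = json.dumps(record, sort_keys=True)
        self.records[patient_id] = (payload, self._tag(patient_id, payload))

    def read(self, user, role, patient_id) -> dict:
        self._authorize(user, role, "read", patient_id)
        payload, tag = self.records[patient_id]
        if not hmac.compare_digest(tag, self._tag(patient_id, payload)):
            self._audit(user, role, "integrity_check", patient_id, "failed")
            raise IntegrityError(f"record for {patient_id} was altered")
        return json.loads(payload)

    def verify_audit_log(self) -> bool:
        """Recompute the hash chain; False if any entry was edited/removed."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["entry_hash"] != expected:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Exercise the three controls on constructed sample data."""
    store = EPHIStore()
    store.write("dr_lee", "physician", "P-1001",
                {"dx": "J45.909", "note": "asthma, stable"})   # constructed
    out = {"read_ok": store.read("dr_lee", "physician", "P-1001")["dx"] == "J45.909"}
    try:                                   # it_admin has no read right
        store.read("sysop", "it_admin", "P-1001")
        out["admin_denied"] = False
    except AccessDenied:
        out["admin_denied"] = True
    store.records["P-2002"] = store.records["P-1001"]   # re-file under another id
    try:
        store.read("dr_lee", "physician", "P-2002")
        out["swap_detected"] = False
    except IntegrityError:
        out["swap_detected"] = True
    payload, tag = store.records["P-1001"]              # out-of-band edit
    store.records["P-1001"] = (payload.replace("stable", "severe"), tag)
    try:
        store.read("dr_lee", "physician", "P-1001")
        out["tamper_detected"] = False
    except IntegrityError:
        out["tamper_detected"] = True
    out["log_valid"] = store.verify_audit_log()
    store.audit_log[2]["outcome"] = "allowed"            # try to hide the denial
    out["log_tamper_detected"] = not store.verify_audit_log()
    return out
```

Two design points carry over to real deployments: the integrity tag must bind the record to its identifier (not just its contents), or a correctly tagged record can be moved between patients, and the audit log must be protected as carefully as the data it describes, because an attacker who can edit the log can erase the evidence of their access.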
More HIPAA Information
OnRamp works closely with each customer who deals with ePHI to ensure that, collectively, OnRamp and the customer are adequately maintaining the proper configurations, processes and procedures to protect ePHI according to the HIPAA Privacy and Security Rules.
If you are curious about your HIPAA compliance options, see our pages on HIPAA Colocation, HIPAA Compliant Cloud hosting, and HIPAA Disaster Recovery. We have also compiled a useful glossary of relevant terms on our HIPAA Glossary page. You can contact us anytime for individualized answers for all your HIPAA questions.