Avoiding IT HIPAA Hazards

Rob Humphreys, product manager, eFax Corporate

With the passage of the Omnibus Final Ruling in September, 2013, many healthcare IT directors were faced with a seemingly simple question by their organizations’ senior management: “are we or aren't we HIPAA Compliant .” It seems like a simple question, but ever since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, hospitals, group practices and other covered entities have struggled with their response. Even with fifteen years to prepare, many providers were still scrambling to meet all the requirements defined in the Omnibus Rule.

Reaching definitive answers to specific HIPAA compliance issues can be difficult, made all the more confusing by updates to the law since its initial passage. HIPAA contains few absolute measures that must be implemented to achieve compliance. And once you have deployed the technology solutions, implemented the policies and trained your personnel, there is still no certification or stamp of approval from an authorized compliance agency available for reassurance.

While not just an IT problem, IT teams have nonetheless been called on to do the heavy lifting necessary to ensure HIPAA compliance. Their efforts are often undertaken with little understanding of what's actually required in order to achieve HIPAA compliance and frequently result in processes that are lacking in small but important ways. From my conversations with customers regarding their compliance needs and solutions, I hear several recurring incorrect assumptions that can lead to problems.

Here are some of the most common erroneous HIPAA assumptions that I've encountered. If any of these sound familiar, you may need to take a closer look at your organization's compliance program.

Our vendor’s service is HIPAA compliant, so my system is compliant
I frequently encounter IT managers who firmly believe that deploying a software package touted as “HIPAA compliant” is all that’s required to achieve compliance. Compliance with HIPAA requirements is not transferable; while your vendor’s status is important, your organization should implement its own comprehensive HIPAA compliance program. You’ll want to make sure that your processes are HIPAA compliant, then select vendors that fit your organization’s security framework.

My vendor signed a BAA, so I’m covered
With so much ambiguity within HIPAA, it’s easy to have a disconnect with vendors’ interpretation of compliance. Vendor selection should be guided by established protocols in your overall HIPAA compliance program. When entering into a relationship with a vendor, it’s like the old adage says: trust, but verify. Even if a vendor willingly offers to sign a Business Associate Agreement (BAA), you should always perform due diligence to ensure their product or service is a match for your organization.

We don’t use cloud services because they are insecure
This assumption is no more true than concluding that on-site solutions are always secure. Cloud services offer a number of advantages – cost savings, increased efficiency, lower infrastructure overhead – over their traditional counterparts, and many offer HIPAA compliant services tailored to the needs of healthcare customers.

Our corporate policies restrict user access to PHI, so we are in compliance
While policies and procedures are key to any HIPAA compliance program, these elements are nothing without rigorous monitoring and ongoing enforcement. Your organization should always be on the lookout for security breaches, both technological and procedural, to ensure Protected Health Information (PHI) is secure. As additional reinforcement, consider conducting routine training sessions with employees regarding policies and procedures covering access and use of PHI.

We use an in-house fax server so our transmissions are secure behind our firewall
Fax servers can help ensure the security of PHI during transmission, but often fall short in protecting the same data while stored on your network. Fax servers often hand-off PHI data to email or file servers that may be vulnerable to unauthorized access from within your network. As an additional layer of security, consider solutions that offer “at rest” encryption of PHI while stored within your systems.

Our EHR system has a well-documented audit trail, so a document sharing policy would be redundant
An audit trail is great, but it only covers data while it lives within your EHR system. What happens once a record is printed? Consider implementing a clear, comprehensive document sharing policy that addresses handling of PHI both within and outside of your EHR system. Think of the document sharing policy as a complement to your EHR audit trail, not a redundancy.

Our email provider offers TLS encryption, so we’re secure in sending email attachments
TLS encryption is a great tool to help secure emails in transit, but only works if both sides of the email transaction are configured properly. Many consumer email providers aren’t equipped to support TLS encryption for their subscribers. If your email provider is only using opportunistic TLS and the recipient doesn’t support TLS, emails with PHI could be transmitted with no encryption at all. You may want to think twice about sending PHI over email, particularly when other, more secure methods are available.

There are no absolute assurances when it comes to HIPAA compliance, but by making yourself aware of these seven hazards, you will be more prepared to provide greater consideration to the compliance of your data and document management processes.

About the author
Rob Humphreys is Product Manager with eFax Corporate, a division of j2 Global, Inc., a global provider of business cloud and digital media services. eFax Corporate is the world’s leading online fax provider and helps thousands of companies in highly-regulated industries, including healthcare, transmit and manage sensitive documents efficiently and securely.