How Leading Healthcare Organizations Keep Their Data HIPAA Compliant
By Larry Alton

As an organization within the healthcare industry, your business faces a number of distinct challenges with data, privacy, and security. In particular, you have to think through what it means to keep your data HIPAA compliant, all while ensuring your processes are efficient and cost-effective.

Understanding the HIPAA Security Rule

 Toward the end of the 20th century, the Health Insurance Portability and Accountability Act of 1996, better known by its acronym, HIPAA, was put into law. It required the U.S. Department of Health and Human Services (HHS) to develop some regulations protecting both the privacy and the security of certain health information. In response, the HHS published the HIPAA Privacy Rule and the HIPAA Security Rule.

 The HIPAA Privacy Rule establishes national standards for protecting certain health information. The HIPAA Security Rule consists of a set of security standards that protect health information that’s held or transferred in electronic form.

“A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care,” HHS.gov explains. “Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ [electronic private health information].”

 Recommendations for Keeping Data Protected

 Today’s patients are acutely aware of the security risks that exist online and are hesitant to work with organizations that don’t protect their data. Thus keeping data protected isn’t just a legal compliance issue – it’s also a practical matter. Here are some ways leading healthcare organizations ensure their data remains safe in a hostile cyber environment:

 1. They Only Use HIPAA-Compliant Cloud Storage Services

 While HIPAA doesn’t list specific methods or tools for securing data, encryption is highly encouraged as an industry best practice. And while there are numerous cloud storage solutions that offer encryption, it’s important to consider ones that are rated as HIPAA-compliant.

Five of the best HIPAA-compliant cloud storage solutions are Dropbox (Business), Box, Google Drive, Microsoft OneDrive, and Carbonite.

 2. They’re Proactive With Data at Rest

 “Data at rest” is the term given to information that lies inactive in a company’s data warehouse. Think of it like all the files that are stored in the system, but don’t get touched.

“A somewhat gray area in HIPAA, it is up to your IT department to decide if encrypting ‘data at rest’ is warranted through the use of easily implemented options like TDE (Transparent Data Encryption) or EFS (Encrypting File System),” Intelligent Video Solutions explains.

It’s generally considered a good idea to encrypt all data – whether it’s in motion or at rest. The cost and effort to do so simply isn’t significant enough to risk leaving data vulnerable and exposed.

 3. They Follow Proper Email Protocol

 Email is where healthcare organizations often get themselves in trouble. (And the penalty for breaking HIPAA laws with email can be as much as $100,000 for a single violation.) Leading organizations don’t mess around with email. They understand the distinction between an email platform being HIPAA capable and HIPAA compliant and rely on encryption to lower risk across the board.

As security analyst George Mateaki writes, “Encryption is a way to make data unreadable at rest and during transmission. Emails including PHI shouldn’t be transmitted unless the email is encrypted using a third-party program or encryption with 3DES, AES, or similar algorithms. If the PHI is in the body text, the message must be encrypted. If it’s part of an attachment, the attachment can be encrypted instead.”

Healthcare organizations that are uncertain of their email protocol should meet with a security advisor to discuss options. There’s too much at risk to ignore this important piece of the puzzle.

 Adding it All Up

 The cyber landscape is a scary place right now. Hackers and cybercriminals are feasting on vulnerable businesses and love nothing more than compromising healthcare organizations that are under-protected and over-exposed. But with the right understanding of HIPAA laws and a willingness to adopt the latest security best practices and innovations, these same organizations can protect their best interests and fend off dangerous threats.