The security and privacy of patient records is the top priority for any company working with healthcare data. As the world moves towards digitalization, it is equally important that the data is stored and processed in a secure environment.

Every industry has its own security standards to follow, and healthcare is no exception: any environment that stores or processes EHRs (Electronic Health Records) has to meet the requirements of HIPAA.

WHAT IS HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions. HIPAA reflects a move away from cumbersome paper records and an increased emphasis on the security and privacy of health data.

What are the HIPAA Rules?

HIPAA regulation is made up of a number of different HIPAA Rules. The most important ones to be aware of are:

HIPAA Privacy Rule

A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the healthcare marketplace is diverse, the Rule is designed to be flexible and comprehensive enough to cover the variety of uses and disclosures that need to be addressed.

What Information is Protected

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).

HIPAA Security Rule

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the healthcare marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.

What Information is Protected

The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a breach of unsecured PHI or ePHI. The Rule distinguishes two kinds of breach by the number of individuals affected: minor breaches (fewer than 500 individuals) and meaningful breaches (500 or more). All breaches must be reported to HHS OCR regardless of size, but the reporting protocol differs: a breach affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery (and the media must be notified), while smaller breaches may be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. Affected individuals must be notified within 60 days of discovery in either case.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule establishes rules governing the compliance responsibilities of covered entities with respect to the enforcement process, including the rules governing investigations by the Department, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

HIPAA Compliance Checklist

Technical Safeguards

Access control: This not only means assigning each user a centrally controlled unique identifier and credential, but also establishing procedures that govern the release or disclosure of ePHI during an emergency (the emergency access procedure).
Activity logs and audit controls: The audit controls required under the technical safeguards are there to record attempted access to ePHI and what is done with that data once it has been accessed.
Automatic log-off of PCs and devices: This function logs authorized personnel off the device they are using to access or communicate ePHI after a predefined period of inactivity, which prevents unauthorized access to ePHI should the device be left unattended.

Physical Safeguards

Policies for the use and positioning of workstations: Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surroundings of a workstation, and to govern how functions are to be performed on the workstations.
Policies and procedures for mobile devices: If users are allowed to access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices when the user leaves the organization or the device is re-used, sold, etc.
Facility access controls: These control who has physical access to the location where ePHI is stored, covering everyone from software engineers to cleaning staff. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.

Administrative Safeguards

Security management process: Implement policies and procedures to prevent, detect, contain, and correct security violations.
Conducting risk assessments: The main task is compiling a risk assessment that identifies every area in which ePHI is being used and determines all of the ways in which a breach of ePHI could occur.
Developing a contingency plan: In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI for as long as the organization operates in emergency mode.
Restricting third-party access: It is vital to ensure ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with every business partner that will have access to ePHI.

All of the safeguards in the checklist have to be in place before an infrastructure can be called HIPAA compliant for storing or processing EHRs. Not everyone will build and manage their own infrastructure, so below is a HIPAA-compliant solution that can be created in Azure cloud. Note that the cloud provider's Business Associate Agreement covers the platform itself; the configuration of the services you deploy on it, and everything in the checklist above, remains your responsibility.

HIPAA ARCHITECTURE

IDENTITY

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. All users for the solution are created in Azure Active Directory, including the users accessing the SQL Database, so that database access is authenticated through Azure AD rather than through separate SQL logins.

Azure Role-based Access Control (RBAC) is used to grant each identity only the permissions its role needs on the Azure resources it has to use.

Azure Key Vault

Data stored in Key Vault includes storage account access keys, connection strings, service API keys, and web service endpoints, so none of these secrets live in application configuration or source code.

Key Vault access policies grant each identity only the minimum permissions it requires on keys and secrets.

DATA STORAGE

Storage Accounts

  • Data in motion is transferred over TLS only.
  • Anonymous access is not allowed for containers.
  • Alert rules are configured to track anonymous activity.
  • Secure transfer is required, so plain HTTP requests to storage account resources are rejected.
  • Authentication request data is logged and monitored.
  • Data in Blob storage is encrypted at rest.

SQL Database and Server

  • Access to the SQL Database and SQL Server is configured according to the principle of least privilege.
  • Only the required IP addresses are allowed through the SQL server firewall.
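The settings listed under Data Storage and the Key Vault access policies under Identity are the kind of thing that drifts after deployment, so it is worth checking them mechanically rather than trusting the design document. The script below is an added example, not code from the original page or from Microsoft: it evaluates exported resource descriptions against those controls. The three documents embedded in it are constructed samples shaped like trimmed output of `az storage account show`, `az sql server firewall-rule list` and `az keyvault show` (the object IDs and names are placeholders), and the TLS 1.2 floor and the 256-address limit for a single firewall rule are assumed thresholds, not values the page states.

```python
"""Offline posture check for the Azure data-storage and Key Vault controls
described in the reference architecture.  Added example, not the page's code.

The three sample documents below are CONSTRUCTED to resemble trimmed output of
`az storage account show`, `az sql server firewall-rule list` and
`az keyvault show`; they are not real resource exports.  To run against real
exports:  python check_posture.py storage.json sqlrules.json kv.json
"""
import ipaddress
import json
import sys

# Constructed sample: a storage account with two settings that violate the design.
STORAGE_ACCOUNT = {
    "name": "ehrblobstore",
    "supportsHttpsTrafficOnly": True,
    "allowBlobPublicAccess": True,    # weak: anonymous containers become possible
    "minimumTlsVersion": "TLS1_0",    # weak: legacy TLS accepted
    "encryption": {"services": {"blob": {"enabled": True}}},
}

# Constructed sample: SQL server firewall rules, two of them far too wide.
SQL_FIREWALL_RULES = [
    {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "contractor", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
]

# Constructed sample: Key Vault access policies (objectIds are placeholders).
KEY_VAULT = {
    "name": "ehr-kv",
    "properties": {"accessPolicies": [
        {"objectId": "11111111-0000-0000-0000-000000000001",
         "permissions": {"keys": ["get"], "secrets": ["get", "list"], "certificates": []}},
        {"objectId": "11111111-0000-0000-0000-000000000002",
         "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["purge"]}},
    ]},
}


def check_storage_account(acct):
    """Findings for the storage bullets: secure transfer required, no anonymous
    access, TLS 1.2 minimum (assumed floor), blob encryption at rest."""
    findings = []
    name = acct.get("name", "?")
    if not acct.get("supportsHttpsTrafficOnly"):
        findings.append(f"{name}: secure transfer (HTTPS only) is disabled")
    if acct.get("allowBlobPublicAccess"):
        findings.append(f"{name}: anonymous blob access is allowed at account level")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"{name}: minimum TLS version is {acct.get('minimumTlsVersion')}, expected TLS1_2")
    blob_enc = acct.get("encryption", {}).get("services", {}).get("blob", {})
    if not blob_enc.get("enabled"):
        findings.append(f"{name}: blob encryption at rest is not enabled")
    return findings


def check_sql_firewall(rules, max_hosts=256):
    """Flag rules that are not 'only the required IP addresses': the special
    0.0.0.0-0.0.0.0 rule (meaning: allow any Azure service, from any tenant)
    and any range spanning more than max_hosts addresses (assumed limit)."""
    findings = []
    for rule in rules:
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        hosts = int(end) - int(start) + 1
        if int(start) == 0 and int(end) == 0:
            findings.append(f"{rule['name']}: allows all Azure services (any tenant), not just yours")
        elif hosts > max_hosts:
            findings.append(f"{rule['name']}: range {start}-{end} spans {hosts} addresses")
    return findings


def check_key_vault_policies(vault, broad=("all", "purge")):
    """Flag access policies granting wildcard or destructive permissions, which
    contradict 'minimum required permissions to keys and secrets'."""
    findings = []
    for policy in vault["properties"]["accessPolicies"]:
        for kind, perms in policy["permissions"].items():
            hits = sorted(p for p in perms if p.lower() in broad)
            if hits:
                findings.append(f"{vault['name']}: principal {policy['objectId']} has {hits} on {kind}")
    return findings


def run_all(storage=STORAGE_ACCOUNT, sql_rules=SQL_FIREWALL_RULES, vault=KEY_VAULT):
    """All findings across the three resource types; empty list means compliant."""
    return check_storage_account(storage) + check_sql_firewall(sql_rules) + check_key_vault_policies(vault)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        storage, sql_rules, vault = (json.load(open(p)) for p in sys.argv[1:])
        findings = run_all(storage, sql_rules, vault)
    else:
        findings = run_all()   # evaluate the constructed samples
    for f in findings:
        print("FAIL", f)
    sys.exit(1 if findings else 0)
```

Run without arguments it reports seven findings against the constructed samples and exits non-zero, which makes it usable as a gate in a deployment pipeline. The `AllowAllWindowsAzureIps` rule is called out separately because it is easy to mistake for "allow my own services": it admits traffic from any Azure subscription, so a private endpoint or a rule for your own egress addresses is the least-privilege replacement.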