We’ve all been there. You go to a meeting and someone talks about HIPAA compliance. You leave, ready to conquer the HIPAA monster. But come Monday morning, HIPAA seems much harder to explain to your staff, and suddenly you wish you had an IT degree.
So let’s simplify things.
HIPAA requires a series of safeguards to ensure protected health information (PHI) is actually protected. Its Security Rule defines five Technical Safeguards covering electronic protected health information (e-PHI), whether it is stored or transmitted.
Let’s break them down, starting with the first and probably most important one.
The first safeguard, transmission security, is also called encryption: it converts information into a code that cannot be read without the key. You want the highest number when it comes to encryption (i.e. 256, 1024, 2048-bit), because the higher the level, the stronger the security. One caveat: key lengths are only comparable between implementations of the same algorithm, so ask the vendor which algorithm the number refers to.
Accomplished through: encryption software available in the marketplace today.
Person or entity authentication verifies that the people seeking access to e-PHI are who they say they are.
Accomplished through:
- The federally-recognized DIRECT project. DIRECT verifies users and recipients through multiple forms of identification.
- Technology like biometrics, which can use fingerprints, face or iris recognition for verification purposes.
Access control ensures that only specifically authorized, individually identified users can access e-PHI and the devices that hold it.
Accomplished through: unique usernames and passwords, and an automatic log-off feature built into the software.
Audit controls record and examine activity in the systems that hold e-PHI, producing an audit trail across hardware, software and/or procedural mechanisms.
Accomplished through: software that produces a detailed audit report. Do not just take a vendor’s word for it. Ask him or her to produce an instant HIPAA audit trail report of your demo session. In the resulting report, you should see every activity that occurred during your demo, and who performed it.
Integrity ensures that electronically transmitted e-PHI is not improperly modified or destroyed without detection, from the time it is created or received until it is disposed of.
Accomplished through: an off-site service that stores all e-PHI communications for six years, without the possibility of e-PHI modification.
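The audit-controls and integrity safeguards above are easier to evaluate when you can see what “every activity, who performed it, and no undetected modification” looks like in practice. The following is an added example written for this page, not code from any vendor or from the DIRECT project: a small tamper-evident audit trail in which each entry is chained to the previous one with a keyed hash, so editing, deleting or reordering an entry is detected. The user names, record IDs, timestamps and key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real system the key lives in a secrets manager or
# HSM, so that someone who can edit the log cannot also recompute the digests.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


def _entry_digest(prev_digest, fields):
    """Keyed hash over the previous digest plus this entry's canonical JSON."""
    payload = prev_digest.encode() + json.dumps(fields, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_event(log, user, action, record_id, when):
    """Record who did what to which e-PHI record, chained to the prior entry."""
    fields = {"user": user, "action": action, "record": record_id, "at": when}
    prev = log[-1]["digest"] if log else "genesis"
    log.append({**fields, "digest": _entry_digest(prev, fields)})
    return log[-1]


def verify_chain(log):
    """Return the index of the first entry that fails verification, or None."""
    prev = "genesis"
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "digest"}
        if not hmac.compare_digest(_entry_digest(prev, fields), entry["digest"]):
            return i
        prev = entry["digest"]
    return None


def audit_report(log):
    """The report a vendor should be able to show: every activity and its actor."""
    return [f'{e["at"]} {e["user"]} {e["action"]} {e["record"]}' for e in log]


def demo():
    log = []
    append_event(log, "dr.lee", "VIEW", "patient-0042", "2024-01-08T09:00:00Z")
    append_event(log, "nurse.kim", "UPDATE", "patient-0042", "2024-01-08T09:05:00Z")
    append_event(log, "dr.lee", "EXPORT", "patient-0042", "2024-01-08T09:10:00Z")
    intact = verify_chain(log)        # None: the untouched chain verifies
    log[1]["user"] = "someone.else"   # simulate an after-the-fact edit of entry 1
    tampered = verify_chain(log)      # 1: entry 1's digest no longer matches
    return intact, tampered, audit_report(log)
```

Because every digest also covers the previous digest, removing or reordering an entry breaks the chain at the point of the change just as editing a field does.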
Each safeguard can be met individually, or through cost-effective solutions that meet all five technical safeguards in one comprehensive software package. Products are often labeled “HIPAA-Compliant” yet satisfy only one or two of these safeguards. Insist that your vendor demonstrate all five. Your practice depends on it.