Data Privacy and Security: Protecting Patient Data and Ensuring HIPAA Compliance

By Lindsay Dymowski Constantino, President — Centennial Pharmacy Services

Data security is challenging enough when the goal is to prevent bad actors from gaining unauthorized access. But sometimes, other requirements make it even more challenging.

Such is the case with healthcare providers and the companies that serve their data needs. For them, data security is a complex blend of maintaining controls and meeting regulatory requirements.

What HIPAA says about security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national security standards for electronic healthcare transactions. Its overarching goal is to ensure that healthcare companies protect patient data when storing or sharing it electronically.

HIPAA focuses on what it calls protected health information (PHI). Its regulations define PHI to include standard personal information such as name, address, phone number, and social security number. Data created as a result of the care a patient receives, such as admission and discharge data and medical records numbers, is also included. Photos of a patient and biometric identifiers such as fingerprints or voiceprints are also considered PHI.

Organizations covered by the rules include not only the healthcare entities engaging with patients but also any “business associates” who play a role in managing PHI. HIPAA defines those associates to include a “subcontractor that creates, receives, maintains, or transmits” healthcare data on behalf of a covered business associate. It also covers anyone who provides “data transmission services” or “requires access on a routine basis” to the data.

To stay compliant, those handling PHI must satisfy some general security standards aimed at ensuring the confidentiality, integrity, and availability of PHI. The language of the law calls those covered by it to “protect against any reasonably anticipated threats or hazards” to the information’s security and against any “reasonably anticipated uses or disclosures” not permitted or required by the law.

Security training is another key HIPAA requirement. The law says covered entities and the business associates that support them must take steps to ensure that their workforce complies with its provisions.

The US Department of Health and Human Services (HHS) explains that requiring security that addresses a “reasonably anticipated threat” was meant to make the law’s requirements scalable. Rather than requiring a “one-size-fits-all” security setup, it acknowledges that the threats faced — and the controls needed to address them — can vary from one organization to the next.

HHS says those covered by HIPAA should consider several factors, including their size, complexity, and capabilities when evaluating the degree of security that would be considered reasonable. Another key factor HHS asks covered entities to consider is the “probability and criticality of potential risks” to the electronic PHI it manages.

Basic steps toward HIPAA compliance

Data privacy and security have become standard in the business world. Companies that store data of any kind, regardless of their size or sector, know they must have safeguards in place to repel a constant barrage of attacks.

HIPAA security compliance, however, requires a few steps that may not be addressed by standard business data privacy and security processes. For example, HIPAA rules call for a risk analysis as part of data safeguards. They require that organizations conduct “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

For the sake of efficiency and to keep costs down, many organizations skip a customized risk assessment and simply implement controls that align with their industry’s standards. That approach doesn’t satisfy HIPAA.

HIPAA also requires a “sanction policy.” It explains that organizations must apply “appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” When human error leads to a security breakdown, HIPAA says formal action must be taken against the employee responsible.

Documentation is another component HIPAA expects that standard data privacy and security procedures may not prioritize. HIPAA says documentation must show the policies and procedures that have been implemented to support data security. It also must be reviewed periodically, updated as needed, and made available to those responsible for implementation.

Keeping pace with evolving needs

Data security must be constantly evaluated and maintained for any organization. New threats appear daily, and new security patches are constantly being developed to neutralize them, so organizations that let their security grow stale put themselves at risk of costly consequences.

When regulatory compliance is also in play, staying current becomes even more critical.

HHS recently announced plans to update HIPAA’s security requirements. The announcement suggests that certain security controls that have been considered optional will soon be mandatory. Organizations covered by the rules should assess the impact of such a change as soon as possible.

HIPAA seeks to make healthcare more effective by ensuring the security of the electronic data that supports it. For organizations that operate in the healthcare space, that means taking on data security duties that go beyond the norm. Taking steps to understand HIPAA’s security requirements, put them in place, and ensure they remain up to date and effective is key to avoiding compliance issues.

Lindsay Dymowski Constantino is the President of Centennial Pharmacy Services, a leading LTC-at-home pharmacy, and co-founder & president of the LTC@Home Pharmacy Companies, emphasizing the provision of long-term care pharmacy services in the home setting. With over 15 years of experience in the pharmacy field and a strong entrepreneurial spirit, Lindsay has a deep understanding of what drives successful pharmacies beyond medication dispensing—focusing on supporting organizational goals toward better health outcomes through patient-centric care. She is passionate about the future of pharmacy in healthcare, has been featured in national media such as U.S. News & World Report, and actively contributes to the field through national conference presentations, media appearances, continuing education programs, and board memberships dedicated to advancing the practice of pharmacy.
