The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for how patient data is protected and stored in the US. Under HIPAA, organizations that store, process, or transfer protected health information (PHI) are required to implement specific administrative, technical, and physical safeguards. According to the Department of Health and Human Services (HHS), the HIPAA Privacy Rule defines standards for how organizations maintain patient privacy. The HIPAA Security Rule defines the specific technical standards organizations must implement when managing PHI. Security teams must account for Security Rule requirements such as access control and encryption.
Who Is Required to Comply with HIPAA?
Startups and software developers that receive protected health information (PHI) from a covered entity (CE) such as a health provider, hospital, or insurance company must comply with HIPAA requirements. Healthcare startups and software companies that work with healthcare organizations typically enter into a business associate agreement (BAA) and operate as a business associate (BA) of the healthcare organization. Overall, software vendors selling into healthcare are expected to be HIPAA compliant.
Healthcare providers are considered covered entities (CEs) and must comply with HIPAA regulations. This means that doctors’ offices and hospitals, as well as telehealth platforms and software platforms that provide care to patients, must meet HIPAA requirements.
Health plans, insurers, and clearinghouses are also considered covered entities (CEs) and must comply with HIPAA regulations. These organizations manage PHI for a large number of patients and are required to comply with HIPAA.
When managing PHI or building healthcare applications or solutions, teams may consider the following HIPAA guidelines and HIPAA compliance checklist:
Technical Safeguard Requirements
HIPAA requires that organizations encrypt PHI “at rest” and “in transit”. This means that PHI must be stored on encrypted volumes/drives and must be protected with SSL/TLS when transmitted across the internet or other networks.
In the cloud – This means that teams must configure each individual cloud service to use encrypted volumes and enforce TLS for connections over the internet.
Access Control –
HIPAA requires that organizations limit PHI access to the “minimum necessary”. This means that access control systems must be implemented to ensure that staff members do not have more access than what is required to perform their duties. Teams should implement role-based access control for systems and applications containing PHI.
In the cloud – Teams may consider using cloud access control services such as AWS Identity and Access Management (IAM) to set permissions and manage access control for production applications.
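The “minimum necessary” principle can be checked mechanically on IAM policy documents before they are attached to a role. The linter below is an added example written for this article, not code from the original page or from Dash ComplyOps; the two policy documents are constructed samples, and the bucket name and key prefix in them are placeholders. It flags any Allow statement that uses a wildcard action (`*` or `service:*`), applies to every resource (`Resource: "*"`), or relies on `NotAction`, which are the three patterns that most commonly grant staff or workloads more than they need.

```python
"""Least-privilege lint for AWS IAM policy documents (added example).

Flags Allow statements whose actions or resources are wildcards, which
contradicts the HIPAA "minimum necessary" access requirement described in
the article. The sample policies are constructed for illustration.
"""
import json
from typing import List

# Constructed sample: far broader than an application that reads records from
# a single PHI bucket needs.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
})

# Constructed sample: the same workload scoped to one placeholder bucket and
# one object prefix, with ListBucket restricted to that prefix.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-phi-bucket/records/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-phi-bucket",
            "Condition": {"StringLike": {"s3:prefix": ["records/*"]}},
        },
    ],
})


def _as_list(value) -> list:
    """IAM accepts a string or a list for Statement/Action/Resource; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> List[str]:
    """Return human-readable findings; an empty list means no wildcard grants."""
    policy = json.loads(policy_json)
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they are not flagged
        if "NotAction" in stmt:
            # "Allow everything except ..." is an open-ended grant by construction
            findings.append(f"statement {idx}: Allow with NotAction is an open-ended grant")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resources = [r for r in resources if r == "*"]
        if wildcard_actions:
            findings.append(f"statement {idx}: wildcard action(s) {wildcard_actions}")
        if wildcard_resources:
            findings.append(f"statement {idx}: applies to all resources ('*')")
        if wildcard_actions and wildcard_resources:
            findings.append(
                f"statement {idx}: unrestricted grant, violates minimum necessary access"
            )
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

Running the linter as a pre-commit or CI step on infrastructure code keeps wildcard grants from reaching a production account; the scoped policy passes cleanly, while the broad one produces four findings.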
Audit Logging –
HIPAA requires teams to collect logs related to PHI access and modification. Teams should consider collecting all logs and events related to PHI from cloud infrastructure, operating system (OS), and application-level logs. Logs containing PHI identifiers are also considered PHI and accordingly should be encrypted and limited to only necessary access.
In the cloud – Teams should enable audit log creation/collection for each individual cloud service in use and may aggregate logs in a solution such as Amazon CloudWatch.
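Because logs that carry patient identifiers are themselves PHI, a common design is to scrub identifiers before lines leave the application and reach a shared aggregator, while keeping events correlatable for audit purposes. The script below is an added example, not code from the original page or from Dash ComplyOps. It assumes a simple `key=value` log format and an `MRN-<digits>` medical record number convention, both constructed for this illustration; it redacts SSN-shaped values outright and replaces record numbers with a keyed HMAC pseudonym, so two accesses to the same record still match in the aggregated log without exposing the identifier.

```python
"""Scrub PHI identifiers from application log lines before aggregation (added example).

SSN-shaped values are redacted; medical record numbers are replaced with a
keyed HMAC-SHA256 pseudonym so audit events remain correlatable. Log format,
MRN convention and key are constructed for this example.
"""
import hashlib
import hmac
import re
from typing import List

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG_LINES = [
    "2024-01-15T10:02:11Z level=INFO event=record_read user=jdoe mrn=MRN-4471823 ssn=123-45-6789 ip=10.0.4.12",
    "2024-01-15T10:02:15Z level=INFO event=record_update user=asmith mrn=MRN-4471823",
    "2024-01-15T10:03:01Z level=WARN event=login_failed user=jdoe ip=10.0.4.12",
]

# Constructed key. In a real deployment this comes from a secrets manager and
# is readable only by the log-scrubbing component, so the aggregator's
# operators cannot reverse the pseudonyms.
PSEUDONYM_KEY = b"example-key-not-for-production"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN-\d+\b")  # assumed record-number convention


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym: same input and key give the same output."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pid_" + digest[:16]


def contains_phi(line: str) -> bool:
    """True if the line still holds an SSN-shaped value or a raw record number."""
    return bool(SSN_RE.search(line) or MRN_RE.search(line))


def scrub_line(line: str) -> str:
    """Redact SSNs and pseudonymize record numbers in one log line."""
    line = SSN_RE.sub("[SSN-REDACTED]", line)
    return MRN_RE.sub(lambda m: pseudonymize(m.group(0)), line)


def scrub_lines(lines: List[str]) -> List[str]:
    """Scrub a batch of lines; this is what would be shipped to the aggregator."""
    return [scrub_line(line) for line in lines]


def field(line: str, name: str) -> str:
    """Return the value of a key=value field, or '' if absent."""
    for token in line.split():
        if token.startswith(name + "="):
            return token[len(name) + 1:]
    return ""


if __name__ == "__main__":
    for original, scrubbed in zip(SAMPLE_LOG_LINES, scrub_lines(SAMPLE_LOG_LINES)):
        print(scrubbed, "| still PHI:", contains_phi(scrubbed))
```

The unscrubbed lines, if they must be retained at all, belong in a separate store with the same encryption and access restrictions as the PHI they describe; only the scrubbed stream goes to the general-purpose aggregator.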
Automatic Logoff –
HIPAA requires teams to have automatic logoff requirements in place for systems with PHI. This means that any workstation that stores PHI should automatically log off the user after a set period of inactivity. Any cloud platform user session should time out after a set period, and SSH/VPN access to production systems should have a session timeout enabled.
In the cloud – Teams should enable automatic logoff for cloud services, applications, and systems containing PHI.
Detecting Unauthorized Access –
HIPAA requires organizations to set integrity controls and ensure that PHI is not improperly modified or disposed of. Intrusion detection systems (IDS) and vulnerability scanning detect potentially malicious behavior and enable teams to limit unauthorized access to production services.
In the cloud – Teams should consider implementing cloud native security solutions such as Amazon GuardDuty for intrusion detection or other commercial solutions for these security standards.
Administrative Safeguard Requirements
Administrative policies and standard operating procedures are a key part of any HIPAA security program. Policies should outline actionable security standards based around the organization and its IT infrastructure. Teams handling PHI should define a set of administrative policies to cover topics including:
Risk Assessment –
HIPAA requires teams to perform a security risk assessment on an annual basis, at a minimum. Teams should create a process for handling risk assessment and overall risk analysis. For the risk assessment, teams may work with a third party to perform an unbiased assessment of their HIPAA security controls. Security staff should review assessment findings and remediate potential compliance issues.
Security Roles –
HIPAA requires that teams define a HIPAA Security Officer and a HIPAA Privacy Officer. The Security Officer is typically responsible for setting technical security standards and ensuring that PHI data is properly secured, while the Privacy Officer is responsible for managing HIPAA administrative standards across the organization, such as conducting staff training and reviewing and maintaining policies. For small organizations these two roles may be assigned to the same individual.
Staff Training –
HIPAA requires teams to provide new employees with security training within 90 days of hiring. Additionally, staff security and awareness training must be conducted at least once a year. Training may be conducted internally or with the help of a third-party training solution. Training should cover topics such as what is considered PHI, how PHI must be protected, and the approved software and procedures for accessing PHI.
Incident Response Plan –
HIPAA requires teams to prepare an incident response plan in case of a potential security breach. In this plan, organizations should set procedures for how staff and clients can report potential security incidents, and set standards for how the security team reviews incidents, resolves issues, and handles breach notification.
Disaster Recovery (DR) Plan –
HIPAA requires teams to set up backup and disaster recovery (DR) to ensure that PHI is available in case of data deletion or availability issues. Teams should set up and periodically test disaster recovery (DR) processes to ensure that data is backed up and can be properly restored in case of an incident.
Business Associate Agreements (BAA) –
HIPAA requires that teams have a business associate agreement (BAA) in place with all vendors that manage PHI. This means that organizations should sign a BAA with all cloud service providers (such as AWS and Azure), vendors, and software solutions that may store, process, and/or transfer PHI. PHI should NOT be stored or processed by any vendor that has not entered into a BAA with the organization.
Physical Safeguard Requirements
Utilize HIPAA Secure Infrastructure
In order to build HIPAA compliant applications, PHI must be stored on HIPAA compliant infrastructure. Cloud providers such as Amazon Web Services (AWS) will sign a business associate agreement and enable teams to build compliant solutions under the shared responsibility model. When selecting a HIPAA compliant cloud or hosting provider, organizations should choose a reputable infrastructure provider that will sign a BAA and meets all necessary physical and technical safeguards.
Mobile Devices and Disposable Media Security
Mobile devices (including mobile phones, laptops, and USB drives) must be secured if they store PHI. This means that workstations or portable devices that store PHI should be encrypted, have restricted access controls, and enforce automatic logoff. When PHI is no longer needed on this hardware, these devices should be securely wiped or destroyed. Teams may consider limiting mobile device exposure by exclusively storing PHI in the cloud and securing access to that data overall.
Facility access to PHI must be restricted. For organizations operating in the public cloud, facility access restrictions are generally outlined in the provider's business associate agreement (BAA). If PHI is stored on-premises or on local workstations, teams should address facility access requirements including limiting employee access, implementing locked doors/areas, and conducting ongoing building and facility maintenance.
Managing HIPAA in The Cloud
With the latest innovation in healthcare, more healthtech startups, software vendors, and healthcare organizations are building applications on public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. These providers offer many services for quickly building solutions, but teams need to be aware of HIPAA requirements for the cloud.
Here is what you need to know about HIPAA and the cloud:
Cloud Platforms provide HIPAA eligible services –
HHS has provided guidance around cloud service providers and has determined that cloud providers can store PHI for an entity as long as a BAA is in place. Cloud service providers and SaaS solutions generally offer platforms with “HIPAA eligible services” defined under the BAA. Cloud providers may cover some or all of their services under the BAA (for example, see the AWS HIPAA Eligible Services list).
Organizations must be sure to only store/process/manage PHI in these covered services in order to maintain HIPAA compliance.
Teams are still responsible for administrative and technical requirements –
While cloud providers may provide customers with HIPAA eligible services, organizations are still responsible for implementing all security standards alongside these “eligible services”. It is the cloud customer’s responsibility to configure all necessary HIPAA security standards that go along with the cloud service.
For example – Amazon S3 is “HIPAA eligible” and S3 buckets may be used with PHI. With that said, teams must restrict access to these buckets (ensuring public access is disabled), enable encryption, and configure backup settings.
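The S3 case above can be turned into a repeatable check. The script below is an added example, not code from the original page or from Dash ComplyOps. It evaluates a bucket's configuration against the three controls the paragraph names (public access blocked, default encryption enabled, backups via versioning) plus the server access logging the Audit Logging section calls for. To run offline it reads constructed dictionaries shaped like the boto3 responses for `GetPublicAccessBlock`, `GetBucketEncryption`, `GetBucketVersioning` and `GetBucketLogging`; the bucket names, KMS key ARN and account ID are placeholders. Against a live account the same function would be fed the real API responses.

```python
"""HIPAA technical-safeguard check for an S3 bucket configuration (added example).

Evaluates a bucket against: all four public access block settings on, default
server-side encryption configured, versioning enabled (backup), and server
access logging enabled. Input dictionaries are constructed and shaped like
boto3 S3 client responses; no AWS calls are made.
"""
from typing import Any, Dict, List

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ACCEPTED_SSE = ("aws:kms", "AES256")

# Constructed sample: a bucket that is "HIPAA eligible" by virtue of being S3,
# yet fails every control the article lists.
INSECURE_BUCKET: Dict[str, Any] = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    },
    "ServerSideEncryptionConfiguration": None,  # no default encryption rule
    "Versioning": {},                             # versioning never enabled
    "Logging": {},                                # no LoggingEnabled block
}

# Constructed sample: the same bucket after remediation. Names and the KMS key
# ARN (including account ID 111122223333) are placeholders.
HARDENED_BUCKET: Dict[str, Any] = {
    "PublicAccessBlockConfiguration": {key: True for key in PAB_KEYS},
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            },
            "BucketKeyEnabled": True,
        }]
    },
    "Versioning": {"Status": "Enabled"},
    "Logging": {"LoggingEnabled": {"TargetBucket": "example-audit-logs",
                                   "TargetPrefix": "s3/example-phi-bucket/"}},
}


def check_bucket(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means all four controls pass."""
    findings: List[str] = []

    # Access control: every public access block flag must be on.
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    missing = [key for key in PAB_KEYS if not pab.get(key)]
    if missing:
        findings.append(f"public access not fully blocked: {missing} are off")

    # Encryption at rest: a default SSE rule with an accepted algorithm.
    enc = cfg.get("ServerSideEncryptionConfiguration") or {}
    algorithms = [
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        for rule in enc.get("Rules") or []
    ]
    if not any(alg in ACCEPTED_SSE for alg in algorithms):
        findings.append("default server-side encryption not configured")

    # Backup: versioning protects objects against deletion and overwrite.
    if (cfg.get("Versioning") or {}).get("Status") != "Enabled":
        findings.append("versioning not enabled (no object-level backup)")

    # Audit logging: server access logs must be delivered somewhere.
    if not (cfg.get("Logging") or {}).get("LoggingEnabled"):
        findings.append("server access logging not enabled")

    return findings


def is_compliant(cfg: Dict[str, Any]) -> bool:
    """Convenience wrapper for gating deployments or dashboards."""
    return not check_bucket(cfg)


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, check_bucket(cfg) or "no findings")
```

Checks like this are what turn a one-time configuration into continuous monitoring: the same function can run on a schedule across every bucket tagged as holding PHI, and any new finding is a compliance drift to investigate.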
Teams can use a “HIPAA compliant” cloud and fall out of HIPAA compliance –
As you can see from the previous example, it is possible for teams to use “HIPAA compliant” cloud services and still not be HIPAA compliant. It is up to the organization to make sure that all administrative policies, procedures, and technical standards are implemented and periodically reviewed to ensure that the organization maintains compliance.
Meeting HIPAA with Dash ComplyOps
HIPAA compliance does not need to be overwhelming. Dash ComplyOps provides startups, healthcare organizations, and vendors with one solution for building and managing a HIPAA security program in the cloud. Dash can help your team achieve HIPAA compliance in 3 easy steps:
1. Sign a Business Associate Agreement (BAA)
Teams sign a BAA with their cloud provider (AWS, Azure). This agreement outlines how HIPAA security requirements are delineated between the cloud service provider and the cloud customer. The cloud provider generally manages many physical safeguard requirements, while your organization is responsible for administrative requirements and technical controls.
2. Build your HIPAA program and administrative standards
Dash provides your team with a custom set of HIPAA security policies, based around your organization and your technologies. These policies are mapped to required HIPAA standards and best practices around cloud services. Your team can customize policies by answering plain English questions and defining the specific technologies used within the organization.
3. Maintain compliance with Dash Continuous Compliance Monitoring
After defining HIPAA policies, Dash helps your team enforce HIPAA technical controls and maintain compliance in your cloud. With Dash Continuous Compliance Monitoring, your team can monitor your cloud platform for any potential compliance issues and resolve cloud security issues before they become a HIPAA violation.
Request a demo today to learn more about our platform!