September 23 – if you’re tasked with securing personal health information (PHI), this date should mean something to you. It’s when patient rights are broadened and fines become steeper as the HIPAA Omnibus Final Rule goes into effect.
The impact of this new ruling is widespread, with compliance obligations extending well beyond traditional health care organizations. If the technology partners and service providers that organizations rely on to keep business running smoothly have access to clients’ PHI, they too are now required to meet HIPAA compliance requirements.
That’s good news for health care organizations, as this creates a web of liability and can provide much-needed peace of mind that confidential data is protected as it flows within and across organizations. If a provider handles data transmission services for an organization with PHI or “maintains” PHI on their behalf, the entity is considered a “business associate” and they are subject to HIPAA regulations. This means that file transfer vendors and data storage providers are considered to be a part of your complete HIPAA compliant ecosystem, and are on the hook to keep customer data safe.
The expansion of PHI responsibility is well timed, as the Omnibus Rule also allows patients to request electronic medical records in electronic form. The big question is: how are healthcare organizations making that happen? While physicians and staff all seem to be armed with the latest computing devices, many file-sharing mechanisms are stuck in the dinosaur age. Email, USB sticks, and FTP servers may technically count as “electronic form,” but they present serious security and accountability risks that could lead to compliance violations.
And the U.S. Department of Health and Human Services (HHS) means business. The Breach Notification rule has shifted from its “innocent until proven guilty” mentality. Now, any unauthorized disclosure of PHI is presumed to be a breach until proven otherwise through a risk assessment. And starting as early as next year, organizations could be audited, with violations carrying a hefty price tag of up to $1.5 million per incident.
Therefore, it’s critical for organizations to have a secure system in place for getting electronic records into the hands of patients, as well as to manage the volumes of PHI that circulate throughout the organization. But relying on the Omnibus Rule to safeguard a partnership with a file transfer vendor is not enough. If data is breached, even if it’s the fault of the third-party vendor, all eyes are on the healthcare provider – as it’s their customers’ PHI and reputation at stake.
Here are 9 things to consider for securely transfering PHI under the HIPAA Final Rule on Privacy and Security:
1. Be diligent about data storage: While cloud providers that store PHI are now considered “business associates” under the Omnibus Rule, you want to find out where your information will be housed, who’s managing the data centers and who else has access. Do they subcontract back-end services to other vendors? Ask to see the SLAs and if necessary, business associate agreements (BAA) between your vendor and their service provider.
2. Validate file-sharing activities: To know if patients receive requested records, you need information at your fingertips about the complete lifecycle of a file, including who sent and accessed files, when, and the status of each download. This visibility is also required to determine if PHI has been compromised during a risk assessment.
3. No file size restrictions: Set file size limitations in line with your own security policies, rather than being restricted by the functionality (or lack thereof) of your file sharing solution. The ability to easily send data-intensive files is a must, or employees will seek out unsecure workarounds, such as free, consumer-based application Dropbox.
4. File transfer on the go: According to an IDC Healthcare Insights Study, clinicians use an average of 6.4 different mobile devices in a day, highlighting the need for file transfer security across all smartphones, tablets and devices, not just the ones installed in an examination room.
5. Say goodbye to lost data: Studies show that most of us will lose a smartphone at least once this year. Require built-in remote wiping functionality that allows IT to select desired users and/or device profiles and erase all content, providing around-the-clock protection wherever devices may go.
6. Enhanced encryption: While HIPAA does not explicitly require data encryption, it’s a must-have for end-to-end security. Look for three things: encryption both in transit and at rest; encryption that is at least 128-bit; and a unique encryption key that is not stored on the server. That means even if the server is compromised, your data is not.
7. Authorized users only: To prevent individuals from sharing usernames and passwords, support automated user authentication through integration with Active Directory or LDAP.
8. No user boundaries: To support effective communications with patients and other external constituents, it should be easy for authorized employees to invite outside users to download files, without requiring those outside the organization to install or configure software.
9. Simplicity: Having top-notch security doesn’t mean you have to sacrifice ease-of-use. It’s important to allow employees to work in the most productive manner. Unsecure, consumer-grade cloud options are just a few finger swipes away for every user, so you need to provide a compliant solution that is every bit as convenient and attractive.
Now is the time to assess your electronic file transfer methods to make sure that PHI gets into the right hands – and only the right hands – from September 23 forward.