Safeguard Actions Needed for HIPAA-Compliant File Storage

Maybe you’ve read about all the data breaches recently experienced by healthcare organizations across the country. Or perhaps you’ve seen the statistics on costly cyber attacks in the medical industry. Regardless of what incites you to take action, it’s clear that ensuring the security of your facility’s data assets is a non-negotiable. So, what’s your next move? Understand what you need to do in order to enforce HIPAA-compliant file sharing.

This is the only way to make sure your patients’ protected health information is as secure as possible -- and to keep your organization from suffering huge penalties as a result of regulatory violations. Noncompliance with HIPAA regulations can lead to costly fines, criminal charges and/or civil action lawsuits.

In this article, you’ll get a breakdown of the various categories of safeguards needed to comply with HIPAA law, according to the HIPAA Journal. For additional information on how these safeguards should be applied to your file sharing processes, be sure to get your free copy of our HIPAA Readiness Statement.

Understanding the Action Points of “Required Safeguards” Versus “Addressable Safeguards”

The following labels each action point as either “required” or “addressable, safeguards” so it’s important to identify the difference between these two classifications. Basically, required safeguards are mandatory. With addressable safeguards, however, there is some flexibility. If it is not reasonable to implement an addressable safeguard exactly as it is laid out, you have the option to use an appropriate alternative or forgo the safeguard altogether, depending on factors such as risk analysis, risk mitigation strategy and other security measures already in place (all of which must be thoroughly documented).

That said, as long as “addressable” safeguards are easily implemented by your file sharing provider, it may be wise to simply view them as if they were “required”.

Technical Safeguards

These safeguards pertain to the technology used to access and protect patient information. As stated by the HIPAA Journal, “The only stipulation is that ePHI [electronic Protected Health Information] – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable.” Other than that, each organization has the freedom to implement whatever solutions are most appropriate to accomplish the following technical safeguards:

Implement a means of access control (required)

• Assign a centrally controlled, unique username and PIN code for each user
• Establish procedures to govern the release or disclosure of ePHI during an emergency
  

Introduce a mechanism to authenticate ePHI (addressable)

• Confirm whether ePHI has been altered or destroyed in an unauthorized manner
  

Implement tools for encryption and decryption (addressable)

• Encrypt messages when they are sent beyond an internal firewalled server
• Decrypt those messages when they are received

Introduce activity audit controls (required)

• Register attempted access to ePHI
• Record what is done with the accessed data

Facilitate automatic logoff (addressable)

• Log authorized personnel off any device used to access or communicate ePHI after a predefined period of time
• Prevent unauthorized access of ePHI should a device be left unattended

Physical Safeguards

These safeguards articulate how physical access to patient information must be managed and protected from unauthorized users.

Facility access controls must be implemented (addressable)

• Introduce procedures to record any person who has physical access to the location where ePHI is stored
• Include safeguards to prevent unauthorized physical access, tampering and theft

Policies relating to workstation use (required)

• Restrict the use of workstations that have access to ePHI
• Specify the protective surrounding of a workstation (so that the screen cannot be seen from an unrestricted area)
• Govern how functions are to be performed on the workstations

Policies and procedures for mobile devices (required)

• Devise and implement policies to govern how ePHI is removed from mobile devices before they are re-used
  

Inventory of hardware (addressable)

• Maintain an inventory of all hardware and a record of the movements of each item
• Make a retrievable exact copy of ePHI before any equipment is moved

Administrative Safeguards

These safeguards bring HIPAA’s privacy and security rules together and govern the conduct of the workforce.

Conducting risk assessments (required)

• Identify every area in which ePHI is being used
• Determine all of the ways in which breaches of ePHI could occur
  

Introducing a risk management policy (required)

• Repeat risk assessment at regular intervals
• Introduce measures to reduce the risks to an appropriate level
• Introduce a sanctions policy for employees who fail to comply with HIPAA regulations
  

Training employees to be secure (addressable)

• Introduce training schedules to raise awareness of the policies and procedures governing access to ePHI as well as identification of malicious software attacks and malware
• Document all training
  

Developing a contingency plan (required)

• Enable the continuation of critical business processes and protect the integrity of ePHI whenever the organization operates in emergency mode
  

Testing of contingency plan (addressable)

• Assess the relative criticality of specific applications
• Ensure accessible backups of ePHI and procedures to restore lost data in the event of an emergency
  

Restricting third-party access (required)

• Make sure that ePHI is not accessed by unauthorized parent organizations and subcontractors
• Make sure that Business Associate Agreements are signed with business partners who will have access to ePHI
  

Reporting security incidents (addressable)

• Make all employees aware of how and when to report an incident so that action can be taken to prevent a breach whenever possible

Checking the HIPAA-Compliant Boxes

In order to ensure that your healthcare organization is meeting these technical, physical and administrative safeguards, it’s critical to find a file sharing provider that drills down on HIPAA compliance via the necessary features. Any provider can promise the ability to store and share information easily, but not all of them put a heavy emphasis on securing protected health information in accordance with the outlined HIPAA regulations.

You can’t afford to risk a costly security breach or a compliance violation by opting for the wrong kind of file sharing solution. Choose a provider that will place primary importance on top-notch security and regulatory compliance.

Access the HIPAA Readiness Statement for free to find out whether your FTP site is HIPAA compliant and to learn what features you need to have in the areas of Access Control, Audit Control, Integrity, Person or Entity Authentication and Transmission Security.