HIPAA and healthcare: does your intranet meet the requirements?
Datasheet
healthcare edition
Modern healthcare in the digital world
Healthcare is making a transition further and further into the digital realm. In part, this means the use of collaboration software, such as intranets, to drive up organizational efficiencies and engage staff who are spread across disparate departments and locations. Intranets also provide powerful tools for knowledge sharing, which is vital to a field in which access to the most up-to-date studies makes the difference in saving patients’ lives. With so much potential in digital tools for healthcare, it’s paramount that organizations protect sensitive information and comply with HIPAA requirements.
The Security Rule: a deeper dive
The Security Rule lays out specific requirements for organizations to secure Electronic Protected Health Information (EPHI). Those requirements fall under the categories of Administrative, Physical, and Technical. The Technical requirements of the Security Rule necessitate that organizations protect information in open networks through encryption and in closed networks through access controls, and that they prevent unauthorized changing or erasing of the data. In addition, healthcare providers need to closely vet any external organizations with whom they communicate, such as vendors, to ensure those groups do not put patient data at risk. Aside from actually implementing these security practices, HIPAA requires organizations to closely document their compliance and make that documentation available to the U.S. Department of Health and Human Services (HHS).
What makes health information PHI?
HIPAA regulations intentionally set a low threshold for what’s considered PHI, and even the official definition is somewhat nebulous. Anything can be considered PHI if it includes a person’s name, any geographical information smaller than a state (e.g. a town or street address), a phone or fax number, an email address, a photo of the patient or customer, vehicle identifiers such as license plate numbers, and nearly anything else that can be used to discern someone’s identity. Examples of seemingly innocent comments that actually reveal PHI include:
“I just treated a 35 year old man in our Jacksonville facility for Type II diabetes. Perhaps I can help.”
“A colleague of mine has a patient named Malcolm who is a good case study for this type of treatment.”
“I have a patient who is 92 years old and is therefore at a higher risk for Alzheimer’s.”
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, established national standards and guidelines for maintaining the privacy and security of individual health information and addressing issues of fraud and abuse in the healthcare system. HIPAA’s Privacy Rule and Security Rule are perhaps most relevant for companies using collaboration software. Organizations are required to secure all private health information from unauthorized access. Violating HIPAA carries both civil and criminal penalties, and it is very strictly enforced.
Requirements for healthcare intranets
Having solid cybersecurity practices in place, and being able to document them, are key to HIPAA compliance. Because intranets have tools that help every area of an organization to run, they also need to comply with every rule specified in HIPAA. The features that intranets need in order to maintain that standard of security include:
SESSION TIMEOUTS
After an intranet session is left idle for a set period of time, the user should be automatically logged out to keep unauthorized users from accessing privileged data.
A WEB SERVER RUNNING SECURE SOCKETS LAYER (SSL)
This establishes an encrypted link between a web server and a browser, keeping data secure as it travels among machines in an organization’s network.
DATA ENCRYPTION
Data should be encrypted both at rest and in transit to ensure there is no point at which it’s unsecured.
SECURE ACCESS CONTROLS
Employees should only have access to the parts of the intranet for which they’re authorized and which are necessary for their jobs.
SERVER MONITORING
The intranet provider should have staff to monitor servers in the event that a breach does occur and take action before any damage is done.
REGULAR SECURITY AUDITS
It’s the responsibility of the provider to frequently audit their security practices and update them as necessary.
EDUCATED PERSONNEL
Any IT staff at a healthcare organization, as well as the intranet provider’s personnel, should be aware of all HIPAA requirements and able to maintain compliance.
Phone: (646) 564 5775
New York: 21 W. 46th St., 16th Fl., New York, NY 10036
San Francisco: 600 California St., 11th floor, San Francisco, CA 94109
Web: www.interact-intranet.com Twitter: @intranetexperts
Interact’s intelligent intranet is compliant with HIPAA, ISO 27001, and SOC Type II IT and security standards. For a full list of Interact’s security practices and how we carry them out, visit https://www.interact-intranet.com/product/cloud-features/intranet-cloud-security/.