About Information Security and Managing your ePHI
The internet continues to play a key role in simplifying business practices in all industries. The health care industry is no exception. Many health care organizations are finding it necessary to place Protected Health Information (PHI) or electronic Protected Health Information (ePHI) online. One extremely important factor that health care organizations need to consider is that PHI is covered under the HIPAA and HITECH acts and must be handled very carefully.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to provide privacy standards for the protection of patients' medical records and other health information supplied to health plans, doctors, hospitals and other healthcare entities.
What is HITECH?
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extends HIPAA coverage by addressing third-party access to protected health information (PHI), increasing compliance obligations and strengthening enforcement penalties.
Why is it Important to Comply with HIPAA and HITECH?
HIPAA and HITECH compliance is imperative to preserve your ongoing business operations. Failure to successfully meet the standards may result in not only regulatory actions, such as fines, but also loss of business, damage to reputation and loss of public trust.
How to Protect Your PHI?
Organizations looking to transmit or store PHI on the Internet should take a multi-layered approach to their data protection. Here are some areas to address:
Servers - PHI should be hosted on dedicated servers with hardened operating systems.
Security patches need to be kept up to date, and strong passwords should be required for all logins.
Firewalls - A dedicated firewall is required.
Intrusion detection software should be run to log traffic to and from the servers.
A VPN is necessary in most cases, as it encrypts data transferred between two locations.
Software - Software should be installed on the server to track changes to files and to log who changed and/or viewed PHI, from where and at what time.
Storage - Since PHI and records of access to PHI need to be stored for a minimum of 6 years, a backup retention strategy should be put in place that meets that requirement. Typically this will involve off-site archiving of backups. Encryption should be used on PHI and related data stored on portable media.
If you need help with HIPAA and HITECH compliance, make sure to find a trusted web host who has the right knowledge, experience, and security tools to continuously safeguard your PHI.