If you work in healthcare or know someone who works in healthcare, then you have likely heard of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA governs how electronic protected health information (ePHI) is stored, transmitted, and accessed. HIPAA covers much more than these three aspects, but these three are the focus of this multipart LinkedIn posting series.
If you utilize a cloud hosted EHR or EMR you may decide this series isn’t for you. Besides, your software provider told you they are HIPAA compliant and even gave you a signed Business Associate Agreement (BAA). This series will surprise you so keep reading.
Hiding place number 1: Email (email is on the internet and internet is forever and inherently insecure)
Answer these questions honestly! Do you have a signed BAA with your email provider? Do you send or receive ePHI via email? Do you utilize fax or scan to email that contains ePHI? Do you receive email on your phone, tablet, PC, or other devices? Do you have signed authorizations by patients that allows transmission of ePHI? If you send ePHI via email are you using encryption methods to secure the data and audit access?
HIPAA requires that ePHI be secured at rest and in transmission. What does this mean? It means that unauthorized persons should not be able to access ePHI while on any of your devices. Access to ePHI must also be auditable and regularly audited by use of internal control systems i.e. an active HIPAA Compliance Officer.
Example: You regularly send encrypted emails containing ePHI. You have your phone and laptop setup to send, receive and store email. You have a downloaded copy of Microsoft’s BAA on file and your IT department enforces encryption on your laptop and phone. Over the weekend you left your phone and laptop in your car. In the morning, you go out to your car and find your windshield smashed and your laptop and phone missing. What do you do to ensure HIPAA compliance? Nothing, you have already met all the requirements of the encryption safe harbor. What happens if you regularly send ePHI through email, but haven’t met all the requirements above? You must report: www.hhs.gov