HIPAA, the Health Insurance Portability and Accountability Act, is the U.S. federal law that sets the standard for protecting sensitive patient data. Any organization that handles protected health information (PHI) must ensure that the appropriate physical, network, and process security measures are in place and are actually followed.
Covered Entities and Business Associates
The HIPAA Compliance Rules apply to Covered Entities and Business Associates.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information. Covered Entities must also provide individuals with certain rights with respect to their health information.
If a Covered Entity engages a Business Associate to help it carry out its health care activities and functions, the Covered Entity must have a written Business Associate Agreement in place with the Business Associate. At a minimum, a Business Associate Agreement must cover 10 provisions.
In addition to these provisions, Business Associates are directly liable for compliance with certain provisions of the HIPAA Compliance Rules.
The HIPAA Privacy Rule governs how an individual's medical and personal information may be stored, accessed, used and shared. The HIPAA Security Rule, meanwhile, sets national standards for safeguarding health data that is created, received, maintained or transmitted in electronic form, known as electronic protected health information (ePHI).
If you are hosting your email with a HIPAA email hosting provider, they must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services (HHS).
The physical and technical safeguards that are most relevant to your HIPAA compliant email provider are listed below.
Physical safeguards. These cover facility access controls, so that only authorized people can enter the locations where systems holding ePHI are kept. All Covered Entities and Business Associates must have policies governing the use of, and access to, workstations, servers and electronic media, including how electronic media and the ePHI on it are transferred, removed, disposed of and re-used.
Technical safeguards. These concern the technical controls that allow only authorized users to access ePHI. Access control includes assigning a unique user ID to every user, enforcing password requirements, automatically logging off idle sessions, and encrypting ePHI. Under the Security Rule, unique user identification is a required specification, while automatic logoff and encryption are "addressable": the organization must implement them or document why an equivalent alternative is reasonable and appropriate.
Audit controls. Audit logs must be implemented that record who accessed ePHI and what they did with it. These records are what an investigator relies on when determining whether a security violation has occurred, so they must be complete and protected from tampering.
Technical policies. These policies should cover integrity controls, meaning measures that confirm ePHI has not been altered, destroyed or improperly accessed, for example checksums or digital signatures on stored messages. A disaster recovery plan is also essential, so that ePHI can be restored quickly and completely after a hardware error or failure.
Transmission security. This is the last technical safeguard required of HIPAA compliant email hosting providers. It covers every path by which email carrying ePHI crosses a network, and in practice means encrypting messages in transit (for example with TLS between mail servers and clients) and guarding against interception or modification on the way.
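The technical safeguards above are easiest to understand as checks you can actually run against an email server's audit log. The following is an added example written for this article, not code from the article's author or from any hosting provider. It reviews a small constructed log for three of the expectations listed above: one credential active from two addresses at once (a unique user ID that appears to be shared), a session that stayed usable past the idle limit (automatic logoff not enforced), and a mailbox opened by a user who is not authorized for it (access control). The log format, the user names, the mailbox ACL and the 15-minute idle limit are all assumptions made for the example; HIPAA itself does not prescribe a timeout value.

```python
"""Review a constructed email-server audit log against three HIPAA Security Rule
technical-safeguard expectations: unique user identification, automatic logoff,
and access limited to authorized users.

Example code added to the article; log format, users, ACL and idle limit are assumptions."""
from datetime import datetime, timedelta

# Assumed auto-logoff threshold; HIPAA leaves the value to the entity's risk analysis.
AUTO_LOGOFF = timedelta(minutes=15)

# Assumed authorization table: which mailboxes each user ID may open.
MAILBOX_ACL = {
    "alice": {"alice", "clinic-intake"},
    "bob": {"bob"},
}

# Constructed sample log: one event per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:00:00 user=alice ip=10.0.0.5 action=login
2024-03-04T09:01:00 user=alice ip=10.0.0.5 action=read mailbox=clinic-intake
2024-03-04T09:02:00 user=alice ip=10.0.0.9 action=login
2024-03-04T09:03:00 user=alice ip=10.0.0.9 action=read mailbox=clinic-intake
2024-03-04T09:04:00 user=alice ip=10.0.0.9 action=logout
2024-03-04T09:30:00 user=alice ip=10.0.0.5 action=read mailbox=alice
2024-03-04T09:31:00 user=alice ip=10.0.0.5 action=logout
2024-03-04T10:00:00 user=bob ip=10.0.0.7 action=login
2024-03-04T10:01:00 user=bob ip=10.0.0.7 action=read mailbox=clinic-intake
2024-03-04T10:02:00 user=bob ip=10.0.0.7 action=logout
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def review_audit_log(text, acl=MAILBOX_ACL, timeout=AUTO_LOGOFF):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    open_sessions = {}  # (user, ip) -> timestamp of that session's last event

    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ip, action, ts = ev["user"], ev["ip"], ev["action"], ev["ts"]
        key = (user, ip)

        if action == "login":
            # Unique user identification: the same credential live from two
            # addresses at once suggests a shared or stolen account.
            other_ips = sorted(k[1] for k in open_sessions if k[0] == user and k[1] != ip)
            if other_ips:
                findings.append(
                    f"shared-credential user={user} ips={other_ips + [ip]} at={ts.isoformat()}")
            open_sessions[key] = ts
            continue

        last = open_sessions.get(key)
        if last is None:
            # Activity with no preceding login: the log is incomplete or was tampered with.
            findings.append(f"activity-without-login user={user} ip={ip} at={ts.isoformat()}")
        elif ts - last > timeout:
            # Automatic logoff: the session stayed usable beyond the idle limit.
            findings.append(f"idle-session-not-terminated user={user} ip={ip} idle={ts - last}")

        if action == "read":
            mailbox = ev.get("mailbox", "")
            # Access control: only mailboxes in the user's ACL may be opened.
            if mailbox not in acl.get(user, set()):
                findings.append(
                    f"unauthorized-access user={user} mailbox={mailbox} at={ts.isoformat()}")

        if action == "logout":
            open_sessions.pop(key, None)
        else:
            open_sessions[key] = ts

    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(finding)
```

Run as written, the script flags alice's second concurrent login, the 29-minute idle gap in her first session, and bob's read of the clinic-intake mailbox. In a real deployment the same review would run over the provider's actual audit trail, and the ACL and timeout would come from the organization's own access policy rather than constants in the file.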
An additional law, the HITECH Act, was passed in 2009. It strengthens enforcement of HIPAA by raising the penalties for organizations that violate the HIPAA Privacy and Security Rules.
The HITECH Act was enacted in response to the growth of digital health technology and the increased use, storage and transmission of ePHI.