The HIPAA privacy rule protects patient and employee health data. To protect that sensitive information, follow this quick primer.
Personally identifiable information, or PII, is any data that could identify an individual. That is, it can be information used to distinguish one person from another, including name, surname, address, credit card number, Social Security number, or Protected Health Information (PHI). This is all information that must be protected.
That last one, PHI, falls under the purview of the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), which established national standards to protect individuals’ health and medical records and personal health information back in 1996. All organizations that handle PHI are required to enact safeguards that protect the privacy of that information, primarily from breaches and cyber-attacks. The rule holds companies that fail to protect such data accountable, and it gives patients more control over their health information, such as the ability to find out how their information may be used.
If your organization handles PHI in the cloud, either on its own or via a third party, then it must comply with the HIPAA Privacy Rule or face civil penalties. Many pieces of information count as PHI, including names, email addresses, telephone numbers, fax numbers, Social Security numbers, medical record numbers, health plan beneficiary numbers, license plate numbers, and even website URLs and photos. These could belong to patients or to your company’s employees.
No matter the data type, here’s a quick primer on how to abide by the HIPAA privacy rule:
Know Who Handles the Data, and Where
The first thing to do to protect PHI is find out who handles your data—whether it’s your company, a third-party cloud provider, or multiple third parties. Make it absolutely clear who handles the data, including engineers and consultants, data centers and cloud hosting providers. Keep this information updated and available to authorized company employees.
Once you and your cloud hosting providers have established where everything is (and what type of data is collected, stored, and transferred), clearly define the responsibilities of each group. Firewall maintenance and the other important security measures, technologies, and policies should be agreed well before a breach occurs, not worked out during one.
Keep Shadow IT Under Control
Know which applications, devices, and practices employees use to access PHI and company systems. Are they using unauthorized apps, smartphones, and laptops? If so, it pays to monitor how and where employees log in to systems, and to mitigate the risk either by restricting unauthorized devices or by implementing security controls over employees' devices: encryption, multi-factor authentication, and an enforced strong password policy. Employees should be trained about the dangers of phishing emails (fraudulent messages that can steal valuable login information) and malware.
Limit the Amount of Data Stored
Delete needless data. In the event of a breach, the damage is limited if there is less information to lose. Create policies that allow for the erasure of PHI that is no longer required, and keep track of what is stored with regular audits.
Finally, organizations can sidestep the HIPAA Privacy Rule almost entirely by investing in pseudonymization and encryption, methods that protect data by rendering it unreadable, which is reversible only with the right encryption keys. Cloud data protection solutions such as eperi Gateway give you sole access to the encryption keys. That way, your organization always retains control of, and responsibility for, patient and employee PHI protection, even if the data is stored and processed in SaaS applications.
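The gateway pattern described above, as an added illustration that is not the page's own code nor eperi's implementation: PHI fields are replaced with keyed tokens before a record leaves the organization, while the key and the token-to-value vault stay local. The field names, the record layout and the use of HMAC-SHA256 tokens with a local vault are assumptions made for this example; a production gateway would use authenticated encryption and a durable key store.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed subset of the PHI identifiers the primer lists; the record layout is hypothetical.
PHI_FIELDS = ("name", "email", "phone", "ssn", "medical_record_number")


class PseudonymGateway:
    """Replaces PHI fields with keyed tokens before a record is sent to a SaaS application.

    The HMAC key and the token -> value vault never leave this process, so the SaaS side
    only ever holds tokens. Re-identification needs both the vault and the key, which is
    what keeps control of the data with the covered entity rather than the provider.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Key is generated (or supplied) locally; it is never shared with the SaaS provider.
        self._key = key or secrets.token_bytes(32)
        self._vault: Dict[str, str] = {}  # token -> original value, local only

    def _token(self, field: str, value: str) -> str:
        # Deterministic per (field, value): the same patient always maps to the same token,
        # so the SaaS can still match or search records without seeing the real value.
        # Caveat: deterministic tokens reveal equality, so low-entropy fields invite guessing.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        return "tok_" + mac.hexdigest()[:32]

    def pseudonymize(self, record: dict) -> dict:
        """Return a copy of the record with every PHI field replaced by a token."""
        out = dict(record)
        for field in PHI_FIELDS:
            if out.get(field) is not None:
                token = self._token(field, str(out[field]))
                self._vault[token] = str(out[field])
                out[field] = token
        return out

    def reidentify(self, record: dict) -> dict:
        """Restore PHI fields from the local vault; unknown tokens are left untouched."""
        out = dict(record)
        for field in PHI_FIELDS:
            if field in out and out[field] in self._vault:
                out[field] = self._vault[out[field]]
        return out
```

A second gateway instance without the vault (for example, anyone holding only the SaaS copy) cannot reverse the tokens, which is the property the primer is after.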
Are Office 365 and Salesforce HIPAA Compliant?