My Father’s Guide to HIPAA Compliance

This article is about compliancy and the regulations surrounding the protection of Protected Health Information (PHI).

Nearing my 50’s I feel that my generation was perfectly set at the crossroads of yesterday and today, allowing me to witness firsthand how quickly the world changes. Growing up in the 1970’s provided for some interesting perspectives compared to how we understand the laws of today. Smoking was considered cool -  at any age. Drinking and driving was basically invented during this time.  This was even more special for me as my father owned a plane.  Seatbelts? Not in the back compartment of that wood paneled station wagon, facing backwards out the window as we tried to distract the car behind us. I remember being 8 years old and leaving in a boat to go fishing in the morning only to return late at night without a question as to where I was. School was something that you just needed to pass so that your mother wouldn’t have to bother your father with the news of your bad grades after his long day of work.  I won’t even get into the discipline side of things...oh the memories.

Don’t get me wrong, laws were in place back then, but my father taught me from a young age that “perception is 9/10th's of the law… and you’re only guilty if you get caught”.

HIPAA compliancy is kind of like a Rubik’s cube (another reference to my generation). It makes sense if you understand all the rules, but unfortunately, only a few nerds had this level of time, resources, and training invested. Most healthcare professionals understand the importance PHI and their intentions would never be to purposely place this information at risk. The challenge is that these professionals earn their living by providing the services that they spent eight years in school for. Their level of success is directly tied to billable hours, or how much time is spent offering healthcare services.  School did not prepare them to be IT or legal experts, yet HIPAA regulations pertaining to PHI treat them that way.  The fines associated with a data breach carry the power to cripple their business.

The risk doesn’t stop at the practice, HIPAA Compliancy is a requirement for all Covered Entities – including Business Associates.  If you are an IT service provider, it doesn’t really matter if you are healthcare specific or not. Having at least one healthcare customer with PHI, and hosting/managing that data, as a Business Associate, it makes you just as “at risk” for non-compliance penalties.

In the ‘70’s, Nerds wrote instruction books to help the average person conquer the Rubik’s cube and lucky for you, my network of PHI protection nerds are providing the following instructions* to help you solve the HIPAA PHI compliancy puzzle:

PHI Protection under the laws of HIPAA covers 3 main areas.

1. Confidentiality – PHI under your care needs to be saved in a non-readable format and there must not be any visible association to a specific individual (or patient).
2. Integrity – The data must remain in the same format that it was originally saved – it has to be tamperproof.  Also, access to this data must be limited to only those qualified to view.
3. Availability – PHI can’t be lost and it needs to be recoverable and usable within a reasonable period of time.

Basic guidelines for data protection under HIPAA

• PHI protection is NOT optional - All Covered Entities, including medical practices and BAs, must securely maintain retrievable exact copies of electronic protected health information.
• PHI must be recoverable – The key here is that you must be able to fully "restore” any loss of data.  Without the ability to restore, data protection is rather useless.
• PHI must have a copy stored offsite -  There is some flexibility here with regards to what “offsite” is, but you need to have a copy of your critical data in a separate location than your practice.
• PHI must be protected frequently -  In these days even losing a day’s worth of data would be considered significant.
• PHI must be encrypted - PHI needs to be encrypted while at rest and also during transmission to prevent outside access.  Make certain that the data is encrypted with an industry accepted encryption algorithm. AES is the industry standard.
• PHI recovery must be documented - HIPAA requires written procedures related to your PHI backup and recovery plan. Showing your intent and taking the time to document the protection of your PHI could protect you from penalties.
• PHI recovery must be tested – You must be able to demonstrate that you tested your ability to restore lost PHI.

* These steps alone put you on the correct path for HIPAA compliance, but of course do not guarantee that you are compliant in all areas regarding PHI.  These recommendations are not legal advice, and qualified counsel should always be consulted regarding legal issues specific to your practice.

There are several ways that your data can become compromised as disaster presents itself in many forms. It is best to identify these risks before they happen, speculate on what could happen, and build a plan for dealing with them. Being HIPAA compliant is necessary, and while it’s great to avoid audits and penalties, protecting your PHI serves the greatest interest of keeping the doors open. With or without regulations, every business (that wants to stay in business) should invest in putting together a quality data protection plan. Even the loss of every-day business data like accounting information can be devastating.  Nobody can afford down time or a bad reputation in the age of instant information.

As much of a puzzle HIPAA compliancy can be, working with experts in this field, I’ve learned that HIPAA regulations can actually be more forgiving than AquanNet was to mullets and big hair. If you can prove intent, you can avoid penalty.

Therefore take the time to document your procedures, then build a PHI/data recovery plan and maintain proof that you frequently test against this plan. Nobody wants to lose or risk the integrity of their PHI and you definitely do not want to be fined up to hundreds of thousands of dollars in penalties.

Flash forward to today.  The world is in a different kind of chaos. This is the age of helicopter parents where the kids rule and would simply dispose of us if it weren’t for the fact that they needed us to supply them with food, do their homework assignments, pay their bills and drive them places. Laws are certainly stricter, and society as a whole is much more litigious, but one piece of my dad’s advice strangely, still stands…

"you’re only guilty if you get caught"... without a plan.

A NovaStor webinar on HIPAA Compliance and Backup can be viewed here.