Today’s patients are no longer just patients. They are increasingly savvy consumers of healthcare. As they shop around for the best quality and value in providers and services, they often turn to technology to help. But not just any technology will do.
Take chat, for instance. Chatbots that help you shop for a dress or schedule an appointment at the car dealership don’t expect to handle sensitive health information. They aren’t HIPAA compliant, because they don’t need to be. As a tool that touches protected information, healthcare chats must have built-in protections to keep data secure.
HIPAA compliance can be a confusing subject, even for people working in the healthcare space. What does HIPAA compliance mean from a technology standpoint? Consider this your unofficial HIPAA primer.
HIPAA: An Introduction
Some violations of HIPAA privacy laws are easy enough to spot: A nurse leaves a patient’s chart open where another patient can see it or a receptionist secretly looks up her boyfriend’s medication history. But in healthcare technologies, a lot of HIPAA compliance goes on behind the scenes – and behind the screen.
In addition to complying with the HIPAA Privacy Rule, organizations that handle electronic protected health information (ePHI) must also comply with the HIPAA Security Rule. The rule applies to any company that touches ePHI, including electronic health records companies, healthcare chatbot systems, appointment scheduling services and cloud providers for health systems. Such entities must have a “business associate” contract spelling out what safeguards the entity has in place to protect that information from hacks, data breaches and other security lapses.
Because digital technology is complex (and constantly evolving), that’s harder than it sounds. It’s not enough for a patient database to prove it’s safe and secure, for instance. The servers that house the data, the systems that transmit data, even the programming languages used to create those systems all must demonstrate compliance as well.
Technical Safeguards for Data Security
1. Access control. These controls guarantee that only authorized users have the right to access protected data. Each user must have a unique user identification, and procedures must be in place to gain emergency access to the data. The standard also recommends that ePHI be encrypted and that users be automatically logged off after a period of inactivity.
2. Audit controls. This standard requires entities that deal with protected information to implement hardware, software or procedures that allow them to record and examine activity within their information systems. Such reports are valuable for determining whether security violations occurred.
3. Integrity. This standard requires organizations that handle ePHI to include mechanisms to show that the data have not been improperly altered or deleted.
4. Person or entity authentication. Organizations must implement procedures to verify that a person is who he or she claims to be before being allowed to access protected information.
5. Transmission security. Entities that handle ePHI must have security measures that guard data when it is being transmitted over an electronic communications network. If protected data is sent by email or over the Internet, those networks must be locked tight.
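The five safeguards above are stated as requirements, not mechanisms. The following is an added example (not code from Loyal or from this article) that shows how three of them look in practice: a unique user ID with automatic logoff after inactivity (access control), an append-only audit trail (audit controls), and a tamper-evident HMAC chain over that trail so that edited, deleted or reordered entries are detected (integrity). The 15-minute idle limit, the audit key and the user and record identifiers are constructed assumptions; the example assumes the caller has already authenticated the user, and it does not cover encryption at rest or transmission security (TLS), which belong in the storage and network layers.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key. A real deployment keeps this in a KMS/HSM, held
# separately from the application that writes the log, so an insider who
# can edit the log file cannot also re-sign it.
AUDIT_KEY = b"constructed-demo-audit-key"
INACTIVITY_LIMIT_SECONDS = 15 * 60  # assumption: 15-minute idle timeout


class AuditLog:
    """Append-only audit trail. Each entry's MAC also covers the previous
    entry's MAC, so changing, removing or reordering any entry breaks the
    chain from that point on."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list = []          # (line, mac) pairs, oldest first
        self._prev_mac = b"\x00" * 32    # chain anchor for the first entry

    def _mac(self, prev: bytes, line: str) -> bytes:
        return hmac.new(self._key, prev + line.encode("utf-8"), hashlib.sha256).digest()

    def record(self, ts: float, user_id: str, action: str, record_id: str) -> None:
        # Who did what to which record, and when (HIPAA audit control).
        line = f"{ts:.0f}|{user_id}|{action}|{record_id}"
        mac = self._mac(self._prev_mac, line)
        self.entries.append((line, mac))
        self._prev_mac = mac

    def first_tampered_index(self) -> Optional[int]:
        """Return the index of the first entry whose chain MAC no longer
        verifies, or None when the whole trail is intact."""
        prev = b"\x00" * 32
        for i, (line, mac) in enumerate(self.entries):
            if not hmac.compare_digest(self._mac(prev, line), mac):
                return i
            prev = mac
        return None


class SessionManager:
    """Tracks last activity per unique user ID and enforces automatic logoff."""

    def __init__(self, log: AuditLog, idle_limit: int = INACTIVITY_LIMIT_SECONDS) -> None:
        self._log = log
        self._idle_limit = idle_limit
        self._last_seen: dict = {}  # user_id -> timestamp of last activity

    def login(self, user_id: str, now: float) -> None:
        # Assumes the caller has already authenticated this user (password, MFA, ...).
        self._last_seen[user_id] = now
        self._log.record(now, user_id, "LOGIN", "-")

    def access_record(self, user_id: str, record_id: str, now: float) -> bool:
        last = self._last_seen.get(user_id)
        if last is None:
            self._log.record(now, user_id, "DENIED_NO_SESSION", record_id)
            return False
        if now - last > self._idle_limit:
            # Idle too long: terminate the session and refuse the access.
            del self._last_seen[user_id]
            self._log.record(now, user_id, "AUTO_LOGOFF", "-")
            self._log.record(now, user_id, "DENIED_EXPIRED", record_id)
            return False
        self._last_seen[user_id] = now
        self._log.record(now, user_id, "READ", record_id)
        return True


def demo() -> dict:
    """Walk through a login, a normal read, an idle-expired read, and then
    a simulated after-the-fact edit of the audit trail."""
    log = AuditLog(AUDIT_KEY)
    sessions = SessionManager(log)
    sessions.login("nurse-0042", now=1_700_000_000)                            # constructed IDs
    first_ok = sessions.access_record("nurse-0042", "patient-123", now=1_700_000_300)   # 5 min later
    idle_ok = sessions.access_record("nurse-0042", "patient-123", now=1_700_001_300)    # >15 min idle
    intact = log.first_tampered_index()
    # Simulate someone rewriting the READ entry (index 1) without the key.
    line, mac = log.entries[1]
    log.entries[1] = (line.replace("patient-123", "patient-999"), mac)
    return {
        "first_read_ok": first_ok,
        "read_after_idle_ok": idle_ok,
        "intact_before_edit": intact,
        "first_tampered_index": log.first_tampered_index(),
    }


if __name__ == "__main__":
    print(demo())
```

The chain anchor and key are the two things a reviewer should look for: without a secret key the log is only checksummed, not tamper-evident, and without chaining an attacker who deletes a whole entry leaves every remaining entry valid.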
Avoiding HIPAA Violations
Any organization that handles PHI needs to abide by the HIPAA technical safeguards. HIPAA violations are serious for three very important reasons:
1. The data protected by HIPAA laws is sensitive material. You can sell a person’s Social Security number or driver’s license for a lot of money on the black market – and being the victim of identity theft can cost time and money and damage a person’s reputation. It’s a nightmare for the identity theft victim – and a PR nightmare for the company that allowed the breach to happen.
2. The penalties associated with misuse of ePHI can be steep. In fact, HIPAA violations can be subject to criminal as well as civil charges.
3. Healthcare consumers demand security. People of all ages are increasingly concerned about the ways in which their personal data are being used and protected – or not protected.
Loyal: A Commitment to Data Protection
Programmers have a lot to think about when designing a HIPAA-compliant database or chatbot. Fortunately, tech experts can do the heavy lifting so that healthcare systems – and their patients – can be assured their personal information is in good hands.
At Loyal, we take privacy and data security seriously:
We constructed our security program using the HITRUST Common Security Framework (HITRUST CSF®). This certifiable framework provides organizations with a comprehensive approach to regulatory compliance and risk management.
SOC2 report. We’re actively developing a Service and Organization Controls (SOC2) report, which details our reporting and audit controls in five key areas: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Data protection is critical for anyone working in digital health technologies. We’re committed to helping you get it right. Learn more about data security at Loyal