Compliance is now a deeply embedded aspect of corporate IT culture. Why? HIPAA requires that the privacy of health records be protected, wherever they reside or whenever they are moved. That means the impact of HIPAA can be felt by nearly every aspect of IT operations, including messaging, storage, virtualization and even networking, so long as electronic PHI (ePHI) records are stored within or transferred over them. In turn, IT must be able to produce evidence of the security of these systems for compliance audits.
Healthcare organizations must be able to demonstrate that they have standardized mechanisms for the security and confidentiality of all healthcare-related data. From an IT perspective, there are several general guidelines that entities must follow:
- Ensure the confidentiality, integrity and availability of all ePHI, including the protection of patient privacy by encrypting medical records. (Under the Security Rule, encryption is an "addressable" specification: the entity must implement it or document why an equivalent alternative is reasonable and appropriate.)
- Protect against reasonably anticipated threats or hazards to the security or integrity of the ePHI the entity creates, receives, maintains or transmits.
- Deliver visibility, control and detailed auditing of data transfer.
- Protect against reasonably anticipated uses or disclosures of ePHI that are not permitted by the Privacy Rule, including preventing the loss of confidential medical records via removable devices.
- Ensure that the organization’s workforce complies with HIPAA and minimizes the threat of data being stolen for financial gain.
- Review and modify security measures as needed to ensure reasonable and appropriate protection of ePHI.
Many enterprise IT shops use Control Objectives for Information and Related Technologies (COBIT) as a reference framework for this work. COBIT is an IT governance and control framework published by ISACA that defines control objectives for the management and security of sensitive data. According to WhatIs.com’s definition for COBIT, the standard “consists of an executive summary, management guidelines, framework, control objectives, implementation tool set and audit guidelines. Extensive support is provided, including a list of critical success factors for measuring security program effectiveness and benchmarks for auditing purposes.”
The IT departments of all companies that handle PHI must be aware of the key requirements of HIPAA, including log management, backups and the security of electronic communications. IT departments also approach HIPAA compliance through PHI flow analysis, training, policy and procedure refinement, risk analysis and self-assessment.
The impact of HIPAA can also be felt on Web 2.0 technologies like blogs, wikis and social networking. Such platforms introduce all-new compliance headaches, as gigabytes of data are generated through messaging and sharing. If any of it pertains to private health records, enterprise IT professionals must prepare for the inevitable visit by a HIPAA compliance auditor looking for log files and security holes. Increasingly, compliance officers use event log management software to track two kinds of key events: points where data enters or exits the enterprise, such as email systems, and the arrival or departure of employees who hold access to sensitive data such as ePHI.
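As an added illustration of the log review described above (this is example code written for this page, not software from the article or from any vendor it mentions), the script below reads a constructed, pipe-delimited audit log and an assumed HR roster and flags three conditions an auditor would ask about: ePHI access by an account the HR system does not know, ePHI access outside an employee's hire and termination dates, and ePHI emailed to a domain other than the assumed internal one. The log format, the roster, the domain `example-hospital.org` and every sample line are assumptions made up for the demonstration.

```python
"""Added example: review a constructed audit log for ePHI access and egress events.

Not code from the original article. The log format, HR roster, internal
domain and sample lines below are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed HR roster: account -> (hire date, termination date or None if still employed).
HR_ROSTER: dict[str, tuple[date, Optional[date]]] = {
    "jdoe": (date(2021, 3, 1), None),
    "asmith": (date(2019, 6, 15), date(2023, 9, 30)),
}

INTERNAL_DOMAIN = "example-hospital.org"  # assumed internal mail domain

# Constructed sample audit log in an assumed pipe-delimited format:
# timestamp|account|action|resource|classification|destination
SAMPLE_LOG = """\
2023-09-28T10:15:00|asmith|READ|patient/1001/chart|ephi|-
2023-10-02T08:05:00|asmith|READ|patient/1042/labs|ephi|-
2023-10-02T09:30:00|jdoe|EMAIL|patient/1042/labs|ephi|dr.lee@example-hospital.org
2023-10-02T09:31:00|jdoe|EMAIL|patient/1042/labs|ephi|someone@gmail.com
2023-10-02T11:00:00|jdoe|EMAIL|cafeteria/menu.pdf|nonephi|someone@gmail.com
2023-10-03T02:12:00|tmp_admin|READ|patient/1042/labs|ephi|-
"""


@dataclass
class Event:
    line_no: int
    ts: datetime
    account: str
    action: str
    resource: str
    is_ephi: bool
    destination: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed pipe-delimited format; skip blank lines, reject malformed ones."""
    events: list[Event] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"line {n}: expected 6 fields, got {len(fields)}")
        ts, account, action, resource, classification, dest = fields
        events.append(
            Event(n, datetime.fromisoformat(ts), account, action, resource,
                  classification == "ephi", dest)
        )
    return events


def review(events: list[Event], roster=HR_ROSTER, internal_domain=INTERNAL_DOMAIN):
    """Return (rule, line_no, account) findings for ePHI events that need an auditor's attention."""
    findings = []
    for ev in events:
        if not ev.is_ephi:
            continue  # only ePHI events are in scope for these checks
        if ev.account not in roster:
            # An account touching ePHI with no HR record: onboarding/offboarding gap.
            findings.append(("ephi_access_by_account_not_in_hr_roster", ev.line_no, ev.account))
            continue
        hired, terminated = roster[ev.account]
        day = ev.ts.date()
        if day < hired or (terminated is not None and day > terminated):
            # Access before hire or after departure means the account was not disabled in time.
            findings.append(("ephi_access_outside_employment_dates", ev.line_no, ev.account))
        if ev.action == "EMAIL":
            domain = ev.destination.rsplit("@", 1)[-1].lower()
            if domain != internal_domain:
                # ePHI leaving the organization by email to an external domain.
                findings.append(("ephi_sent_to_external_domain", ev.line_no, ev.account))
    return findings


if __name__ == "__main__":
    for rule, line_no, account in review(parse_log(SAMPLE_LOG)):
        print(f"line {line_no}: {account}: {rule}")
```

On the sample data the review flags line 2 (asmith reading ePHI two days after the roster's termination date), line 4 (jdoe emailing ePHI to gmail.com) and line 6 (an account with no HR record); the internal email on line 3 and the non-ePHI external email on line 5 are left alone. In a real deployment the roster would come from the HR or identity system and the log from the EHR's audit trail, and both would need their own integrity protection to be usable as audit evidence.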