HIPAA, HITECH And Medical Transcription, Part 4: Protecting ePHI - Technical Safeguards
164.312 Technical safeguards:
A CE must, in accordance with the general rule:
(a) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have appropriately granted access rights.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
(c) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(e) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
For MT service providers utilizing the Internet, a proper understanding of and adequate compliance with the Technical Safeguards section of the HIPAA Security Rule is of vital importance. This section is actually quite straightforward and concise in terms of the basic requirements. Implementing those requirements, of course, may turn out to be somewhat more complicated.
Part A deals with maintaining control over who can access electronic protected health information (ePHI) which is placed in your keeping. In the case of remote/home-based employees or independent contractors, business associates will likely need to perform some type of security review in order to ensure that every workstation being used by every MT is protected with whatever hardware or software is necessary to allow only authorized individuals to access ePHI, whether that data resides on the local computer, remote file storage sites, transcription platforms, etc.
Part B is probably one reason why we're starting to hear dictation/transcription platform vendors say that the days of Microsoft Word and FTP sites for home-based transcriptionists are a thing of the past. I'm not prepared to go that far, but there's no question in my mind that this requirement will prove problematic for a lot of MT operations. Basically, this is saying that a business associate must have some mechanism for tracking the life cycle of files containing ePHI from beginning to end. This would, I believe, include being able to track activity on individual MTs' home computers as it relates to ePHI, including:
- when audio and text files are accessed on a remote dictation/transcription platform;
- when audio or text files are downloaded from or uploaded to a remote file storage site or system;
- when text files are created/modified/accessed on the local PC.
Part C is closely related to Part B and requires that business associates implement policies and controls to ensure that the integrity of ePHI is maintained at all times.
Part D seems to me to overlap heavily with Part A, but focuses more specifically on user authentication. Again, this may prove to be a challenge for business associates utilizing remote personnel. The HIPAA requirements are quite vague here in terms of what technologies are acceptable to comply with this section. It's not clear to me whether or not simply using user logins and passwords would be adequate.
Part E addresses the need for securing ePHI that is being transmitted over networks, including the Internet. Encryption is the solution of choice under HITECH, and applies to data in motion as well as data at rest. It's important to understand the difference. Some "secure" FTP or other file transfer services use SSL encryption to provide a "HIPAA compliant" solution. Whether or not that was true before HITECH is debatable, but there's no debate now post-HITECH. SSL encryption only protects files while they are in transit; SSL does not protect data that is "at rest" on a remote server. Any system administrator, for instance, who can access that server either locally or remotely can technically access your files. To truly be HIPAA/HITECH compliant (and to avoid having to report breaches of "unsecured protected health information"), files containing ePHI should be protected by a mechanism that discretely encrypts individual files/folders, so that the information is secure even while residing on a remote server.
As is true of the Administrative and Physical Safeguards sections, keep in mind that simply having adequate policies and procedures in place is only part of the solution; proper documentation is a crucial component of compliance. As you move forward with a HIPAA compliance plan in a post-HITECH environment, remember the "Five D's":
- DETERMINE your specific requirements
- DESIGN appropriate policies and procedures
- DISSEMINATE information to all relevant personnel
- DAY-TO-DAY implementation of your policies and procedures
- DOCUMENT all the above
HIPAA/HITECH compliance is not impossible for small MT operators and independent contractors. But for many of us accustomed to flying below the radar in a minimalistic regulatory environment, business as usual is no longer good business.