How to Keep Your Patients’ Protected Health Information (PHI) Safe
While the adoption and advancement of electronic technology in the healthcare and insurance industries have provided many benefits to patients and the healthcare industry, they have also increased the risk of improper use and disclosure of individually identifiable electronic health information, known as protected health information (PHI).
In response, the U.S. government enacted Public Law 104-191, Health Insurance Portability and Accountability Act of 1996 (HIPAA). This law includes provisions to address waste, fraud and abuse in health insurance and healthcare delivery by establishing standards for the security of electronic health information transactions and privacy standards for PHI.
In the ensuing years, additional HIPAA rules have been enacted to implement, clarify and strengthen the standards:
- Privacy Rule
- Security Rule
- Enforcement Rule
- Breach Notification Rule
The goal of this blog is to highlight the HIPAA standards that apply to file transfers and how the right secure file transfer tool can be used to reach or maintain HIPAA compliance.
Understanding HIPAA Requirements for Secure File Transfer
HIPAA covers all aspects of protecting an individual’s information by putting administrative, technical and physical safeguards in place. However, meeting the specified technical safeguards is the primary focus of electronic information systems or software that transfer files containing PHI.
What Technical Safeguards Are Required to Meet Compliance?
Part 164 – Security and Privacy, 164.312 Technical Safeguards identifies and outlines the standards that covered entities and business associates must meet when transmitting any individually identifiable health information in electronic form. The following sections describe the relevant standards.
(a)(1) Standard: Access Control
Implement technical policies and procedures that allow access only to those persons or software programs that have been granted access rights in accordance with HIPAA. Specifications include:
- Unique user identification (Required)
- Emergency access procedure (Required)
- Automatic logoff (Addressable)
- Encryption and decryption (Addressable)
(b) Standard: Audit Controls
Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.
(c)(1) Standard: Integrity
Implement policies and procedures to protect electronic PHI from improper alteration or destruction:
- Mechanism to authenticate electronic protected health information (Addressable)
(d) Standard: Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed.
(e)(1) Standard: Transmission Security
Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.
- Integrity controls (Addressable)
- Encryption (Addressable)
Access Controls and Authentication for HIPAA Compliance
Safeguarding the privacy of an individual’s medical records and other PHI data is the goal of HIPAA. The first step towards that goal is ensuring that only those applications and personnel that have been granted rights to access PHI can do so. Secure file transfer applications do this with built-in access controls and authentication measures.
- Role-based access control (RBAC) is a common principle. In RBAC, personnel are provided just the amount of access needed to perform their job role. This helps keep information access and disclosure limited to a need-to-know basis as required by HIPAA.
- Authentication consists of measures that ensure the person accessing the data is who they claim to be. Utilizing multi-factor authentication (MFA) for logging in provides additional protection and requires more than just a password to confirm a user’s identity.
Importance of Encryption in Protecting PHI in File Transfer
As you can see by looking over the standards highlighted in this blog, encryption is also an important aspect of protecting PHI. Secure file transfer solutions that provide end-to-end encryption (E2EE) ensure PHI is safeguarded every step of the way:
- Encrypt files at the file level using an encryption standard such as OpenPGP, based on Pretty Good Privacy (PGP) software.
- Secure files in transit using secure protocols such as SFTP, FTPS and HTTPS.
- Keep data secure at rest by implementing security features such as AES 256-bit FIPS-compliant encryption and cryptographic key management.
Audit Logging to Track Activity on PHI
Finally, HIPAA requires that PHI not be accessed, altered or destroyed in any unauthorized manner. Therefore, secure file transfer tools must track and log all activity on PHI data and provide audit tools that enable recording and examination of that activity.
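The following Go program is an added example (not Thru’s product code and not from this post) showing how three of the safeguards discussed above fit together in a file transfer service: encryption of a file at rest, an integrity mechanism that detects improper alteration, and an audit log in which activity on PHI is recorded in a way that makes later editing or deletion of records detectable. It uses AES-256-GCM from Go’s standard library as an illustrative stand-in for the file-level and at-rest encryption the post describes (OpenPGP is not implemented here), and the `EncryptPHI`, `DecryptPHI` and `AuditLog` names, the hash-chained log schema, and the sample record are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
	"time"
)

// newGCM builds an AES-256-GCM AEAD; AES-256 requires exactly a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail once the key length is checked
	return cipher.NewGCM(block)
}

// EncryptPHI returns nonce||ciphertext||tag; the GCM tag is the integrity mechanism that detects any later alteration.
func EncryptPHI(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per file
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptPHI reverses EncryptPHI and fails closed when the tag does not verify.
func DecryptPHI(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// AuditEntry is one PHI activity record (hypothetical schema); PrevHash chains it to the prior entry.
type AuditEntry struct {
	Time, Actor, Action, Object, Outcome, PrevHash string
}

// AuditLog is append-only and hash-chained; a real deployment keeps Head in separate write-once storage.
type AuditLog struct {
	Entries []AuditEntry
	Head    string
}

func entryHash(e AuditEntry) string {
	fields := []string{e.Time, e.Actor, e.Action, e.Object, e.Outcome, e.PrevHash}
	sum := sha256.Sum256([]byte(strings.Join(fields, "\x1f")))
	return hex.EncodeToString(sum[:])
}

func (l *AuditLog) Append(actor, action, object, outcome string) {
	e := AuditEntry{time.Now().UTC().Format(time.RFC3339Nano), actor, action, object, outcome, l.Head}
	l.Entries = append(l.Entries, e)
	l.Head = entryHash(e)
}

// Verify recomputes the chain; false means a record was altered or removed.
func (l *AuditLog) Verify() bool {
	prev := "" // the first entry has no predecessor
	for _, e := range l.Entries {
		if e.PrevHash != prev {
			return false
		}
		prev = entryHash(e)
	}
	return prev == l.Head
}

func main() {
	key := make([]byte, 32) // in practice fetched from a managed key store
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	var trail AuditLog
	blob, err := EncryptPHI(key, []byte("MRN=000000;NAME=Sample Patient")) // constructed record, not real PHI
	if err != nil {
		panic(err)
	}
	trail.Append("svc-mft", "encrypt", "referral-0001.enc", "success")
	blob[len(blob)-1] ^= 0x01 // simulate improper alteration of the stored file
	_, err = DecryptPHI(key, blob)
	trail.Append("svc-mft", "decrypt", "referral-0001.enc", fmt.Sprintf("error: %v", err))
	fmt.Println("chain intact:", trail.Verify(), "entries:", len(trail.Entries))
}
```

Running it with `go run` prints `chain intact: true entries: 2`: the flipped byte is caught by the GCM tag rather than silently yielding altered PHI, and the failed decryption is itself logged. Transport protection (SFTP, FTPS, HTTPS) and key management are deliberately outside this snippet; the chained `Head` value only helps if it is stored where the same actor who could rewrite the log cannot also rewrite it.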
How Thru Keeps File Transfers HIPAA-Compliant
Since 2002, Thru has provided secure file sharing services in the cloud to enterprise-level businesses. Our cloud-native managed file transfer (MFT) service has several key features to help businesses strengthen their data security and remain compliant, including:
- Encryption in transit and at rest
- Role-based access controls
- Multi-factor authentication
- Audit and logging
- Multi-level retention policies