Digital storage of electronic protected health information (ePHI) is a treacherous path for a small company to walk. The Health Insurance Portability and Accountability Act (HIPAA) enforces a number of requirements on the security controls required for the storage of such sensitive data. Unfortunately, the language used is not crystal clear, and I have been able to find no description of actual technical systems used to comply with these controls.
These controls are required in order to "ensure the confidentiality, integrity, and availability of all electronic protected health information [that a] covered entity creates, receives, maintains, or transmits" (45 CFR § 164.306(a)(1)).
I will outline these requirements here. In a future post I will explain the technical systems I propose implementing in order to comply with these requirements in a low-cost manner.
HIPAA requires the following technical safeguards to be implemented:
- Unique user identification and authentication. Each person accessing ePHI must have their own set of credentials, no shared accounts, no password sharing.
- Emergency access procedure. A means by which ePHI can be accessed during an emergency. The type of emergency is left ambiguous here; I believe an organization-specific risk assessment should be performed to determine what types of emergencies may impact the way ePHI is accessed, who should be accessing it during those times, and how he or she would do that.
- Automatic log-off. After a certain amount of time spent idle, the user must re-authenticate in order to continue accessing ePHI.
- Encryption and decryption. ePHI must be encrypted at rest; no specifications beyond that are given, other than stating that the measures must be reasonable and appropriate.
- Integrity audit controls. A technical system which logs changes to and deletion of ePHI for the system.
- Transmission Security. Any transmission of ePHI must be done through an encrypted protocol or tunnel.
- A data backup and disaster recovery plan. A technical system to provide backups in the event of accidental deletion of files or catastrophe. When implementing this it is important to be sure that it does not violate the requirements above.
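As an added illustration (not from this post, and not the system I will propose later), the following Python sketch shows three of the safeguards above working together: a per-user session with automatic log-off, and an append-only, hash-chained audit log of changes to and deletions of ePHI whose tampering can be detected. The 15-minute idle timeout is an assumed policy value, since HIPAA itself specifies no number.

```python
import hashlib
import json
from dataclasses import dataclass

# Assumed policy value: HIPAA gives no number, so it comes from the risk assessment.
IDLE_TIMEOUT_SECONDS = 15 * 60
GENESIS = "0" * 64


@dataclass
class Session:
    """One session per individually identified user (no shared accounts)."""
    user_id: str
    last_activity: float


def session_is_active(session: Session, now: float) -> bool:
    """Automatic log-off: an idle session is no longer valid for ePHI access."""
    return now - session.last_activity <= IDLE_TIMEOUT_SECONDS


class AuditLog:
    """Append-only, hash-chained log of changes to and deletions of ePHI."""

    def __init__(self):
        self.entries = []

    def _digest(self, body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user_id: str, action: str, record_id: str, ts: float) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"user": user_id, "action": action, "record": record_id, "ts": ts, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def change_ephi(session: Session, log: AuditLog, action: str, record_id: str, now: float) -> bool:
    """Gate an ePHI change or deletion on an active session, then log it."""
    if not session_is_active(session, now):
        return False  # caller must re-authenticate before continuing
    session.last_activity = now
    log.record(session.user_id, action, record_id, now)
    return True
```

In a real deployment the log would be written to storage the application user cannot rewrite (a separate append-only store or log server), and the chain head would be checkpointed so that truncation of the tail is also detectable.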
Physical security controls are required both for the data center and the workstations accessing this data, but that is outside of the scope of this post. These are the technical requirements necessary in order to store ePHI. In addition to this, an organization will need to develop a library of policies, procedures, and standards related to HIPAA, and perform a risk assessment.
It is worth noting that I am not a lawyer; a company should consult with a lawyer before attempting something as daunting as this.