It wasn't long ago that doctors, hospitals, chiropractors and other healthcare providers used traditional paper files to store patient information. When a doctor needed to access an existing patient's information, he or she would simply find the file in a file cabinet. It wasn't the most efficient method, but it worked nonetheless. Thanks to the advent of modern technology, though, there's now an easier and more efficient way to store data, with these same healthcare providers using computer systems instead of paper files.
But the use of computer systems to store patient information poses certain privacy risks that need to be addressed. If you keep up with the news, you've probably heard of recent cyber attacks involving major healthcare insurance providers like Anthem, Inc. and Premera. These two attacks alone resulted in the disclosure of millions of patients' information, attesting to the growing problem of lax cybersecurity in the healthcare industry.
Of course, the Health Insurance Portability and Accountability Act aims to reduce unauthorized access to Protected Health Information (PHI) by forcing healthcare providers to follow certain Rules. While HIPAA doesn't specifically state guidelines for storing PHI data, it's still covered, and covered entities must abide by the Rules or face penalties handed down by the Department of Health and Human Services.
HIPAA's Security Rule provides broad guidance for healthcare facilities and covered entities to protect their patients' electronic health information. You can read through some of our previous blog posts for more details on the Security Rule, but it basically states that all covered entities must implement appropriate and meaningful safeguards to protect EPHI from unauthorized use or access. This may include the use of encryption, two-way authentication, firewalls, etc.
It's also important to note that cloud storage providers used by healthcare agencies and other covered entities are viewed as Business Associates in the eyes of the HHS and HIPAA. Why is this important? Well, that means any covered entity that uses such cloud services must have a Business Associates Agreement (BAA) in place, specifying what type of data will be used and how it will be used.
Addressing these issues with your company's data storage will not only ensure you are compliant with HIPAA, but it will also protect your patients' sensitive information, and that alone should be worth the investment of your time and resources.