Why e-PHI Lies at the Heart of Any Good HIPAA Strategy

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is revolutionizing more than just the way doctor's appointments work. As care givers become increasingly reliant on technology, HIPAA's impacts are being felt across the IT industry like never before.

It doesn't matter whether companies help admin departments manage hospitals using the cloud or provide electronic health record, or EHR, software: all firms that deal with health data must evolve in response to the law.

For those outside the healthcare space, data privacy governance can seem incredibly dense. Those in the know, however, understand that for modern IT vendors, protected health information, or PHI, is key to HIPAA compliance. 

What Are PHI and e-PHI?
The U.S. Department of Health and Human Services defines PHI, or protected health information, as certain information that is individually identifiable. There are 18 separate kinds of identifiers that might make information fall under this classification, such as someone's name, phone number, insurance policy records, treatment status or biometric markers. e-PHI is any PHI that gets transmitted, stored, created or received using electronic means. 

What Risks Do IT Providers Have to Think About?
In their role as intermediaries between healthcare stakeholders and technology, IT vendors commonly participate in e-PHI-based activities governed by HIPAA. For instance, a firm that provides managed servers might routinely handle, transmit, store and modify personally identifiable information belonging to thousands of patients on a daily basis. 

Combatting HIPAA deficiencies effectively is all about understanding the risks in question. Each application or deployment demands custom risk assessments and sound security management processes.

Vendors also need to consider the fact that users, such as student doctors, interns and other staff, might not always make smart security choices. Because these individuals are heavily focused on their caregiving mission, they're not always up to speed on accepted IT industry best practices. 

Another relevant risk factor is that in the healthcare landscape, vendor systems commonly interact with third-party IT products. For instance, imagine that your company provided small clinics with hosted SAAS applications; you would probably also have to support interfaces for diagnostic instruments, wearable medical devices, office machinery and a host of other hardware with potential security vulnerabilities.

How Can Better e-PHI Practices Help IT Providers Improve Their Stances?
HIPAA rules dictate that actions involving PHI must adhere to specific guidelines designed to uphold patient privacy. Care givers found guilty of violating the law may have to pay millions of dollars annually in fines. In other words, vendors that want to keep their clientele happy need to help them comply with HIPAA.

Focusing on e-PHI is essential for companies that want to help their clients avoid the adverse publicity and fiscal disasters associated with security breaches and information mishandling. Remember that the whole purpose of HIPAA is to protect patients' data.

It's far easier to deploy security mechanisms that actually make sense when you map out the associated hazards on a case-by-case basis.

Partnering with already-compliant IT vendors can work wonders for companies that want to serve the healthcare industry. HIPAA actually lays out acceptable solutions to many common security quandaries, such as using encryption for data transmissions. The problem is that without prior experience, it can be hard to decipher the rules and come up with an effective governance plan.

As with other regulatory frameworks, the road to effective HIPAA security can be long and rocky. Identifying the best ways to handle e-PHI from the start may just make it easier to reach the end of the journey.

What’s Hot on Infosecurity Magazine?