HIPAA and healthcare: does your intranet meet the requirements?

Datasheet, healthcare edition

Modern healthcare in the digital world

Healthcare is making a transition further and further into the digital realm. In part, this means the use of collaboration software, such as intranets, to drive up organizational efficiencies and engage staff who are spread across disparate departments and locations. Intranets also provide powerful tools for knowledge sharing, which is vital in a field where access to the most up-to-date studies makes the difference in saving patients’ lives. With so much potential in digital tools for healthcare, it’s paramount that organizations protect sensitive information and comply with HIPAA requirements.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, established national standards and guidelines for maintaining the privacy and security of individual health information and addressing issues of fraud and abuse in the healthcare system. HIPAA’s Privacy Rule and Security Rule are perhaps most relevant for companies using collaboration software. Organizations are required to secure all private health information from unauthorized access. Violating HIPAA carries both civil and criminal penalties, and it is very strictly enforced.

The Security Rule: a deeper dive

The Security Rule lays out specific requirements for organizations to secure Electronic Protected Health Information (EPHI). Those requirements fall under the categories of Administrative, Physical, and Technical. The Technical requirements of the Security Rule necessitate that organizations protect information in open networks through encryption and in closed networks through access controls, as well as prevent unauthorized alteration or erasure of the data. In addition, healthcare providers need to closely vet any external organizations with whom they communicate, such as vendors, to ensure those groups do not put patient data at risk. Aside from actually implementing these security practices, HIPAA requires organizations to closely document their compliance and make that documentation available to the U.S. Dept. of Health and Human Services (HHS).

What makes health information PHI?

HIPAA regulations intentionally set a low threshold for what’s considered PHI, and even the official definition is somewhat nebulous. Anything can be considered PHI if it includes a person’s name, any geographical information smaller than a state (e.g. a town or street address), a phone or fax number, an email address, a photo of the patient or customer, vehicle identifiers such as license plate numbers, and nearly anything else that can be used to discern someone’s identity. Examples of seemingly innocent comments that actually reveal PHI include:

“I just treated a 35-year-old man in our Jacksonville facility for Type II diabetes. Perhaps I can help.”

“A colleague of mine has a patient named Malcolm who is a good case study for this type of treatment.”

“I have a patient who is 92 years old and is therefore at a higher risk for Alzheimer’s.”


Requirements for healthcare intranets

Having solid cybersecurity practices in place, and being able to document them, are key to HIPAA compliance. Because intranets have tools that help every area of an organization to run, they also need to comply with every rule specified in HIPAA. The features that intranets need in order to maintain that standard of security include:

SESSION TIMEOUTS

After an intranet is left idle for a set period of time, the user should be automatically logged out to keep unauthorized users from accessing privileged data.

A WEB SERVER RUNNING SECURE SOCKETS LAYER (SSL)

This establishes an encrypted link between a web server and a browser (in current deployments via SSL’s successor, TLS), keeping data secure as it travels among machines in an organization’s network.

DATA ENCRYPTION

Data should be encrypted both at rest and in transit to ensure there is no point at which it’s unsecured.

SECURE ACCESS CONTROLS

Employees should only have access to the parts of the intranet for which they’re authorized and which are necessary for their jobs.

SERVER MONITORING

The intranet provider should have staff to monitor servers in the event that a breach does occur and take action before any damage is done.

REGULAR SECURITY AUDITS

It’s the responsibility of the provider to frequently audit their security practices and update them as necessary.

EDUCATED PERSONNEL

Any IT staff at a healthcare organization, as well as the intranet provider’s personnel, should be aware of all HIPAA requirements and able to maintain compliance.
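As an added illustration of the session timeout and secure access control items above (example code written for this page, not Interact’s product or anything from the datasheet), here is a small Python session store that expires idle and over-aged sessions on the server side and checks every request against per-area role permissions. The timeout values, area names and roles are assumptions chosen for the example.

```python
from dataclasses import dataclass
import secrets
import time

IDLE_TIMEOUT_S = 15 * 60         # assumed policy: log out after 15 minutes idle
ABSOLUTE_LIFETIME_S = 8 * 3600   # assumed policy: force re-authentication after 8 hours

@dataclass
class Session:
    user: str
    roles: frozenset
    created: float
    last_seen: float

class SessionStore:
    """Server-side session store. The clock is injectable so expiry can be tested."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def login(self, user, roles):
        sid = secrets.token_urlsafe(32)          # unguessable session identifier
        now = self._clock()
        self._sessions[sid] = Session(user, frozenset(roles), now, now)
        return sid

    def touch(self, sid):
        """Return the live session for sid, or None if it is unknown or expired.
        Expired sessions are deleted so the old identifier cannot be reused."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_S or now - s.created > ABSOLUTE_LIFETIME_S:
            del self._sessions[sid]
            return None
        s.last_seen = now                        # activity resets the idle timer only
        return s

    def logout(self, sid):
        self._sessions.pop(sid, None)

# Constructed example: which roles may open each intranet area (least privilege)
AREA_ROLES = {
    "staff-directory": {"staff", "clinician", "billing"},
    "patient-records": {"clinician"},
    "claims": {"billing"},
}

def authorize(store, sid, area):
    """True only if the session is still live and one of its roles is allowed for the area."""
    s = store.touch(sid)
    return s is not None and bool(s.roles & AREA_ROLES.get(area, set()))
```

Every request goes through authorize(), so an idle session is rejected on its next use rather than relying on the browser to log out.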

Interact’s intelligent intranet is compliant with HIPAA, ISO 27001, and SOC Type II IT and security standards. For a full list of Interact’s security practices and how we carry them out, visit https://www.interact-intranet.com/product/cloud-features/intranet-cloud-security/.

Contact: (646) 564 5775 · New York: 21 W. 46th St, 16th Fl, New York, NY 10036 · San Francisco: 600 California St, 11th floor, San Francisco, CA 94109 · Web: www.interact-intranet.com · Twitter: @intranetexperts