All of your HIPAA & IT questions answered

It’s a jungle out there, trying to make sense of HIPAA and IT’s tumultuous relationship. To help unravel the ins and outs, we brought two top legal minds to Rock Health: Robert Brownstone of Fenwick & West, who discussed security practices in IT, and Paul Smith of Hooper, Lundy & Bookman, who shared his HIPAA expertise. Here’s the breakdown.

When it comes to keeping information quiet, the mafia knows best

If you really want to keep something private, your best bet is to follow this little tidbit from Joseph Massino, longtime boss of the Bonanno crime family:
“You never talk in a club, you never talk in a car, you never talk on a cell phone, you never talk on a phone, and you never talk in your house. You go on a walk-talk – I don’t know anybody who was ever locked up or arrested for a walk-talk.”

While that advice might not seem to relate directly to your web and mobile applications, its essence is relevant and worth following. Take special care to protect sensitive information. This can include, but is not limited to, IP, strategic plans, customer lists and credit card numbers, as well as any payroll or employee information. Taking protective steps is key.

Who are the individuals that you need to be protecting?

  • Customers/subscribers/users
  • Website visitors
  • Suppliers
  • Employees

Why do you need to protect this information? Wrongful acquisition of Personally Identifiable Information (PII) can lead to identity theft. Although the focus here is on data that is leaked unintentionally, disclosures can also be intentional, and those can be either unintentionally or intentionally harmful.

Top 10 ways to prevent unintentional losses

10. Strong passwords
9. Extranets and other password protected sites
8. Discretion regarding web postings
7. Encryption
6. Guarding against human error
5. Proper disposal of information
4. Storage practices (store centrally)
3. Monitoring, testing and auditing
2. Cyber insurance

And the number one way to prevent unintentional losses?
1. Data storage contracts with third party hosts (the cloud)

HIPAA: The Basics

What is HIPAA?
HIPAA created mandatory standards for electronic payment-related transactions between health care providers and health plans, and it protects the privacy and security of health information in the hands of “covered entities.”

What does HIPAA protect?
The HIPAA privacy regulation protects individually identifiable health information*, also known as protected health information (PHI), in the hands of covered entities and their contractors. De-identified information is not protected.
*Identifiable health information is only protected if a health provider generates it. If I decide to track my blood pressure using a website that charts my input, it is not covered under HIPAA laws because it is user-generated.

Thanks for keeping my information safe, but now I need it!
PHI can only be disclosed for one of the following reasons:

  • To the individual
  • For treatment, payment or health care operations
  • For governmental and other specified public interest purposes
  • Pursuant to individual “written authorization”

Business Associates, as related to HIPAA regulations, are contractors that help covered entities with payment or operations using protected health information. Before accessing PHI, the covered entities must obtain a confidentiality agreement from the Business Associates. This agreement must cover:

  • protecting the confidentiality and security of the information
  • restricting its use to the purposes of the contract
  • reporting breaches of privacy and security
  • returning or destroying the information at the end of the contract

HIPAA Bill of Rights
Patients can almost always access their health information. Wait, why almost always? If it is determined that it would be harmful to the patient or someone else, covered entities do not have to disclose an individual’s health information. So what rights does the individual have? Individuals have the right to request additional restrictions on the use of their health information. They have the right to amend their health information, unless the provider or health plan determines it is accurate, and they have the right to request confidential communications from their health care providers and health plans.

Be careful!
The underlying theme of this workshop is to always play it safe. Protect yourself and your users. Use encryption and protect your encryption code. Don’t share information unless it is necessary. And make sure you have contracts with your users, employees and health care providers.

To learn more and to help answer any burning questions you may now have:

When HIPAA applies to mobile applications

How to comply with HIPAA