
Compliance with HIPAA regulations

  • Writer: Milan Walraevens
  • Jan 5, 2023
  • 5 min read

Updated: May 2

Data privacy and security – How icometrix ensures compliance with the HIPAA regulation


The need for data privacy and security

As cloud computing becomes more and more integrated into medical decision-making, privacy and security of a patient’s protected health information (PHI) become increasingly important. In particular, since healthcare data is increasingly being shared between healthcare providers (HCPs) and companies offering such cloud-based solutions (like our own icobrain portfolio), there was a need for a centralized set of principles to be adhered to with regard to PHI. Several such standards have been established, with the Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR) being the leading data security regulations established in the USA and Europe respectively.


HIPAA and GDPR

HIPAA, established in 1996, is a United States federal law that protects the privacy of individuals' medical records and sets the standards for the privacy and security of sensitive patient data. It applies to any entity (individuals, medical care facilities, companies, …) that may access such data. The HIPAA Privacy, Security, and Breach Notification Rules establish important safeguards for when PHI is created, received, maintained, or transmitted by a HIPAA-covered entity or business associate. This includes limitations on the uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals' rights with respect to their health information. To be HIPAA compliant, covered entities must take several steps to protect the confidentiality, integrity, and availability of PHI. These steps are divided into several categories, each of which relates to a different aspect of the protection of PHI.


The major HIPAA rules include:

1. The Privacy Rule: This rule establishes the standards for the protection of personal health information, including the rights of individuals to access and control their own health information.

2. The Security Rule: This rule sets standards for the secure transmission of personal health information, including the use of encryption and other safeguards to protect data.

3. The Breach Notification Rule: This rule requires healthcare organizations to notify individuals if their personal health information has been breached.

4. The Enforcement Rule: This rule outlines the enforcement mechanisms and penalties for HIPAA violations.

5. The Omnibus Rule: This rule strengthens and updates the HIPAA regulations to reflect changes in technology and the healthcare industry.


Overall, these rules work together to protect the privacy and security of personal health information and to hold healthcare organizations accountable for their handling of such information. It is important to note that being HIPAA compliant is a continuous process that requires ongoing attention and effort to maintain compliance. Covered entities must regularly review and update their policies and procedures to ensure that they remain compliant with HIPAA requirements and are adequately protecting personal health information.


Like HIPAA, the European Union’s GDPR legislation addresses how patient data and information are to be handled and describes standards that must be met to be GDPR compliant. But unlike HIPAA, which only oversees healthcare organizations and their business associates, the GDPR oversees all organizations handling personally identifiable information (PII). HIPAA and GDPR are thus both designed to protect the privacy and security of individuals and their personal information, but their scope differs slightly, and they apply to different types of organizations (and regions).


HIPAA and cloud services


The strict set of HIPAA rules also covers the use of cloud services in the handling of personal health information. HIPAA allows covered entities to use cloud services to store and process personal health information if certain requirements are met.

One key requirement under HIPAA is that covered entities must enter into a written agreement with the cloud service provider, known as a Business Associate Agreement (BAA), that sets forth the obligations of both parties with respect to the protection of personal health information. The BAA must include specific provisions related to the handling of personal health information, such as the requirement that the cloud service provider will implement appropriate safeguards to protect the information.

In addition to the BAA, covered entities must also take certain steps to ensure security like conducting a thorough risk assessment to identify potential vulnerabilities and threats, implementing strong encryption and other security measures, and regularly monitoring the security of the cloud environment.


Overall, while HIPAA allows for the use of cloud services for the storage and processing of personal health information, it is important for covered entities to carefully follow the requirements of the law to ensure that the information is protected.


icometrix approach to PHI safety


Besides HIPAA and GDPR compliance, icometrix is also ISO27001 certified. ISO27001 is a broad standard for information security management designed to be applicable to organizations of any size and industry. While HIPAA and ISO27001 have many overlapping aspects, there are also some differences, since ISO27001 creates a framework within an organization to establish processes and control measures that ensure compliance with all stakeholders’ interests in relation to information security, including privacy regulations. Since HIPAA is a regulation, compliance is mandatory. ISO27001 is an industry standard for which certification can be obtained after an independent audit. icometrix has such a certification.


At icometrix, we consider all patient data as confidential and sensitive information, and such data is handled accordingly. Appropriate technical and organizational measures are in place to protect patient data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:


  • Local data servers within each region of service to handle the data of the given region (i.e., a server located in the US for all US patient data, and a server located in the EU for all EU data).

  • Pseudonymization of all patient data within the hospital IT network before transfer. This is achieved through our proprietary icobridge software.

  • Encryption (256-bit keys) of all data on any computer or server holding confidential data, and encryption of such data in transit using Transport Layer Security (TLS).

  • Use of an automated backup system to avoid loss of data.

  • Adequate protection against viruses and malware.

  • Implementation of an access control system to ensure that access to patient data is restricted based on the concept of need-to-know only.

  • Continuous monitoring of the IT infrastructure, including capacity monitoring, availability monitoring, logfile monitoring, clock synchronization, and vulnerability testing.

  • Prevention of unauthorized physical access. Patient data are processed in a secure zone within the office.
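The pseudonymization-before-transfer step in the list above, shown as an added illustration rather than icometrix's own icobridge code: direct identifiers are stripped inside the hospital network, the patient ID is replaced by a keyed pseudonym, the re-identification table stays local, and a gate refuses to send any record that still carries an identifier. The identifier field list and the hospital secret are assumptions chosen for the example.

```python
import hmac
import hashlib

# Direct identifiers that must not leave the hospital network. Assumed list,
# modelled on HIPAA's Safe Harbor categories; not icometrix's own field list.
DIRECT_IDENTIFIERS = {"PatientName", "PatientID", "PatientBirthDate",
                      "PatientAddress", "PatientTelephone"}

# Hospital-held secret for deriving stable pseudonyms. Constructed value so the
# example runs offline; in practice it lives in the hospital's key store.
HOSPITAL_SECRET = b"constructed-hospital-secret-do-not-reuse"


def make_pseudonym(patient_id: str, secret: bytes = HOSPITAL_SECRET) -> str:
    """Keyed pseudonym: same patient -> same pseudonym across studies, but
    not reversible without the hospital secret (HMAC, not a plain hash)."""
    return hmac.new(secret, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, local_map: dict, secret: bytes = HOSPITAL_SECRET) -> dict:
    """Return a transfer-safe copy: direct identifiers dropped, PatientID
    replaced by a pseudonym, birth date coarsened to the year. The
    pseudonym -> PatientID lookup is stored in `local_map`, which never leaves
    the hospital, so only the hospital can re-identify returned results."""
    pseudonym = make_pseudonym(record["PatientID"], secret)
    local_map[pseudonym] = record["PatientID"]
    safe = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    safe["PseudonymID"] = pseudonym
    if "PatientBirthDate" in record:
        safe["PatientBirthYear"] = record["PatientBirthDate"][:4]
    return safe


def leaked_identifiers(record: dict) -> list:
    """Pre-transfer gate: any direct identifier still present blocks the upload."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS)


# Constructed sample record (not real patient data).
SAMPLE = {"PatientName": "DOE^JANE", "PatientID": "MRN-0001234",
          "PatientBirthDate": "19700115", "StudyDate": "20230105",
          "Modality": "MR"}

if __name__ == "__main__":
    mapping = {}
    outgoing = pseudonymize(SAMPLE, mapping)
    assert leaked_identifiers(outgoing) == []
    print(outgoing)
```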


Compliance with HIPAA guidelines does not rely only on adequate IT measures, but also on the personnel handling such data. All personnel at icometrix receive regular training on the relevant aspects of HIPAA.

