Freelance tech writer Kayla Matthews discusses how to make sure your medtech product is HIPAA compliant.
Rendering competent and high-quality aid to those in need is the top priority in the health care sector. These days, data security and integrity comes in at a very close second. Keeping patients’ protected health information (PHI) safe is the very reason HIPAA (Health Information and Portability and Accountability Act) came into existence— and why it’s seen several updates since technology and security expectations have matured further.
One of these changes, known as the HITECH Act of 2009, strengthened HIPAA by removing exploitable loopholes for health care organizations and creating incentives for the health care community to transition to electronic health records (EHRs). Modern health care — including historical and recent patient records — must be mobile, secure and able to follow patients between doctors and facilities.
Working in health care means practicing due diligence and establishing a culture that respects HIPAA and the sovereignty and importance of accurate patient data. Expectations have become stricter over the years as the medical community has found new ways to collect and put patient data to work.
Discover what it takes to keep medical technology — medtech — compliant with HIPAA’s ever-evolving set of requirements.
Why Is HIPAA Compliance Essential in MedTech?
Compliance with HIPAA is not optional for medical service providers, known as Covered Entities. As health data has taken a central role in caregiving environments of all kinds, entities have had to reappraise the techniques they use to capture, store, transmit and communicate patient records.
Financial concerns are the first and probably most significant worry for healthcare providers. In 2018, Fresenius Medical Care North America was served a fine of $3.5 million by the Office for Civil Rights and the Department of Health and Human Services. FMCNA agreed to the terms, including the requirement to draw up a full-scope action plan to correct multiple HIPAA violations.
Financial losses are a huge part of why health care organizations must ensure strict adherence to HIPAA requirements. Compromised reputations are another.
FMCNA provides products and services to 170,000 patients and employs more than 60,000 individuals over multiple locations and facility types. A fine like this almost invariably leads to lost trust and lost business.
Now that we know why this is essential for health care entities, why are medtech and HIPAA vital for patients?
To start, protected health information is some of the most valuable data on the black market today — more so than financial data, including credit card numbers. PHI breaches can take longer to detect than the loss of financial data, but it’s no less useful to cybercriminals.
With PHI, hackers can order medical devices and prescriptions under someone else’s name, commit insurance fraud and carry out any number of other crimes that can set patients and caregiving facilities back considerably.
Consider some of the specific requirements that healthcare organizations must adhere to as they adopt medical technologies and seek new ways to improve patient outcomes.
1. Data Backups Must Be Complete and Encrypted
Under HIPAA, health care organizations must remain consistent about how, how often and for how long they back up patient data. These requirements fall under two categories — the health care organization’s Data Backup Plan and the required Retention Period.
HIPAA requires health care organizations to maintain full, retrievable and encrypted backups of all electronic patient health records. Additional details include:
- Encryption: Data at rest must be encrypted using 256-bit AES encryption.
- Redundancy: At least two or three separate storage locations.
- Data in transit: Data transferred using public networks must be 256-bit AES encrypted.
- Monitoring: Organizations must monitor data backups and backup plans for errors and backup failures.
Additionally, physical data repositories — like server rooms — must have robust access controls to ensure only qualified and authorized personnel may enter.
As far as retention periods go, things get slightly complicated. States have their own laws concerning how long providers must keep medical records. In Florida, it’s five years after the last contact with the patient. However, HIPAA does require that health care organizations keep HIPAA-related documentation safe and secure for six years, including:
- PHI disclosure authorizations
- PHI update and recording logs
- Risk analysis and assessment files
- Documentation concerning breach notifications
- Security reviews and system changes or audits
- Notices about the organization’s privacy practices
Health care providers managed by Medicare and Medicaid have further requirements, including retaining cost reports for five and 10 years, respectively.
2. Communication Channels Must Be Secured
Maintaining medical compliance under HIPAA extends to the communication methods used by Covered Entities as well. Modern communication channels, such as telephone, email, fax and text messaging, are all a little different when it comes to being HIPAA medical compliant.
HIPAA does not forbid the use of text messaging for transmitting PHI. If the Covered Entity has given the patient notices of the risks, and the patient has consented, health care providers may text PHI to that person and no other party. HIPAA requires audit controls for the creation and transmission of PHI, but this is difficult given the number of communication tools and operating systems in use.
In most situations, it’s best to use other methods. Whatever the communication tool used, Covered Entities must account for the following:
- Strong access controls for the devices sending and receiving texts
- End-to-end encryption — an addressable concern under HIPAA
- Loss prevention for easily misplaced or stolen devices
Faxing has long been a part of the medical community. In fact, something like 75% of all communication in the United States’ healthcare industry happens via fax. Electronic, cloud-based faxing systems provide the structured, secure and encrypted ecosystem necessary to exchange this type of information safely between parties.
Unlike traditional fax systems, where all records stay on-premises and remain at risk of theft, electronic faxes provide access security and auditability for Covered Entities. E-fax systems store all communication information — including the messages themselves, plus all accompanying historical data — offsite in a vendor’s secured secondary location.
Covered Entities must keep several essential protections in mind when communicating records, including:
- Strong passwords or biometric authentication
- Industry-standard, on-device encryption
- Comprehensive plans for removing PHI from devices before retiring them
- Physical and digital protection for Wi-Fi networks and IT infrastructure
- Firmware and software updates for all device types as soon as they become available
3. Health Care Entities Must Perform Comprehensive Risk Analyses
The failure to perform an organization-wide risk analysis is one of the top reasons why healthcare organizations get fined for violating HIPAA. Covered Entities should perform risk analyses regularly, including each time their digital infrastructure changes. Cancer Care Group, Lahey Hospital & Medical Center, Cardionet and Oregon Health & Science University have all shouldered fines between $750,000 and $2.7 million for oversights of this nature.
The methodology and results of the risk analysis will look a little different to varying organizations, but the mission and the reasons are always the same:
- Define how PHI flows throughout the organization: How does PHI enter the system? Where is it stored? How does it leave? Are there potential locations for leaks?
- Account for the entire PHI lifecycle: Which third parties come into contact with PHI? Other business partners? Recycling or shredding companies? Computer repair or management services?
- Know about your specific vulnerabilities: No two health care organizations are precisely alike. Weaknesses may include in-house negligence, incomplete employee training on phishing avoidance, low-quality passwords, physical threats to data storage locations like power failures and extreme weather, deliberate cyberattacks and more.
- Prioritize threats by likelihood and impact: All organizational vulnerabilities should receive a threat level of Low, Medium or High to ensure teams allocate funds appropriately, and the company can drill down on the training, hiring or procedural lapses resulting from data loss.
For a more detailed look at the risk analysis requirements under HIPAA, the government has a worksheet available for health care organizations that want to ensure they’ve left nothing out. The worksheet sees regular revisions as the industry and technologies change.
Compliant Medical Services Providers for a Healthier Future
Good public health should be a priority for any civilized society. These days, however, health goes hand-in-hand with cybersecurity. The three areas above are the most frequently cited in terms of organizational non-compliance. To fix this problem, organizations must ensure they promote ongoing learning and attention to details.
HIPAA and its changes over the years remind us how valuable health data can be — for patients and would-be data thieves alike.