HIPAA Compliance

Understanding HIPAA’s technical safeguard requirements

What is HIPAA compliance and why does it matter? HIPAA stands for the Health Insurance Portability and Accountability Act. It is a U.S. law designed to provide privacy standards that protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and care providers. The law is complicated, and adhering to it requires more than installing HIPAA compliance software to meet its requirements.

One of the main aspects of the law is that it requires healthcare practices and professionals to keep and secure PHI (protected health information) against data breaches and other possible complications. This makes HIPAA and the regulations associated with it extremely important to the risk and compliance field, especially when dealing with highly sensitive health data.

These are the three areas of HIPAA compliance:

  1. Administrative. Ensures patient data is correct and accessible only to authorized parties.
  2. Physical. Prevents physical theft and loss of devices containing electronic PHI.
  3. Technical Safeguards. Technology-related measures that protect your networks and devices from data breaches and unauthorized access.

These three sections need to be addressed and completed for an organization to become HIPAA compliant, but probably the most important—and one of the hardest to take care of—are the technical safeguards, and they’re the ones I’ll focus on. Finding the right solution to meet these stringent requirements is where Onspring comes into play. The technical safeguards, their related sub-safeguards, and the other various requirements are covered in Onspring—we give customers the tools they need to guard their information.

What Are The Technical Safeguards?

  • HIPAA Access Controls
  • HIPAA Audit Controls
  • HIPAA Data Integrity
  • HIPAA Authentication
  • HIPAA Transmission Security

HIPAA Technical Safeguards Requirements Explained

Here is a closer look at, and a breakdown of, each of the technical safeguards required by HIPAA.

HIPAA Access Controls

The subsections are Unique User Identification, Emergency Access Procedure, Automatic Logoff, and Encryption and Decryption, and each of these is supported in Onspring. Customers can create unique users who utilize the platform in many different ways, allowing for fine-tuned restrictions on protected information.

Messaging and other tools within Onspring allow users to create emergency procedures for the protection of their data. Onspring also has default logoff times, as well as encryption and decryption built into the platform, in order to meet the last two standards for this section of HIPAA compliance.

HIPAA Audit Controls

This safeguard gives users the ability to audit changes to, and the history of, HIPAA-protected data—an important section in the compliance area, specifically because of its value in maintaining data integrity. Onspring provides tools such as version history for data formats, as well as a maintained history of the changes to specific sets of data, allowing for auditing with very little overhead. Based on triggers and workflows that can be added to the solution, data can be audited and maintained, and, most importantly for auditing, can be restricted and monitored for changes—all necessary tools to streamline the auditing process.

HIPAA Data Integrity

This relates almost entirely to specific user controls and how they are implemented. Creating groups and users with restricted access to the sensitive data in question, along with the data history functionality mentioned previously, helps ensure that all data within the Onspring platform follows this section of HIPAA compliance.

HIPAA Authentication

There is a need to have procedures in place that ensure and verify that the people receiving protected data are the “correct” people who are supposed to see it. This is handled in Onspring within the messaging functionality and, again, through specific user controls. Messaging within Onspring allows users to create the checks required for this part of the compliance. User-specific access allows customers to differentiate the data that each user sees based on their access settings, preventing any PHI from being viewed by people who are not supposed to have access.

HIPAA Transmission Security

This is a requirement that data flowing from the platform in question is encrypted and unmodified when electronically transmitted. Within Onspring, all of the data, from the UI to the DB, is encrypted, which fulfills the first part of this HIPAA requirement. The second part is trickier—the user controls and access restrictions that come out of the box allow complete control over the data in question, fulfilling the second part of this compliance requirement.

HIPAA is just one of the requirements that can be effectively managed in Onspring. You can control every aspect of your data, giving you the tools needed to take the precautions required for compliance. Remember, the information shared above only covers the technical safeguard sections of HIPAA—meeting overall general compliance is more complicated and needs to involve your legal and compliance teams.

About the author

Beth Strobel, GRC Subject Matter Expert at Onspring

Director at Onspring & Treasurer at Women in Security
15 years of GRC experience