HIPAA Compliance

Control access to e-PHI data and stay HIPAA compliant

Using the AC controllers

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets privacy and security standards for patients' medical records and other health information held by health plans, doctors, hospitals and other health care providers.

Healthcare entities now store most patient medical information, referred to in the Act as Protected Health Information (PHI), in electronic form to improve communication between entities, reduce errors and cut costs.

The HIPAA Security Rule requires that access to electronic Protected Health Information (e-PHI) is restricted to the people and processes that have been authorized for that purpose, and that this access is recorded.

Civil penalties scale with the entity's culpability: the highest tier applies to willful neglect, for example a data breach where no attempt was made to implement access control over medical records.

What do I need to do?

In basic terms you need to ensure that all electronically stored patient data and other sensitive documents are only accessible to those who need it and that this access is logged.

This keeps your e-PHI secure and keeps you compliant with HIPAA.
You can see a list of the HIPAA requirements below.

How can I do it?

The MediPriv AC units make this simple. Using the setup guide you can install your MediPriv AC unit within your network and keep all e-PHI data secure.

Anyone who requires access to these documents, and is authorized to do so, accesses the data using their own named account, so every access is attributable to one person.

Risks of a data breach

When medical records are stored as electronic protected health information (e-PHI), the risk of unauthorized access is high, because the data can be reached through a number of different pathways.

Electronically stored information is reached over a computer network, and that network gives an unauthorized person a path to the data wherever the path is not protected.

Weak or partial access control can be circumvented by an unauthorized person with modest technical skill. Typical pathways are:

  • Theft of an authorized person's credentials, which lets an unauthorized person access e-PHI under that person's identity.
  • Discovery of a network path to e-PHI that has no access control at all.

Healthcare entities are a frequent target of intrusions aimed at stealing patient medical information.

HIPAA summary

Below is a summary of the HIPAA Security Rule access-control and audit requirements (45 CFR 164.308 and 164.312) that this guide addresses. Some of these are "addressable" rather than "required" specifications (automatic logoff and password management, for example), meaning an entity must implement them or document an equivalent alternative control:

  • Authorized users are permitted to access only the specific e-PHI for which they are authorized (the "minimum necessary" principle), under a unique user identity.
  • Authorized users must use strong passwords (or stronger credentials) to access e-PHI.
  • Passwords must be managed: HIPAA itself does not fix a rotation interval, and current NIST guidance (SP 800-63B) recommends changing passwords on evidence of compromise rather than on a fixed schedule.
  • Any authorized user who has not interacted with e-PHI for a period of time must be automatically logged off.
  • Emergency ("break-glass") access to e-PHI must be provided, with the system manager alerted each time the emergency access is used.
  • All access to e-PHI must be logged, with the log protected from tampering and unauthorized reading (integrity-checked and encrypted at rest) and retained for the documentation retention period, which HIPAA sets at six years. The log is what forensic investigators rely on after a data breach to establish which accounts touched which records and when.
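The following is an added example, not MediPriv's code or any part of this guide's product, showing one way to implement four of the safeguards listed above in a small access gateway: record-level authorization, automatic logoff after idle time, emergency ("break-glass") access that alerts an administrator, and a hash-chained audit trail whose entries cannot be altered or deleted without detection. The user names, patient identifiers, the 15-minute idle timeout and the alert callback are constructed assumptions for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real staff or patients): which records each user may open.
AUTHORIZATIONS = {
    "dr_alice": {"patient-001", "patient-002"},
    "nurse_bob": {"patient-002"},
}
IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff threshold


@dataclass
class Session:
    user: str
    last_activity: datetime
    active: bool = True


class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous entry's hash,
    so altering or removing any entry breaks verification of everything after it.
    This gives tamper-evidence only; encrypting the log at rest is a separate layer."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev_hash = self.GENESIS

    def record(self, **event):
        entry = dict(event, prev=self._prev_hash)
        payload = json.dumps(entry, sort_keys=True, default=str).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self._prev_hash = entry["hash"]
        self.entries.append(entry)

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            payload = json.dumps(body, sort_keys=True, default=str).encode()
            if hashlib.sha256(payload).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class EPHIGateway:
    def __init__(self, alert):
        self.log = AuditLog()
        self.alert = alert  # called on every emergency access (e.g. pages the system manager)

    def login(self, user, now):
        return Session(user=user, last_activity=now)

    def _check_session(self, session, now):
        """Enforce automatic logoff; returns a denial reason or None if the session is good."""
        if not session.active:
            return "session inactive"
        if now - session.last_activity > IDLE_TIMEOUT:
            session.active = False
            self.log.record(time=now, user=session.user, event="auto-logoff")
            return "idle timeout"
        session.last_activity = now
        return None

    def access(self, session, patient_id, now):
        """Normal access: only records the user is explicitly authorized for. Every attempt is logged."""
        reason = self._check_session(session, now)
        allowed = reason is None and patient_id in AUTHORIZATIONS.get(session.user, set())
        if reason is None and not allowed:
            reason = "not authorized for record"
        self.log.record(time=now, user=session.user, event="access",
                        patient=patient_id, allowed=allowed, reason=reason)
        return allowed

    def emergency_access(self, session, patient_id, justification, now):
        """Break-glass access: bypasses record-level authorization but is logged and alerted."""
        reason = self._check_session(session, now)
        allowed = reason is None
        self.log.record(time=now, user=session.user, event="emergency-access",
                        patient=patient_id, allowed=allowed, justification=justification)
        if allowed:
            self.alert(session.user, patient_id, justification)
        return allowed


def demo():
    """Walk through the safeguards with the constructed data and return the outcomes."""
    alerts = []
    gw = EPHIGateway(alert=lambda user, patient, why: alerts.append((user, patient, why)))
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    bob = gw.login("nurse_bob", t0)
    results = {
        "bob_own_patient": gw.access(bob, "patient-002", t0),
        "bob_other_patient": gw.access(bob, "patient-001", t0 + timedelta(minutes=1)),
        "bob_break_glass": gw.emergency_access(bob, "patient-001", "unresponsive patient in ER",
                                               t0 + timedelta(minutes=2)),
        "bob_after_idle": gw.access(bob, "patient-002", t0 + timedelta(minutes=30)),
    }
    results["alerts"] = len(alerts)
    results["log_ok"] = gw.log.verify()
    gw.log.entries[1]["allowed"] = True  # simulate an attacker rewriting a denied access as allowed
    results["log_ok_after_tamper"] = gw.log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

In the walkthrough, the nurse's access to a record outside their authorization is denied and logged, the break-glass request succeeds but fires an alert, the session is logged off automatically after 28 idle minutes, and editing a single historical log entry causes the chain to fail verification. A production deployment would persist the log to write-once storage and encrypt it at rest; the hash chain alone does not hide the log's contents.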