Handling HIPAA: Keeping Patient Information Safe
As patients, we expect healthcare providers to keep our personal information safe and secure. We also expect them to make healthcare as accessible as possible. Providers have responded to demand by offering mobile apps, paperless transfer of medical records, online bill payment, and email-based services. Providing these digital healthcare services requires that patient information flow between the entities that make these services possible. Translation is one such example—healthcare providers and insurers are legally required to provide language access in the provision of services without compromising the security of sensitive patient data.
As early as 1996, the US Department of Health and Human Services recognized that “advances in electronic technology could erode the privacy of health information” and began to put measures in place to protect individually identifiable health information. The result, HIPAA (the Health Insurance Portability and Accountability Act), is well known, but its many parts can quickly become confusing.
In 2000, the addition of the Privacy Rule established a consistent set of standards for how Protected Health Information (PHI) may be used and disclosed. This rule applies to all health plans, healthcare clearinghouses, and healthcare providers (“covered entities”) that transmit health information electronically. Covered entities often need to contract with third-party partners (“business associates”) to provide digital services. Business associates are bound by the Privacy Rule as well (and, since the HITECH Act of 2009, directly liable for violations), but the covered entity is responsible for putting a business associate agreement (BAA) in place that specifies how the business associate may use or disclose PHI.
The Security Rule, issued in 2003, establishes the standard for “administrative, physical and technical safeguards" surrounding the electronic exchange of PHI. It is designed to be flexible so that covered entities can continue to expand their use of technology in pursuit of efficiency and quality of care. While it lays out general requirements for how electronic PHI (e-PHI) must be handled, the Security Rule leaves each covered entity to decide which specific controls are reasonable and appropriate for its size and risk profile. The same flexibility applies to business associates: they are directly bound by the Security Rule, but their concrete obligations toward a particular covered entity are set largely by the BAA and by the covered entity's own risk analysis, which is why those obligations can look ambiguous from the vendor's side.
Covered entities must consistently apply appropriate security measures, assess all reasonably anticipated risks, and limit both physical and electronic access that could compromise e-PHI. How can they be sure, however, that business associates (and in turn the subcontractors they hire) remain equally vigilant? Given what is at stake, “trust but verify” must become the creed.
How Can I Ensure Information is Safe in the Hands of a Third Party?
Risk Analysis:
A risk analysis is not optional; the Security Rule requires one (45 CFR 164.308(a)(1)(ii)(A)). Map where e-PHI is stored, processed, and transmitted, including the copies that leave your organization and pass through vendors. Who interacts with it at each step? What threats to, and vulnerabilities in, your information systems could result in errors or unauthorized access to e-PHI?
Vulnerabilities in the Translation Process
In order to meet regulatory requirements for language access, providers often need to translate patient-specific medical or insurance information. These files may include names, contact details, Social Security numbers, and dates of birth, all of which are direct identifiers that can be linked to an individual. Yet the translation process is often overlooked as a point of exposure.
If you work with an outside provider, ask yourself these questions:
- Do you send your files as plain email attachments, where they can be misaddressed, intercepted, or retained indefinitely in mailboxes you do not control?
- Are your files encrypted in transit and at rest, and who holds the keys?
- Do you know how many vendors and subcontractors handle the files during the process?
- Is the PHI in your files redacted or de-identified before they leave your control, or is it visible to everyone who opens them?
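The last question is the one most providers can act on immediately: a translator needs the sentences, not the identifiers in them. The following Python script is an added example, written for this article and not code from TransPerfect or the TransCEND platform. It swaps the direct identifiers the article lists (names, Social Security numbers, phone numbers, email addresses, dates) for placeholders before a file goes to a vendor, keeps the placeholder-to-value map at the covered entity, checks that nothing slipped through, and puts the real values back once the translated file returns. The patient record and the regular expressions are constructed for illustration; a production system would pair pattern matching with a vetted PHI-detection tool and human review, and the patient's name is supplied explicitly because names cannot be reliably found by pattern alone.

```python
import re

# Direct identifiers that commonly appear in patient-facing documents.
# Constructed, illustrative patterns: they catch the common US formats only.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}
# Placeholders look like {{SSN_1}}; translators are used to leaving such tags alone.
TOKEN_RE = re.compile(r"\{\{[A-Z]+_\d+\}\}")

# Constructed sample record (fictional patient) standing in for a letter to be translated.
SAMPLE = """Patient: Maria Delgado
DOB: 03/14/1968
SSN: 123-45-6789
Phone: (555) 201-3344  Email: maria.delgado@example.com
Please bring this letter to your appointment on 09/02/2024."""


def redact(text, known_names=()):
    """Return (vendor_copy, mapping). The mapping never leaves the covered entity."""
    mapping = {}
    counters = {}

    def token_for(category, value):
        # Reuse a token for a repeated value so the translator sees a consistent document.
        for tok, val in mapping.items():
            if val == value and tok.startswith("{{" + category + "_"):
                return tok
        counters[category] = counters.get(category, 0) + 1
        tok = "{{%s_%d}}" % (category, counters[category])
        mapping[tok] = value
        return tok

    # Names first, longest first, so a full name is replaced before any shorter match.
    for name in sorted(known_names, key=len, reverse=True):
        if name in text:
            text = text.replace(name, token_for("NAME", name))
    for category, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, c=category: token_for(c, m.group(0)), text)
    return text, mapping


def residual_phi(text, known_names=()):
    """Pre-send gate: identifier categories still visible in the vendor copy (should be empty)."""
    found = [c for c, p in PATTERNS.items() if p.search(text)]
    found += ["NAME" for n in known_names if n in text]
    return found


def missing_tokens(translated_text, mapping):
    """Post-receipt gate: placeholders the vendor dropped or mangled, so they cannot be refilled."""
    present = set(TOKEN_RE.findall(translated_text))
    return sorted(set(mapping) - present)


def rehydrate(translated_text, mapping):
    """Put the real values back into the translated file, inside the covered entity only."""
    for tok, val in mapping.items():
        translated_text = translated_text.replace(tok, val)
    return translated_text


if __name__ == "__main__":
    vendor_copy, mapping = redact(SAMPLE, known_names=["Maria Delgado"])
    print(vendor_copy)
    if residual_phi(vendor_copy, ["Maria Delgado"]):
        raise SystemExit("PHI still visible; do not send")
    # Simulated vendor output (constructed): wording translated, placeholders preserved.
    translated = vendor_copy.replace("Patient:", "Paciente:").replace(
        "Please bring this letter to your appointment on", "Traiga esta carta a su cita el")
    if missing_tokens(translated, mapping):
        raise SystemExit("vendor altered placeholders; review before rehydrating")
    print(rehydrate(translated, mapping))
```

The two gate functions are the point of the exercise: `residual_phi` answers the checklist question before the file is sent, and `missing_tokens` catches a vendor that silently dropped a placeholder, which would otherwise surface only when a patient receives a letter with a blank where their appointment date should be. Over-redaction (a clinic phone number or an appointment date caught by the same patterns) is the safe failure mode here, since those values are restored on the way back.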
How TransPerfect Can Help
TransPerfect’s Information Rights Management (IRM) platform, TransCEND, is designed to close these gaps. IRM technology combines permissions management with strong encryption to protect sensitive data. Permissions management gives you control over, and visibility into, who is accessing your data, while encryption ensures that a file that is intercepted or copied cannot be read by anyone without the key.
TransPerfect’s TransCEND platform allows you to:
- Maintain encryption of all files throughout the translation process, or just for file-passing purposes
- Prevent users from copying/pasting, screenshotting, screen sharing, printing, and editing your files (viewer-enforced restrictions that deter casual leakage but cannot stop someone photographing a screen, so they complement redaction and vendor vetting rather than replace them)
- Track exactly which users accessed your files, when, and for how long
- Redact identifying details so that only pertinent content can be viewed by vendors
With TransCEND, PHI stays encrypted and access-controlled throughout the translation process, and the access log gives you the evidence to verify that it did. No tool removes the covered entity's own obligations, however: you still need a business associate agreement with the vendor, a documented risk analysis, and a decision about which identifiers to redact before a file is shared at all.