The necessity and importance of protecting individual privacy has always been a priority for health care providers and public health practitioners. Federal, state, and local laws were in place to protect the privacy of this sensitive data; however, these laws proved inconsistent and inadequate, and were narrowly applied to protect select health data and particular custodians of that data. The unsuitability of these laws, coupled with advancements in technology that shifted medical records from paper to electronic format, heightened the likelihood that individuals could access, use, and disclose sensitive personal health data. In response to the potential privacy infringements, the federal government enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
A primary goal of HIPAA is to protect the privacy and security of an individual’s protected health information (PHI) and his or her demographic information. PHI is individually identifiable health information that is transmitted by, or maintained in, electronic media or in any other form or medium (e.g., files, voicemails, emails, facsimile, and verbal communications). Examples of PHI include, but are not limited to, information concerning the individual’s:
• Name
• Date of medical treatment
• Medical record number
• Social security number, and
• Telephone number
Information can qualify as PHI even without the individual’s name, as long as a review of the information is reasonably sufficient to identify the individual. Also, PHI relates to the past, present, or future physical or mental health of an individual.
HIPAA regulates how covered entities and business associates use and disclose PHI and has established various administrative, physical, and technical safeguards that serve to maintain the privacy and security of individually identifiable health information while preserving the community’s need to use the information. To ensure the confidentiality, integrity, and availability of PHI, covered entities and business associates must be well-versed in HIPAA requirements and employ protocols to protect PHI, such as:
• Adopting and implementing internal privacy policies and procedures governing the use and disclosure of PHI
• Conducting educational training sessions with employees to explain the privacy policies and procedures, and emphasizing that compliance is an essential function within the covered entity
• Designating individuals responsible for implementing privacy policies and procedures
• Enacting appropriate and necessary administrative, physical, and technical safeguards to protect the privacy of PHI
• Establishing contractual privacy requirements with business associates performing functions delineated in HIPAA
• Notifying individuals of their privacy rights and the manner in which their PHI is used or disclosed by the covered entity
• Protecting against any reasonably anticipated threats or hazards to the security or integrity of the PHI. See 45 CFR §§ 164.306 and 164.504 (Jan. 25, 2013)
If a covered entity or business associate violates an individual’s privacy rights with regard to his or her PHI, a complaint can be filed with the Office for Civil Rights. Consequently, it is imperative to comply with HIPAA, as the penalties and fines for such violations can be substantial.
Sherlock Cloud is a multi-tenant, scalable, managed, private Cloud platform that was built according to NIST 800-53 requirements to comprehensively address the administrative, physical, and technical safeguards required by HIPAA. It is a niche and unique offering within the UC, and the Sherlock team has expanded its expertise to now offer its solutions within the AWS Cloud. Partners are now able to choose managed compliant services operating on premises at SDSC, in the AWS Cloud, or a combination of the two.
Example Sherlock Controls to help meet HIPAA Requirements
• Providing both two-factor and strong single-factor authentication
• Isolating development and production environments
• Providing a Virtual Private Network (VPN) solution for accessing systems used for development/management
• Conducting audits of the HIPAA environment to ensure compliance
• Maintaining software, hardware, and applications to HIPAA security levels
• Managing, configuring, and integrating all software in accordance with sound change management practices
• Conducting security awareness and privacy training sessions
• Implementing security controls consistent with HIPAA guidance
• Using data solely for the purpose of fulfilling its responsibilities pursuant to contract terms