HIPAA Security Rules
Four rules make up the HIPAA (Health Insurance Portability and Accountability Act) rules, which are administered by the US Department of Health and Human Services.
Firstly, HIPAA eCommerce platforms must adhere to the HIPAA Security Rule when implementing their systems. The Security Rule comprises three sets of safeguards: Physical Safeguards, Technical Safeguards, and Administrative Safeguards, each with its own requirements. Hiring a HIPAA consultant is the first step to making sure you follow HIPAA standards.
Safeguard Electronic Protected Health Information
The most common concern regarding ePHI (electronic protected health information) data systems is addressing Technical Safeguards, which can be broken into Access Control, Audit Controls, Integrity Controls, and Transmission Security.
- Access Control is about controlling who can access the information; in other words, ensuring only authorized users can access electronic protected health information, and keeping unauthorized users out. A HIPAA eCommerce application should deny all interaction with the system when an unauthorized person attempts to access it.
- Audit Controls mean recording and monitoring all activity in information systems that contain or use ePHI. In simple terms, it means keeping a log of each time the system is accessed, with information about the account used, the time, any changes made, and other activity.
- Integrity Controls relate to ensuring that electronic protected health information is kept accurate and complete, and is not improperly altered or destroyed. Implementing policies, procedures, and electronic measures is a must.
- Transmission Security regards the technical security measures that safeguard data being transmitted over an electronic network, usually via encryption. Protocols such as TLS (transport layer security), the successor to SSL (secure sockets layer), ensure the application sends data over the network encrypted. Data at rest, while it is being stored, is not covered by TLS and must be encrypted separately.
HIPAA Audit Logs
HIPAA logging requirements necessitate extensive information system audit logs, including when the data was available, who accessed it, and when it was accessed. HIPAA audit logs also track all changes made to the data, which shows who is responsible for each change and makes any internal privacy breach, or an erroneous user input, easier to investigate.
Keeping HIPAA audit logs can be relatively challenging to do manually. As such, the eCommerce application itself needs to log interactions with the data, ensure that the data is encrypted correctly during transmission, and protect data at rest. Audit controls will be in the hands of a select few employees.
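To make the Audit Controls and Integrity Controls described above concrete, here is an added example (not Clarity's code or part of the original page): a tamper-evident audit log in Python that records the fields the text names (time, account, action, record, changes) and chains each entry to the previous one with an HMAC, so that an after-the-fact edit to any entry is detected on verification. The key, account names and record identifiers are constructed for the demo.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed demo key. In production this comes from a KMS or HSM, never from source code.
AUDIT_KEY = b"constructed-demo-key-replace-in-production"


def _digest(prev_digest, entry):
    # Canonical JSON (sorted keys, no whitespace) so identical entries hash identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_digest.encode() + payload, hashlib.sha256).hexdigest()


def append_event(log, account, action, record_id, changes=None, when=None):
    """Append one audit entry, chained to the previous entry by its HMAC digest."""
    entry = {
        "time": when or datetime.now(timezone.utc).isoformat(),
        "account": account,
        "action": action,          # e.g. "read", "update", "delete"
        "record": record_id,       # identifier only; the ePHI itself is never logged
        "changes": changes or {},  # field -> [old value, new value]
    }
    prev = log[-1]["digest"] if log else "genesis"
    entry["digest"] = _digest(prev, entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Recompute the whole chain. Returns (ok, index of first bad entry or -1)."""
    prev = "genesis"
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if not hmac.compare_digest(_digest(prev, body), entry["digest"]):
            return False, i
        prev = entry["digest"]
    return True, -1


def demo():
    """Build a small constructed log, then show that rewriting history is detected."""
    log = []
    append_event(log, "nurse.jdoe", "read", "patient/1042", when="2024-05-01T09:00:00+00:00")
    append_event(log, "dr.smith", "update", "patient/1042",
                 {"allergies": ["none", "penicillin"]}, when="2024-05-01T09:05:00+00:00")
    append_event(log, "nurse.jdoe", "read", "patient/1042", when="2024-05-01T09:07:00+00:00")
    intact, _ = verify_log(log)
    # Simulate an insider attributing the update to someone else after the fact.
    log[1]["account"] = "nurse.jdoe"
    tampered_ok, bad_index = verify_log(log)
    return intact, tampered_ok, bad_index  # (True, False, 1)
```

Because each digest covers the previous digest, deleting or reordering entries is caught in the same way as editing one; the log store itself should still be append-only and its key kept out of reach of the accounts being audited.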
Upgrade to Follow the HIPAA Security Rule
The eCommerce platform must be configured and validated to be compliant. Clarity's eCommerce platform tailored for medical and healthcare practices uses highly regarded and secure measures to perform periodic auditing and reviewing. The software also provides the necessary protection protocols to pass HIPAA eCommerce compliance.