Cyber risk management is a growing issue, and keeping ePHI secure from the threat of data breaches is critical for all organizations that collect, store, and use that information. For this reason, Formstack partnered with healthcare information security expert George Bailey to discuss HIPAA security standards and best practices for HIPAA compliant data collection. Here are some of the top questions George helped us answer.
1. What are some of the most common security issues that healthcare organizations encounter?
Here are three common security issues faced by healthcare organizations of all sizes:
- Regardless of the size of the organization, outdated software is a very common issue. Making sure software is updated as quickly as possible will help reduce risk—from your operating system, to third-party apps like Acrobat and Flash Player, to your web browser.
- In many cases, computer networks aren’t segmented or isolated appropriately. For example, servers that host an EHR should be segmented and secured at a higher level than any other servers in the network.
- Many organizations fail to enforce strong authentication systems. Password requirements aren’t what they need to be: with modern technology, passwords aren’t adequately secure until they reach the 12-14 character mark. This may not be necessary for all users within your system, but it should apply to anyone with administrative access.
2. Are there guidelines for determining if data being collected in a form falls under the HIPAA Security Rule?
There are 18 identifiers that constitute PHI in conjunction with a patient’s name. Some of these 18 components might not seem identifying, but if you collect this information from a patient as a healthcare provider and a covered entity, you have an obligation to treat it as PHI. Other statistical factors must also be considered. For example, a name and a prescription might not be enough to identify or re-identify a patient in a community with a large population, but in a rural community with a low population, the same two data points could easily be used to re-identify a patient.
3. If employees on the network routinely leave their computers unlocked, is that considered a HIPAA violation?
Leaving your computer unlocked is not considered a HIPAA violation in itself. However, if unauthorized personnel were to use that workstation and view PHI without a business need to do so, that would be considered a HIPAA violation. Locking your workstation is definitely a best practice and a cost-effective way to mitigate that risk.
4. Is HIPAA compliance similar to FERPA when it comes to higher education?
FERPA is the higher-education equivalent of HIPAA. FERPA is a confidentiality framework, whereas HIPAA applies to privacy, confidentiality, and access. There are many similarities between FERPA and HIPAA. Whether or not your institution is subject to both of these regulations, it’s important to understand the rights of students and patients, and who is (or is not) entitled to their information.
Check out this blog post for more details on the similarities and differences between FERPA and HIPAA compliance!
5. What is the difference between a Formstack HIPAA account and a regular Formstack account?
There are several factors that differentiate a Formstack HIPAA account from a regular Formstack account:
- Signed BAA: Formstack signs a BAA with HIPAA customers, making us liable for the data if a breach ever occurred.
- Encrypted Submissions: Form submissions that include PHI must be encrypted to meet HIPAA compliance standards. This includes TLS encryption (TLS 1.0, 1.1, and 1.2).
- Dedicated Security Team: We have a security team that would handle a breach if it were to occur, and the team monitors HIPAA accounts heavily to mitigate all risks.
- Priority Support: HIPAA accounts receive a dedicated onboarding specialist and priority support, so you aren’t waiting nearly as long to have your questions answered or your issues resolved.
- Audit Logging: Formstack is able to provide a detailed account activity log in the event of a security breach to help identify which user(s) accessed or exported sensitive data.
6. In the absence of a BAA, does the responsibility of a breach fall on the healthcare provider that compiles the data?
Yes. We sign a BAA taking on the liability for the data if there is ever a breach, but if a BAA is not signed, the healthcare provider is liable for any data breach.
7. Can you put safeguards onto existing Formstack forms, or do you have to re-create a form using Formstack’s HIPAA compliant product?
The Formstack platform is not HIPAA compliant out of the box—collecting PHI on a standard Formstack account is a violation of our Terms of Service. Users are able to convert current Formstack accounts to a HIPAA compliant account, or they can start using the HIPAA compliant product from scratch on a new account.
8. How are some of Formstack’s HIPAA customers using the platform?
A few use cases include patient registration, patient experience, and call centers that handle medical ordering (e.g., pharmaceutical, telemedicine, and home healthcare). In general, if your healthcare organization is using clunky, paper-based processes, Formstack can help you stay HIPAA compliant while adding security and efficiency with workflow and automation.
9. Where can we learn how to use Formstack to send ePHI into our EHR system?
Formstack has a HIPAA compliant API and is getting ready to launch HIPAA compliant webhooks so your team can route data to any key systems you have in place. To learn more about sending ePHI into your EHR system before signing up for a Formstack HIPAA account, contact firstname.lastname@example.org. If you’re already using a Formstack HIPAA account, contact your priority support representative.
10. What makes Formstack different from other HIPAA compliant form builders?
The two biggest reasons people choose Formstack over other form builders are our robust system and our priority support. Our system is so easy to learn that most users can pick up on it within 30 minutes without any coding experience. This is because the forms are all drag and drop.
Formstack HIPAA customers have access to priority support, including their own onboarding specialist and someone to address their support questions. Most questions are answered within two hours if the support specialist can respond via email, or within 24 hours if a phone call is needed.