MEDTECH COMPANY HIPAA ALERT: IMPLEMENT THESE TECHNICAL SAFEGUARDS NOW!
HIPAA[1] is a complex healthcare privacy law that applies to many global technology companies which serve the U.S. healthcare industry. Tech companies that are deemed Business Associates under HIPAA should implement the following technical safeguards from the first day of operations:[2]
- ACCESS RESTRICTIONS. To ensure that only authorized personnel have access to electronic protected health information (ePHI):
- Assign unique user names and passwords to authorized users that are changed every ninety (90) days or less;
- Automatically terminate user access sessions after periods of inactivity;
- Only authorize access to ePHI to users that have a “need to know” and limit such access to the minimum ePHI necessary to perform their required activities;
- Terminate user access on termination or resignation of employment or engagement; and
- Modify user access on change of job duties as appropriate.
- AUTHENTICATION. Implement identity verification procedures to ensure that the person seeking access to ePHI is actually the authorized user.
- CYBERSECURITY. Implement technical security measures to prevent unauthorized access to, alteration and destruction of, ePHI, such as firewalls, anti-virus software, and anti-phishing software.
- TRANSMISSION SECURITY. Implement security measures to guard against unauthorized access to ePHI during transmission of ePHI, including encryption, as appropriate.
- AUDIT CONTROLS. Implement hardware and/or software mechanisms that log user activity in information systems that contain or use ePHI.
SLG has leveraged its extensive knowledge in the technology industry to support our clients’ compliance needs under HIPAA. For more information, please see our HIPAA For Tech Companies page.
[1] HIPAA is The Health Insurance Portability and Accountability Act of 1996, a U.S. healthcare privacy law, which has been implemented through various federal rules by the US Department of Health and Human Services (HHS) (the “HIPAA Rules”).
[2] See 45 C.F.R. 164.312.