In 1996, President Bill Clinton signed the Health Insurance Portability And Accountability Act (HIPAA).
The law applies principally to US businesses and organisations, but it also reaches some UK-based organisations (we'll get to that later, along with how it differs from the GDPR).
HIPAA's purpose is to keep patients' medical and identifying data safe: it sets national standards for the privacy and security of protected health information (PHI).
The act has five titles, but one in particular affects the provision of WiFi to the public and patients in healthcare buildings: Title II.
Resource: HIPAA official website (Health Information Privacy U.S. Department of Health & Human Services)
HIPAA Title II and why it matters
Title II of HIPAA standardises electronic healthcare transactions and, through the rules issued under it, requires organisations to give staff and patients safe, secure electronic access to patient health data.
Three of those rules matter most in relation to WiFi:
- Privacy Rule: national standards for how PHI may be used and disclosed.
- Security Rule: administrative, physical and technical safeguards for electronic PHI (ePHI).
- Enforcement Rule: investigation procedures and civil money penalties for violations.
In 2013 the Omnibus Final Rule wrote the HITECH penalty tiers into the regulations: up to $1.5 million per calendar year for all violations of a single provision (a cap that has since been adjusted for inflation), not per incident.
Non-compliance is therefore costly, and the fine is rarely the only cost. A data breach can trigger an investigation or audit by the HHS Office for Civil Rights (OCR), breach notification to affected patients and to HHS, and in cases of knowing misuse of PHI, criminal charges.
There’s no official certification for HIPAA compliance, but there are plenty of training programs and materials available.
Resource: Training Materials (Health Information Privacy U.S. Department of Health & Human Services)
How HIPAA impacts WiFi
The HIPAA Security Rule (45 CFR 164.312) lists five technical safeguard standards:
- Access control
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security
The one we're particularly interested in for WiFi is transmission security. It requires technical measures that guard against unauthorised access to ePHI while it travels over an electronic network, which in practice means encryption and integrity protection for data in transit. The Beambox email and social WiFi login solutions are built to meet this standard.
Guests, patients and staff all depend on reliable WiFi connections, but to build a network for that audience, you need to understand how it must be governed by HIPAA.
At Beambox, everything we do is approached with a security-first mindset. We’re conscious of the fact that many healthcare organisations are moving to the cloud, which means patient history, prescription details and lab results are passing through networks.
This is why it is vital that HIPAA compliance is established with the help of a secure WiFi service like the one we provide.
How to provide WiFi that is HIPAA compliant
Let’s consider the two key elements of a HIPAA compliant WiFi network.
1. The Hardware
You can't provide a great WiFi service without the right hardware. Outdated kit (for example access points that cannot separate guest traffic from staff traffic, or that only support obsolete encryption such as WEP or WPA-TKIP) lowers data security and severely undermines your ability to be HIPAA compliant.
For instance, Beambox access points create a separate, isolated guest WiFi network. This keeps guest traffic away from the network used by the business or organisation, but it goes further than that.
Beambox also features client isolation, which stops guest devices from talking to each other through the access point. Two caveats a network engineer will raise: client isolation only blocks frames relayed by the AP itself, so the guest network must also be isolated on the wired side (its own VLAN, and a firewall rule that drops guest-to-LAN forwarding); and isolating guests from each other does nothing to encrypt their traffic, which on an open guest SSID travels in the clear.
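To make the two hardware points concrete, here is a hostapd configuration that puts a staff SSID and an isolated guest SSID on one radio. It is an added illustration written for this page, not Beambox's configuration; the interface, bridge and SSID names and the placeholder passphrase are assumptions.

```conf
# hostapd.conf: staff and guest networks on one radio (added example; names are assumptions)
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ieee80211n=1

# Staff BSS: WPA2-PSK at minimum (WPA2/WPA3-Enterprise is better), bridged to the clinical LAN
ssid=Clinic-Staff
bridge=br-lan
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=change-me-to-a-long-random-passphrase
# Management frame protection (1 = optional, 2 = required once all staff devices support it)
ieee80211w=1

# Guest BSS: its own interface and bridge, so guest frames never touch br-lan.
# Open SSID: the captive portal handles the login over TLS, but guest traffic itself is not encrypted.
bss=wlan0_1
ssid=Clinic-Guest
bridge=br-guest
# Client isolation: the AP refuses to relay frames between its own guest clients
ap_isolate=1
```

`ap_isolate=1` only covers frames that pass through this AP. Finish the job on the wired side by putting `br-guest` in its own VLAN and dropping guest-to-LAN forwarding in the firewall, for example with nftables: `nft add rule inet filter forward iifname "br-guest" oifname "br-lan" drop` (assuming an `inet filter` table with a `forward` chain already exists).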
2. The software
The software used to control access to your WiFi network is just as important as the hardware, from a HIPAA perspective.
For example, HIPAA compliance is felt most when guest WiFi is provided in waiting rooms at dentists' and doctors' surgeries. Beambox achieves the level of security HIPAA requires in such settings by:
- requesting explicit marketing opt-in during WiFi registration;
- serving the captive-portal login over TLS (what many people still call SSL), so registration details are encrypted in transit; and
- storing registration data securely in the cloud.
Note that TLS on the portal protects the login exchange, not the guest's subsequent browsing on an open SSID; the portal should never collect more than the minimum needed to grant access. In these respects HIPAA's expectations are largely similar to the GDPR's.
Who does HIPAA apply to?
There are primarily two types of organisation that must abide by the HIPAA regulations.
- Covered entities. These are health plans, healthcare clearinghouses, and any healthcare provider that transmits health information electronically in connection with a standard transaction (claims, referrals, benefit eligibility inquiries and the like).
- Business associates. These are organisations that create, receive, maintain or transmit PHI on behalf of a covered entity. Common examples include legal firms, accountants, external consultants, and IT, cloud and hosting providers. A guest WiFi vendor that stores patient registration details for a clinic falls into this category, so the covered entity must have a business associate agreement (BAA) in place with it.
How Beambox remains HIPAA compliant
There are several ways the team at Beambox ensures our guest WiFi systems remain HIPAA compliant:
- we comprehensively document the Beambox services that need to be HIPAA compliant and can provide the details on demand;
- we can offer one-to-one guidance and training on how to ensure your Beambox system is managed securely;
- our employees are regularly trained in HIPAA compliance to ensure they’re aware of all the requirements; and
- our processes are independently audited for HIPAA compliance.
We can also provide a copy of our HIPAA Report on Compliance (HROC) and references from Beambox users who are of a similar size to yours.
I’m a UK business - do I need to be HIPAA compliant?
There are no UK-specific HIPAA guidelines to follow, but HIPAA obligations follow the data rather than the border. If your business handles PHI on behalf of a US covered entity, you are its business associate: it will require you to sign a business associate agreement, and since the 2013 Omnibus Rule business associates are directly liable for complying with the Security Rule's safeguards.
The differences between the GDPR and HIPAA
The General Data Protection Regulation (GDPR) took effect in May 2018 and applies to any business that processes the personal data of individuals in the EU, wherever that business is based.
On the face of it, the GDPR is very similar to HIPAA, but there are some key differences:
- HIPAA is scoped by who holds the data (US covered entities and their business associates) rather than by whose data it is, whereas the GDPR is person-centric and follows the data subject across international boundaries;
- HIPAA does not require a patient's consent before PHI is stored and used for treatment, payment or healthcare operations, while the GDPR requires a lawful basis for every processing purpose;
- patients have rights of access and amendment under HIPAA, but not the GDPR's 'right to erasure';
- both regimes restrict marketing: HIPAA requires the patient's written authorisation before PHI is used for marketing (with narrow exceptions such as face-to-face communications and gifts of nominal value), while the GDPR treats direct marketing as a processing purpose needing a lawful basis and an easy opt-out;
- breach notification differs: HIPAA requires notifying affected individuals and HHS within 60 days of discovery, and since 2013 a breach is presumed reportable unless a risk assessment shows a low probability that the PHI was compromised (the old 'significant risk of harm' test is gone), whereas the GDPR gives 72 hours to notify the supervisory authority; and
- during a declared public health emergency, HHS can waive sanctions for certain Privacy Rule provisions (a Section 1135 waiver); the GDPR has no equivalent.
Need more help?
There’s no escaping the fact that you need a HIPAA compliant WiFi service if you operate in healthcare in the US.
However, you’ll need help implementing one, which is why talking to the team at Beambox should be your first port of call. Get in touch today to find out more about our HIPAA compliant WiFi solution.
Reference: the 18 HIPAA Safe Harbor identifiers (what makes health data PHI)
Health information that carries any of the following 18 identifiers of the patient (or of their relatives, employers or household members) is PHI. Removing all 18 is the Safe Harbor route to de-identified data, which is why it doubles as a checklist of what should never end up in WiFi logs or registration records:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, ZIP code; the first three digits of a ZIP may be kept when that area holds more than 20,000 people)
- Any dates (except years) directly related to an individual, including birthday, date of admission or discharge, date of death, and any age over 89 (such ages must be aggregated into a single '90 or older' category)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
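Stripping the machine-detectable identifiers out of logs and exports is the practical side of that list. The following is an added example written for this page, not Beambox code: a Safe Harbor style scrubber for the identifier classes that have a recognisable shape (SSNs, phone and fax numbers, email addresses, IP addresses, URLs, MAC addresses as device identifiers, dates reduced to their year, ages over 89 bucketed to 90+, and record numbers that carry a label). The log lines are constructed for the example. Names, street addresses and unlabelled record numbers have no fixed shape and still need dictionary or NLP based detection, or better, should never be written to WiFi logs in the first place.

```python
"""Safe Harbor style scrubber for identifier classes with a recognisable shape.

Added example for this page; not Beambox code. Sample log lines are constructed.
"""
import re
from collections import Counter

# Order matters: the specific shapes (SSN, MAC, IP, URL, email, dates) run before
# the looser phone pattern, so a 3-2-4 SSN or a dotted IP is never tagged as a phone.
# Replacement strings may reference capture groups; the year of a date is kept,
# which Safe Harbor allows.
_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("mac", re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"), "[MAC]"),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+"), "[URL]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    ("date_iso", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"[DATE \1]"),
    ("date_us", re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"[DATE \1]"),
    # Record numbers only when a label says what they are: an unlabelled 7-digit
    # number could be anything, and over-matching destroys the log's usefulness.
    ("labelled_id",
     re.compile(r"\b(MRN|patient id|member id|account|acct|policy)\s*(?:no\.?|number|#)?\s*[:#]?\s*"
                r"((?=[A-Za-z-]*\d)[A-Za-z0-9-]{4,})\b", re.IGNORECASE),
     r"\1 [ID]"),
    ("phone", re.compile(r"(?<!\w)(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\w)"), "[PHONE]"),
]

# Ages over 89 must be collapsed into a single "90 or older" bucket; 89 and under stay.
_AGE = re.compile(r"\b(aged?\s+)(\d{1,3})\b", re.IGNORECASE)

# Constructed captive-portal log lines (hypothetical names, addresses and numbers).
SAMPLE_LOG = (
    "2024-03-15 09:12:44 portal register email=jane.doe@example.com "
    "phone=(415) 555-0123 client=10.20.30.41 mac=a4:5e:60:b1:c2:d3\n"
    "2024-03-15 09:13:02 note: patient aged 92, MRN 4471029, dob 07/04/1931, "
    "ssn 123-45-6789 referred via https://intranet.example.org/referral/88213\n"
)


def deidentify(text: str) -> tuple[str, Counter]:
    """Return the scrubbed text and a count of replacements per identifier class."""
    counts: Counter = Counter()
    for label, pattern, repl in _PATTERNS:
        text, n = pattern.subn(repl, text)
        counts[label] += n

    def bucket_age(m: re.Match) -> str:
        # Only ages over 89 are identifiers; rewrite those and count them.
        if int(m.group(2)) > 89:
            counts["age"] += 1
            return f"{m.group(1)}90+"
        return m.group(0)

    text = _AGE.sub(bucket_age, text)
    return text, +counts  # unary plus drops classes with zero hits


if __name__ == "__main__":
    scrubbed, hits = deidentify(SAMPLE_LOG)
    print(scrubbed)
    print(dict(hits))
```

Run it on a log export before it leaves the clinic's environment, and keep the per-class counts: a sudden jump in `email` or `phone` hits in a log that should contain neither is itself a finding about what the portal is writing to disk.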