The purpose of HIPAA, the Health Insurance Portability and Accountability Act, is to keep patients’ health and personally identifiable data safe through standardized security provisions for data privacy. How does HIPAA relate to guest/public WiFi in healthcare buildings? What are the latest Privacy Rule requirements you should know to ensure HIPAA WiFi compliance and avoid penalties?
HIPAA Compliance: What Are the 3 HIPAA Rules?
HIPAA, which was signed into law in 1996, is made up of 3 major components, or the 3 HIPAA rules.
- HIPAA Privacy Rule
This was last updated in 2002 to “set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.”
- Security Rule
This was finalized in 2003 to set “national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).” The types of information that qualify as ePHI are as follows:
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
It’s important to note that the Security Rule does not apply to protected health information (PHI), meaning a patient’s individually identifiable health information, that is transmitted orally or in writing; that information falls under the Privacy Rule.
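The list above gives the identifier types that turn captured data into ePHI. A guest WiFi captive portal or SMS sign-up form collects exactly this kind of free text, so it helps to check what is being stored. The following Python scanner is an added example written for this article, not code from HHS, CMS or Beambox; the regular expressions are my own approximations of the identifier shapes (SSN, phone, email, IP address, date, URL, medical record number) and the sample registration line is constructed for the demonstration.

```python
"""Scan captured guest-WiFi text for identifier types that qualify as ePHI.

Added illustration: the category names follow the article's list; the
regular expressions are approximations written for this example and will
not catch every real-world format.
"""
import re
from typing import Dict, List

# (?<!\w) is used instead of \b at the start of the phone pattern because
# a word boundary does not exist between a space and an opening parenthesis.
EPHI_PATTERNS: Dict[str, "re.Pattern"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"(?<!\w)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    # Hypothetical "MRN <digits>" convention; real systems vary.
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}


def find_ephi(text: str) -> Dict[str, List[str]]:
    """Return {category: [matches]} for every identifier type found in text."""
    found: Dict[str, List[str]] = {}
    for name, pattern in EPHI_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def redact(text: str) -> str:
    """Replace each identifier with a bracketed category label, e.g. [SSN]."""
    for name, pattern in EPHI_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


# Constructed sample of what a portal/SMS registration record might look like.
SAMPLE_CAPTURE = (
    "Guest registration 2023-04-12: jane.doe@example.org, phone (555) 123-4567, "
    "client IP 10.20.30.41, MRN 00123456, SSN 123-45-6789, "
    "referred via https://portal.example/visit"
)

if __name__ == "__main__":
    for category, matches in find_ephi(SAMPLE_CAPTURE).items():
        print(f"{category:10s} {matches}")
    print(redact(SAMPLE_CAPTURE))
```

Run against a registration export before it is retained, and treat any non-empty result as a signal that the stored data is subject to the Security Rule, not just to the opt-in terms on the portal.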
- Breach Notification Rule
This rule requires “HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”
How HIPAA Impacts WiFi
So where does WiFi HIPAA compliance come in exactly? Healthcare systems now rely on internet technologies to digitize and streamline the creation, collection, storage, management, and transmission of ePHI. When that information is accessed and used over a wireless network, WiFi HIPAA compliance becomes crucial to protecting a patient’s right to data privacy and security. Whether you’re using a captive portal for guest WiFi login or building an SMS subscriber list to send alerts and reminders to patients, using guest WiFi as a direct means of communication is certainly convenient, but it also presents data security challenges.
HIPAA’s Security Rule is the most relevant to HIPAA WiFi compliance. There are four technical safeguards under the Security Rule which directly apply to the protection of ePHI:
- Access control
- Audit control
- Integrity control
- Transmission security
Transmission security is where WiFi HIPAA compliance comes in. Guidelines for transmission security specify that “A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network,” such as WiFi.
With a growing number of healthcare organizations migrating their data to the cloud, installing a WiFi network in healthcare buildings to serve the needs of guests, patients, and staff requires a security-first mindset to guarantee transmission security, as stipulated in the HIPAA guidelines. Choosing the right provider of a secure WiFi network should be a top priority.
HIPAA WiFi Compliance: What Entities Are Affected?
There are primarily two types of organization that must ensure HIPAA WiFi compliance:
Covered entities
These include all types of healthcare entities which transmit health information electronically, such as when doing transactions, which could include claims, referrals, or benefit eligibility inquiries; when collecting basic patient information; or when accessing patient histories, among others.
Business contracts and associates
These refer to organizations that perform certain activities on behalf of a healthcare provider and which involve the use of patient health data. Common examples include legal firms, accountants, and external consultants.
HIPAA IT Compliance Requirements
HIPAA IT compliance requirements, specifically for HIPAA WiFi compliance, are largely covered by the Security Rule Standard for Transmission Security. This standard for HIPAA tech safeguards requires a covered entity to: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” Under the Security Rule, an electronic open network must be adequately protected for secure transmission of ePHI.
The Transmission Security Standard has two implementation specifications: integrity controls and encryption.
HIPAA WiFi Compliance via Integrity Controls
To ensure integrity control for HIPAA WiFi compliance, a covered entity must “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
The use of network communication protocols, which ensure that the data sent is the same as the data received, is recommended as the primary method for protecting the integrity of ePHI during transmission. Data or message authentication codes may also be considered as alternative security measures.
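The paragraph above names message authentication codes as an alternative integrity measure. On a WiFi link, TLS already provides this at the transport layer; the following Python example, added here and not taken from the article or from any vendor, shows the same idea at the application layer: an HMAC-SHA256 tag computed over a serialized ePHI record so that any modification in transit is detected before the record is accepted. The record, field names and shared key are constructed for the demonstration. Note that a MAC gives integrity and authenticity only; confidentiality still requires the encryption discussed in the next section.

```python
"""Detect in-transit modification of an ePHI record with an HMAC tag.

Added illustration of the "message authentication code" integrity control.
Everything here (record layout, key, field names) is constructed for the
example; it is not the article's or any product's code.
"""
import hashlib
import hmac
import json
from typing import Tuple


def protect(record: dict, key: bytes) -> Tuple[bytes, bytes]:
    """Serialize the record deterministically and return (payload, tag).

    sort_keys and compact separators make the serialization canonical, so the
    receiver can recompute the tag over exactly the same bytes.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload, tag


def verify(payload: bytes, tag: bytes, key: bytes) -> bool:
    """True only if the tag matches; compare_digest avoids timing leaks."""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def receive(payload: bytes, tag: bytes, key: bytes) -> dict:
    """Accept the record only after the integrity check passes."""
    if not verify(payload, tag, key):
        raise ValueError("integrity check failed: ePHI record modified in transit")
    return json.loads(payload)


def tamper(payload: bytes) -> bytes:
    """Simulate an on-path change of one field (a corrupted or altered dose)."""
    return payload.replace(b'"dose_mg":10', b'"dose_mg":100')


# Constructed sample: a shared key both ends already hold, and one record.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SAMPLE_RECORD = {"mrn": "00123456", "drug": "warfarin", "dose_mg": 10}

if __name__ == "__main__":
    payload, tag = protect(SAMPLE_RECORD, SHARED_KEY)
    print("intact record accepted:", receive(payload, tag, SHARED_KEY))
    try:
        receive(tamper(payload), tag, SHARED_KEY)
    except ValueError as err:
        print("tampered record rejected:", err)
```

The key must be delivered to both ends out of band (for example through the covered entity's key management process); the scheme detects modification, but it does not hide the record's contents from anyone on the same network.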
HIPAA WiFi Compliance via Encryption
As a reasonable and appropriate safeguard and for HIPAA WiFi compliance, encryption methods must be used by a covered entity when transmitting ePHI over an open network, particularly over the internet.
Transmission Security Standard guidelines for encryption, as outlined in the Centers for Medicare & Medicaid Services’ (CMS) HIPAA Security Series, recommend that “A covered entity should discuss reasonable and appropriate security measures for the encryption of EPHI during transmission over electronic communications networks with its IT professionals, vendors, business associates, and trading partners.”
Best Practices for HIPAA Compliance
Let’s take a look at the best practices for HIPAA compliance when using a WiFi network.
Guidelines for Remote Use/Access of ePHI
According to WiFi HIPAA policy guidelines, remote access to ePHI through portable devices (such as USB flash drives) or offsite ePHI access or transport via laptops, PDAs, home computers, or other external systems or hardware not owned/managed by a HIPAA covered entity must only be allowed “when it is clearly determined necessary through the entity’s business case(s)” and provided that access complies with the applicable requirements of the HIPAA Privacy Rule.
The U.S. Department of Health & Human Services (HHS) has developed guidelines with respect to remote access to or use of EPHI. Covered entities should place significant emphasis and attention on their:
- Risk analysis and risk management strategies;
- Policies and procedures for safeguarding EPHI;
- Security awareness and training on the policies & procedures for safeguarding EPHI.
WiFi HIPAA Policy Guidelines for Mobile Devices
The HHS’s WiFi HIPAA policy guidelines list the following tips and information to help protect and secure patient health information when using mobile devices.
- Use a password or other user authentication.
- Install and enable encryption.
- Install and activate remote wiping and/or remote disabling.
- Disable and do not install or use file sharing applications.
- Install and enable a firewall.
- Install and enable security software.
- Keep your security software up to date.
- Research mobile applications (apps) before downloading.
- Maintain physical control of your mobile devices.
- Use adequate security to send or receive health information over public WiFi networks.
- Delete all stored health information before discarding or reusing the mobile device.
HIPAA Compliant Wireless Router
You can’t provide a great WiFi service without the right hardware; for HIPAA WiFi compliance, it’s even more important that you use the latest WiFi technology, such as a HIPAA compliant wireless router. Outdated kit, for example, can result in lower levels of data security that may severely impact your ability to be HIPAA compliant.
For instance, Beambox access points create a separate, isolated guest WiFi network. This secures guest traffic from the network used by the business or organization — but it goes even further than that. Beambox also features client isolation, which isolates traffic between individual guest devices. You don’t get much more secure than that.
HIPAA Compliant WiFi Software
The software used to control access to your WiFi network is just as important as the hardware, from a HIPAA perspective.
When patients use guest WiFi provided in a clinic or hospital waiting room, for example, the appropriate level of security required for HIPAA WiFi software compliance can be ensured by:
- Requesting explicit marketing opt-in during WiFi registration;
- Implementing SSL and traffic encryption for all logins; and
- Storing data securely in the cloud.
Choosing the Right WiFi System for HIPAA Compliance
To ensure HIPAA WiFi compliance, you must choose the right WiFi system and provider for your venue. There are several ways the team at Beambox ensures our guest WiFi systems remain HIPAA compliant:
- We comprehensively document Beambox services that need to be HIPAA compliant and can provide the details on demand;
- We can offer one-to-one guidance and training on how to ensure your Beambox system is managed securely;
- Our employees are regularly trained in HIPAA compliance to ensure they’re aware of all the requirements; and
- Our processes are independently audited for HIPAA compliance.
We can also provide a copy of our HIPAA Report on Compliance (HROC) and references from Beambox clients.
There’s no escaping the fact that you need a HIPAA compliant WiFi service if you operate within the healthcare industry in the US. However, you’ll need help implementing a HIPAA compliant WiFi system. Get in touch with us today to find out more about our HIPAA compliant WiFi solution. Accelerate your business growth — start your Beambox free trial today!