How SSO Makes Being HIPAA Compliant Easier

By David Olukoju

January 5, 2022

The HIPAA and HITECH acts help to protect PHI in the event of a breach. They are sets of regulations and laws that determine how Protected Health Information (PHI) is disclosed and safeguarded. Entities that handle PHI while providing services on behalf of a separate covered entity are categorized as business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). For example, when PHI is stored online, the law entitles an individual to view their own medical information; to access it, they must first securely verify their identity, which is done through a business associate such as a login application.

Why is HIPAA Relevant Today?

Data privacy centers around handling information according to its relative sensitivity. This information includes personally identifiable information (PII), which in turn includes PHI. PII covers data such as social security numbers, credit card numbers, full names, and addresses. The more sensitive the data, the stronger the security it requires; for example, a data breach at a hospital can put thousands of individuals' PHI in the hands of people who might exploit it. Even a breach of less sensitive data can enable serious harm. The HIPAA act was enacted to combat this by improving security when handling PHI and ensuring that affected individuals are made aware of a data breach.

The Later HITECH Act

Thirteen years after the HIPAA act was enacted, its scope was extended through the Health Information Technology for Economic and Clinical Health (HITECH) act. The HITECH act focused more extensively on the relationship between health organizations and patients regarding health information technology. It targets privacy and security because a far greater volume of data is handled than when HIPAA was first enacted. To increase compliance, HITECH provides incentives for the safe transfer of PHI to eligible professionals. It also strengthens the response to breaches by requiring public notification of security breaches.

Effects of HITECH and HIPAA

As mentioned above, organizations that deal with PHI are categorized as business associates. For example, health insurance providers are considered business associates since they collect PHI electronically and perform work for a covered entity. According to the HITECH and HIPAA acts, business associates must take appropriate measures to safeguard the PHI they handle, and these measures must be communicated to their covered entities for assurance. This assurance is mandated by the Privacy Rule, which states that covered entities must receive proof that the business associate can be trusted with PHI.

According to the HIPAA Act, Organizations Must:
– Describe the permitted and required uses of protected health information by the business associate
– Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law
– Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

Breaches are evaluated on behalf of the covered entities, so when a business associate causes a breach or violation, the covered entity is required to take steps to rectify the breach and disclose information about it.

How to Lessen the Chance for a Breach

Identity verification is necessary to access PHI online, and that verification is performed through a business associate. Business associates must therefore abide by the HIPAA and HITECH regulations described above, which focus on the secure handling of data and on data breaches. One identity verification model that helps minimize the chance of a breach is Single Sign-On (SSO).

SSO is an authentication service that permits users to use one set of login credentials instead of many. humanID's SSO works when the user enters their phone number. This number, paired with a valid SIM card, is used to authenticate the user. Upon authentication, the phone number is deleted, and each user is assigned a unique online identity known as a hash-led identifier. From the user's point of view, they input their phone number and receive a code through SMS; upon entering it, the user is granted access to the service. This method results in a lower implied cost of a data breach and quicker privacy law compliance.
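As an added illustration of the flow just described (this is constructed example code, not humanID's implementation): a one-time SMS code is issued with an expiry and an attempt limit, compared in constant time, and on success the phone number is discarded and replaced by a keyed-hash identifier. The pepper value, the in-memory pending store and the send_sms callback are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 3        # then the code is invalidated and a new one must be requested
# Assumption: a server-side secret held in a KMS/HSM; a constructed placeholder here.
IDENTIFIER_PEPPER = b"constructed-example-pepper-not-a-real-secret"


def derive_identifier(phone: str) -> str:
    """Keyed hash of the phone number. An unkeyed SHA-256 would be reversible by
    enumerating the small phone-number space, so an HMAC with a secret pepper is used."""
    return hmac.new(IDENTIFIER_PEPPER, phone.encode(), hashlib.sha256).hexdigest()


class PhoneSsoVerifier:
    """Constructed phone-number + SMS-code login; the phone number only lives in
    the pending store until the code is verified, then it is deleted."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # callback(phone, code); the SMS gateway in practice
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # phone -> [code, expires_at, attempts]

    def start(self, phone: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded 6 digits
        self._pending[phone] = [code, self._now() + OTP_TTL_SECONDS, 0]
        self._send_sms(phone, code)

    def finish(self, phone: str, submitted: str):
        """Return the hash-led identifier on success, None on any failure."""
        entry = self._pending.get(phone)
        if entry is None:
            return None
        code, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[phone]            # stale or brute-forced: discard
            return None
        entry[2] += 1
        if not hmac.compare_digest(code, submitted):
            return None                         # wrong code; attempt counted
        del self._pending[phone]                # one-time use; phone number dropped
        return derive_identifier(phone)
```

In production the pending entry would be keyed by a random session token rather than the phone number itself, and rate limiting would also apply per source address.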

The HIPAA act helps to safeguard the electronic transfer of PHI through regulations and laws. The HITECH act was later enacted in response to the increasing volume of data and data transfers. This trend is likely to continue for the foreseeable future, so more prudent means of accessing PHI, such as SSO, will be necessary. While technology such as SSO helps minimize the risk of breaches, it is recommended that you have a plan ready in the event of a breach.