
HIPAA Compliance Best Practices


The trend toward virtual R&D in the pharmaceutical industry means patient information must be increasingly accessible. With many of the key researchers and team members no longer located in the same building (and sometimes not even part of the same company), it is increasingly difficult to make sure patient privacy is protected.

Not only is patient privacy important to maintain patient trust, which plays a major role in finding volunteers for clinical trials, it’s legally mandated by The Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The HIPAA Regulations Health Professionals Need To Know

There are several key provisions in HIPAA that companies that deal with protected health information (PHI) need to be well-versed in. These key provisions impact not only “covered entities,” which provide treatment, payment and operations in healthcare, but also business associates and anyone with access to patient information.

The HIPAA Privacy Rule: The HIPAA Privacy Rule protects the privacy of individually identifiable health information.

The HIPAA Security Rule: The HIPAA Security Rule sets the national standards for the security of electronic protected health information. This is especially important as more healthcare facilities work to transition to digital-only filing systems and records.

HIPAA Breach Notification Rule: Any company that deals with protected health information is required by the HIPAA Breach Notification Rule to provide notification following a breach of unsecured protected health information.

Patient Safety Rule: The Patient Safety Rule requires confidentiality of patient data, protecting identifiable information that is used to analyze patient safety events and improve patient safety.

Maintaining Security Standards Set Out in HIPAA Regulations

How can companies that are increasingly mobile, digital and remote ensure that all of the HIPAA regulations are upheld?

One solution is to find a secure cloud storage system, which allows for remote access to files from any location; however, not all storage systems are created equal. There are several features in particular that companies dealing with protected health information must look for when choosing a storage solution.

Physical Security: Even cloud service providers store their data in a physical data center somewhere. That physical location needs to be compliant with HIPAA regulations, meaning it needs facility access controls in place.

Digital Protection: Tools like multi-factor authentication and permission-based user roles should be in place to limit access to only those personnel who need it. Files should be encrypted during transfer, when they are most vulnerable.

Audit logs should be available to track each instance of access per individual, the access date and time, and the actions taken with regard to the files (upload, download, print, etc.). When used in combination with permission-based user roles, audit logs can help ensure protected health information isn't inappropriately altered or destroyed.
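As an added example (not code from the original post or from any storage product), the kind of review this combination makes possible: constructed audit records in a hypothetical pipe-delimited format are checked against a hypothetical role-permission map, flagging any action a user's role does not allow and any action that alters or destroys PHI.

```python
"""Review audit log entries against permission-based user roles.

Added illustration with a constructed log format and a hypothetical role
model; adapt the parser and the role map to the storage system in use.
"""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role model: which file actions each role may perform.
ROLE_PERMISSIONS = {
    "investigator": {"view", "upload", "download"},
    "monitor": {"view", "download"},
    "data_manager": {"view", "upload", "download", "print", "modify", "delete"},
}

# Actions that alter or destroy PHI; flagged even when the role permits them.
DESTRUCTIVE = {"modify", "delete"}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    user: str
    role: str
    action: str
    file: str


def parse_line(line: str) -> AuditEvent:
    # Constructed format: ISO-8601 time|user|role|action|file path
    ts, user, role, action, path = line.strip().split("|")
    return AuditEvent(datetime.fromisoformat(ts), user, role, action, path)


def review(lines):
    """Return (event, reason) pairs for every entry that needs follow-up."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        allowed = ROLE_PERMISSIONS.get(ev.role, set())  # unknown role: nothing allowed
        if ev.action not in allowed:
            findings.append((ev, f"action '{ev.action}' not permitted for role '{ev.role}'"))
        elif ev.action in DESTRUCTIVE:
            findings.append((ev, "alters or destroys PHI; confirm this was authorized"))
    return findings


SAMPLE_LOG = [  # constructed sample entries
    "2024-03-04T09:12:00|asmith|investigator|download|trial-042/subject-0017.pdf",
    "2024-03-04T09:15:30|bjones|monitor|print|trial-042/subject-0017.pdf",
    "2024-03-04T10:02:11|clee|data_manager|delete|trial-042/subject-0021.pdf",
    "2024-03-04T10:05:45|asmith|investigator|modify|trial-042/subject-0017.pdf",
]

if __name__ == "__main__":
    for ev, reason in review(SAMPLE_LOG):
        print(f"{ev.timestamp.isoformat()} {ev.user} {ev.action} {ev.file}: {reason}")
```

Run on the sample entries, the first download is permitted and silent, while the monitor's print, the data manager's delete and the investigator's modify are each reported with a reason.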

Security Protocols: Companies affected by HIPAA regulations should also create specific plans of action in case a data breach occurs. The plan should include how such a breach will be identified and how the necessary notifications will take place.

What have been your biggest HIPAA compliance challenges? Leave a comment below.
