Does Your Court or Agency Need HIPAA Compliance?

(Hint: The Answer is Probably YES)

1 month ago

By Kimberly Knight

HIPAA is for more than Healthcare.


Before I began researching this post, I only associated HIPAA (the Health Insurance Portability and Accountability Act) with a healthcare setting. We here at eCourtDate sometimes compare ourselves to medical offices that send patient appointment reminders, but we do not work with medical providers; we work with justice providers. So why would we offer HIPAA compliance to our customers?

To understand the answer, we first need to look at how PII is defined, what HIPAA compliance is, and what it does for a compliant web product.

PII, or Personally Identifiable Information, is defined as "information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual."

HIPAA compliance, in terms of web applications and digital tools for covered entities (providers, health plans, and clearinghouses) and their business associates, is a government-mandated security baseline: the Security Rule requires "reasonable and appropriate" administrative, physical, and technical safeguards for patients' protected health information (PHI). There is a lot more to it, but for our purposes, this is the nitty-gritty.

Because the definition covers information that can be combined with other data to identify someone, a surprisingly wide range of fields counts as PII. Further, because the HITECH Act made HIPAA's Security Rule directly enforceable against business associates, a court system, probation agency, or other justice agency that handles PHI on behalf of a covered entity could face penalties after a breach if it is not compliant. Whether a particular agency is itself a covered entity or a business associate is a legal determination that should be made with counsel; the safeguards below are the conservative baseline either way.

Justice Agencies Should Think About Being HIPAA Compliant

While the justice agencies we serve do not cater to 'patients', there are a number of reasons they may handle a client's health data, or PII more broadly. Pretrial and probation files can include drug testing results and records. DNA and blood test results can be used in criminal and family court. Medical documents from personal injury matters appear in traffic, criminal, domestic, and family cases. Courts handle medically sensitive data regularly. Not to mention that driver's license numbers, birthdays, phone numbers, SSNs, and payment information are all PII and are handled routinely by courts and other justice agencies. Strictly speaking, HIPAA's protections attach to PHI held by a covered entity or its business associates; the same drug test result sitting in a court file is still sensitive PII even where HIPAA itself does not reach it, which is why handling it to the HIPAA standard is the conservative choice. The DOE's guidance on PII lists criminal history among PII elements, and notes that PII can be considered more or less sensitive according "to the degree of harm, embarrassment, or inconvenience it will cause an individual or organization if that information is lost, compromised, or disclosed."

Additionally, there have been many cases arguing that the personally identifiable information of all parties to a court case, whether civil, criminal, or other, and especially of witnesses and victims, should be kept private, at least digitally. While certain aspects of court cases are a matter of public record in all jurisdictions, many jurisdictions are also resistant to making those public records accessible online.

I am not going to get into privacy rights vs. freedom of information rights in this post, because this can quickly become a hot issue. I may have worked in restaurants through school, but this is one kitchen this writer knows enough to stay out of. What I think everyone can agree on is that courts need to be able to protect the private data of the people in their cases from unwanted access, and to retain control over what data is disclosed, and when, how, and to whom.

So, if you are going to use any online system that houses information about court cases and the people involved in them, you need to be certain that it is secure. Under HIPAA, that obligation extends to the systems of all of your business associates as well. They all need to be secure.

This brings us right back to what HIPAA compliance is, and what it gets you as an entity that protects the PII of the public you serve.

HIPAA Demystified

We already established that HIPAA dictates the level of security protocol for dealing with identifiable health information. Title II of HIPAA, specifically, gives us the Privacy Rule and the Security Rule. The Privacy Rule establishes national standards for the protection of individually identifiable health information (PHI). The Security Rule provides standards for storing or processing PHI electronically (ePHI). The Security Rule is organized into 18 standards: 9 administrative, 4 physical, and 5 technical safeguards for protecting personal health data. In 2009 the HITECH Act extended these obligations directly to business associates and added breach notification requirements, and in 2013 the Omnibus Rule further detailed the definitions and requirements involving breach notifications, encryption, and risk analysis.

Compliance with all 18 standards of the original HIPAA Security Rule checklist, the four general requirements that HITECH made enforceable against business associates, and the Omnibus Rule involves an extensive commitment to data protection. It requires a granular level of security implementation throughout the web application itself as well as within and throughout the organization running it.

Web applications, like eCourtDate, that offer HIPAA compliance have committed to your data's security in every area of their organization and of the application itself.

eCourtDate's Commitment to Security

HIPAA does not name specific technologies, but the Security Rule's Transmission Security standard requires that ePHI be guarded against unauthorized access while it moves over a network, which in practice means an encrypted and secure messaging platform. eCourtDate is actively doing more than checking off line items on a list. We have an established ongoing commitment to security processes, encryption, and risk analysis. Security is built in as part of our DNA, so to speak. We were designed using a tenant-isolated architecture where each account has its own private infrastructure and databases with no public access. eCourtDate uses strong encryption and multi-level, granular access controls to ensure privacy. We use Cloudflare's cloud-based protection service to prevent and mitigate DDoS attacks. Perhaps the most important point for HIPAA is ensuring data is secure both in transit and at rest, and we do: TLS 1.3 is enforced for every HTTPS connection, and stored data is encrypted with AES-256. Note that the Security Rule classes encryption as an "addressable" specification rather than a strict requirement, but since the Omnibus Rule a breach of properly encrypted data is generally not a reportable breach, so in practice it is expected. More information about our security can be found on our Security page.

Summary

In closing, courts and other justice agencies should be able to choose how, when, and to whom the PII they handle, including items of public record, is released. In the digital world, however, there is inherent risk involved in keeping this information available online. While security and privacy are always a high priority, HIPAA compliance provides assurance that a defined, auditable level of protection is maintained at all times through adherence to the checklists and specific requirements laid out in the Act and its amendments.

View the Checklist and HITECH Requirements

Administrative safeguards (45 CFR §164.308)
  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Evaluation
  • Business Associate Contracts and Other Arrangements

Physical safeguards (45 CFR §164.310)
  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

Technical safeguards (45 CFR §164.312)
  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

HITECH Requirements (the Security Rule's general requirements, 45 CFR §164.306(a), which HITECH made directly enforceable against business associates)

  • 1. For all ePHI that is created, received, maintained, or transmitted, the organization must ensure the data's confidentiality, integrity, and availability.
  • 2. The organization must protect against reasonably anticipated threats or hazards to the security or integrity of that data, which means identifying foreseeable threats and putting appropriate defenses in place.
  • 3. The organization must protect against reasonably anticipated uses or disclosures of the data that the Privacy Rule does not permit.
  • 4. The organization must ensure its workforce complies with these requirements, which means training staff on the rules in general and on their own role in avoiding violations and keeping information private and secure.