This week we discuss HIPAA data. We talk about data types, retention periods, and how to choose the right hosting setup for websites hosting PHI.
WordPress Simple History Plugin for User Logs – https://wordpress.org/plugins/simple-history/
Federal HIPAA requirements – https://www.hipaajournal.com/hipaa-retention-requirements/
State HIPAA medical record requirements – https://www.healthit.gov/sites/default/files/appa7-1.pdf
Transcript:
Adam
Hello and welcome to the HIPAA Vault Show, where we discuss all things HIPA compliance and WordPress. My name is Adam Zeineddine, your co host. And I’m joined today by CTO and founder of HIPAA Vault, Gil Vidals. I’m also joined by the compliance manager at HIPAA Vault, Henri Alfonso. So last week we talked about developing HIPAA compliant websites.
This week we’re going to talk a little bit more about websites, but in specific, a topic that often gets overlooked data retention. So we talk a lot about data encryption, data in transit, but data retention often gets glossed over. So what’s the distinction to be made between HIPAA medical records and HIPAA Records?
Henri
A HIPAA record is basically any document, file or material that contain Phi that is used or transmitted by covered energy in a business agreement, or who is subject to HIPAA regulations, billing records, insurance claims, treatment plans. Medical records, like you said, is Phi or HIPAA data for the client that is used for a doctor’s office, a hospital clinic. HIPAA medical records are progress notes, treatment summaries, medical bills, laboratory test results. Those are HIPAA medical records that contain medical and health information of individual. So for HIPAA medical record, like mental health records that contain information about individuals, mental health, diagnosis, treatment. Example of a HIPAA record will be human resource records of employees who work for a covered entity or a business associate has access to Phi, background checks, training records, disciplinary records, et cetera.
Adam
Okay, and where would logs fall into this? Would they be in the HIPAA medical record category or the more broad HIPAA, it’ll be HIPAA.
Gil
More broad. Yeah, more broad. And the way we would know that, Adam, is the general principle we’re following is if the logs had or the question is, do the logs contain the patient’s name and something to do with his medical record? If the answer is no, then it’s the other category, the six year category.
Adam
Okay. And when it comes to logs, what kind of logs need to be maintained?
Henri
For WordPress sites, I believe like number one would be access logs. Who’s accessing what? Who has access to what? Usually best practice starts from least privilege. You don’t want to give everyone access to everything. You should have a limited set of people who can access things that can manage or maintain the website. But I believe access should be number one on the list because from access you can branch out to okay, how do we limit the access? Do we implement two factor authentication? Do we lock it down by region? Only these people from this part of the world can access. So there’s a whole bunch of security configurations you can do just by starting off with access.
Gil
Yeah, maybe a second category to go with what would be like an audit trail of who updated the website, who went in there and added data to the website, either to the database or updated a page you want to know who’s touching, especially the database, right? You want to know who was in there last. Now what Henri said is access log, right? Somebody accessed the WordPress backend, but even further than that, who logged into the database itself and maybe added some data or removed data? Maybe they deleted data. You want to know, well, who did that? Why did they do it? At what time they do it, who did it, what time and what did they delete?
Adam
Makes sense with WordPress as a plugin for everything. So what kind of plugins available in the WordPress market for user logs?
Gil
One that we’ve talked about in the past is simple history, I think.
Henri
Keeps track of everything, comments, widgets, plugins, who updated their profile, who removed users. It’s rated pretty good. 333, five stars, 200,000 installations. So it’s pretty up there.
Adam
Any other considerations when it comes to data retention and HIPAA logs?
Gil
I do have a few comments on the cost to do all of this because you’re talking about keeping logs for many years and so even a smaller site that doesn’t have a ton of activity, after years and years, it can add up and then they have to pay for that. Right. None of the storage is going to be free. So you want to be able to be conscientious of what kind of storage. There’s cold storage, warm storage, and hot storage and hopefully whatever provider you’re with is HIPA compliant. The cloud service provider will be conscientious of that and will be using the best storage that matches the need so that you’re not really overpaying. If they put everything in hot storage and most expensive, I mean, they’re meeting the HIPAA requirement, that’s good.
Gil
But you’re also paying a hefty bill, so you’re going to want to ask about that. Hey, where do you put my logs? Where do you put my data? I’d like to know what kind of storage you use. I want to keep my cost down.
Adam
Makes sense. Logs being cold storage, because they’re not necessarily something that a user of the website is going to need to pull very fast. It’s more of an audit thing, right?
Gil
Exactly. If you get audited and they ask you for records, oh, let’s see, a record from four years ago, you can go into cold storage and pull it out. Now there will be a cost associated with that’s not free. Whenever you tap into cold storage, the providers always have some kind of a fee attached to that retrieval. But that’s okay, you need it then, so you have to pay for it. But the idea is that most of the time, 98% of the time you don’t need it. So it’s just left in cold storage. That’s what cold means. It’s not being touched, it’s not being moved, and therefore the price is very low. As soon as you go in and start touching it and reviewing it now you have costs, associated transactional costs. So that’s important to be aware of.
Gil
Now, for WordPress sites, this is not a huge consideration, but there are some WordPress sites that can be quite popular and very active, and then it would be. But some of the customers that we manage have very large portals with tons of users, maybe 100,000 users, and they’re uploading medical PDFs and lots of records, and they have a ton of transactions, so that would grow very rapidly within months. They’d have many terabytes of data. So that would be an architecture designed from the beginning where you want to really carefully think about it. It can’t really happen after the fact. Once all the code is written, everything’s in place, it’s very hard to reroute the traffic. You need to do this from the beginning and consider what documents go where, what kind of storage. Or they go into one bucket of storage.
Gil
After a month, they can go to another bucket, and then finally they can go to the cold bucket where it’s the cheapest. So the data can be migrated from one more expensive bucket to a medium expensive bucket. So there’s finally the cheapest one. And that’s not a bad design. That could work pretty well depending on the needs.
Henri
And just make sure when transporting or storing, proper precautions are followed. Encryption. Who has access to that cold storage? Are there logs in place? You don’t want anyone just being able to access that cold storage or that hard drive you threw in the closet somewhere, making sure at least those procedures are in place as well.
Adam
If you have any questions, feel free to reach out to us at podcast@hipaavault.com, or you can also reach us through Twitter at @hipaahosting. Thanks for stopping by!