HIPAA is a vast piece of legislation that was created to set the standards for privacy of individually identifiable health information. The Health Insurance Portability and Accountability Act was passed in 1996, and it has since been extended by the Genetic Information Nondiscrimination Act (GINA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). For simplicity, these are generally referred to together as HIPAA compliance. HIPAA includes many rules and policies that do not relate to IT or electronic medical records, but I am going to focus on the technology and the electronic transfer of information.
HIPAA compliance can be confusing because there are many grey areas, especially in technology. Below is a short list of the minimum security controls every healthcare business needs, from the small practice to the large hospital.
- Firewall – Your network must be protected from the public internet by a firewall that does deep packet inspection and intrusion prevention. HIPAA itself does not name a product or feature set, but in practice this means that your internet service router or home office firewall is NOT sufficient. You need a business class firewall, and it will most likely carry an annual maintenance contract to keep it up to date and secure.
- Desktop / laptop security – Most people today have A/V on their computers, but many providers are moving to an endpoint security model instead of just protecting from viruses. Endpoint security is crucial to the protection of your data. It is a best practice to have a solution that protects you from multiple threats and is centrally managed, so you can look at a single screen to see the health of all of your computers. This matters because your employees may not tell you they infected a computer, or may not even know.
- Backups – HIPAA requires secure backups and a recovery plan. You must be able to create and restore exact copies of patient data even after a fire or natural disaster. This means you need a detailed backup plan, and you need to test your backups to make sure they are restorable; a backup you have never restored is an untested backup. To read more, see https://futurelinkit.com/strong-password-best-practices/ .
- Encrypted Data – Any data that leaves your primary facility MUST be encrypted under HIPAA. But what does that mean? Do you have laptops that leave your facility with patient-specific information on them? They MUST be encrypted; a lost unencrypted laptop is a reportable breach, while a lost laptop encrypted to the HHS standard is not. Read more https://futurelinkit.com/new-hipaa-rules-12-things-you-need-to-know/. Another common problem is backups: if you are taking backups offsite to protect your data in case of fire or natural disaster, be aware that most tape and external backup drives are not encrypted. Secure and Automated may be a solution for you; however, many of the national brands of offsite backup do not meet the retention requirements in HIPAA. If you are not sure, Future Link IT offers a HIPAA backup review.
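The backup item above says to test that backups are restorable. As an added example (not code from this post or from Future Link IT), here is a Python script that does exactly that: it records a SHA-256 manifest of a folder at backup time, writes the archive, restores it into a scratch directory and compares every file back against the manifest. The sample records are constructed stand-ins, not real patient data; the `skip_suffix` switch is a hypothetical knob used only to simulate a backup job that silently skipped a file. Encrypting the archive before it goes offsite is a separate step that this script does not cover.

```python
"""Backup restore test: archive a folder, then prove the archive restores
byte-for-byte. Sample data below is constructed; it contains no real PHI."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path, skip_suffix: str = None) -> dict:
    """Write a gzip tarball of src and return the manifest taken at backup time.
    skip_suffix is a hypothetical switch that makes the job drop matching
    files, so the demo can show what a silently incomplete backup looks like."""
    manifest = build_manifest(src)

    def keep(info):
        if skip_suffix and info.name.endswith(skip_suffix):
            return None  # returning None tells tarfile to omit the member
        return info

    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(src.iterdir()):
            tar.add(child, arcname=child.name, filter=keep)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore archive into a fresh temp dir and return a list of problems.
    Empty list means every manifest file came back intact and nothing extra
    appeared. The restore target is always a scratch dir, never production."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        restore_root = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Python 3.12+ (and 3.11.4+): refuse members that escape the target dir
                tar.extractall(restore_root, filter="data")
            except TypeError:
                tar.extractall(restore_root)
        restored = build_manifest(restore_root)
        for rel, digest in sorted(manifest.items()):
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"checksum mismatch: {rel}")
        for rel in sorted(restored):
            if rel not in manifest:
                problems.append(f"unexpected file: {rel}")
    return problems


def run_demo() -> tuple:
    """Build constructed sample records, back them up, and verify both a good
    backup and one where the job silently skipped a chart."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "records"
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "patient-0001.txt").write_text("sample chart, not real PHI\n")
        (src / "charts" / "patient-0002.txt").write_text("another sample chart\n")
        (src / "schedule.csv").write_text("date,room\n2013-05-01,2\n")

        good = Path(work) / "good.tgz"
        manifest = make_backup(src, good)
        good_problems = verify_restore(good, manifest)

        bad = Path(work) / "bad.tgz"
        make_backup(src, bad, skip_suffix="patient-0002.txt")
        bad_problems = verify_restore(bad, manifest)
    return good_problems, bad_problems


if __name__ == "__main__":
    ok, broken = run_demo()
    print("good backup problems:", ok)
    print("bad backup problems:", broken)
```

Run it on a schedule against your real backup set (restoring into scratch space, never over live data) and page someone when the returned list is not empty; the point is that a backup counts only once a restore of it has been checked against what was supposed to be in it.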
What is NEW in HIPAA in 2013?
As you have probably seen on TV or heard on the radio, many of the breaches of personal data come not from the health care provider but from the service providers they use, including billing services, insurance companies, accounting firms, etc. Simply put, anyone who has access to patient information of any kind, on paper or electronically, must also comply with the HIPAA standards.
In order to protect yourself in the case of a loss or complaint, you should have on file a written and signed Business Associate Contract. This agreement notifies your vendor that you expect them to maintain the same level of patient record security that you have worked so hard for. For more information on Business Associates or a sample agreement, see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
How does this affect IT?
Do you have a Business Associate Contract with your IT provider? They have access to all of your patient records and backups. Do you use any hosted services like hosted email or offsite backups? Do you have a Business Associate Contract with any of those services, and do they meet the standards? Will they sign a Business Associate Contract?
For a limited time I am offering a FREE initial HIPAA assessment and review to doctors' offices, medical facilities or Business Associates with under 30 employees. For more information call Chris Higgins at 224-523-8063.
For more information on HIPAA in general.
Future Link IT Sales and Project Manager