HIPAA was developed to protect the private healthcare information of patients in the healthcare system. It covers all types of info related to a patient’s diagnosis and treatment, in any form– written, verbal, or electronic. The Security Rule provides a framework for protecting electronic Protected Health Information (ePHI.)
As technology continues to evolve, patients’ health records have been slowly moving to digital format, and electronic health records (EHRs). Covered entities and their business associates must ensure that they have strong IT security measures in place to keep patients’ confidential data secure in all formats. HIPAA is a large part of that effort.
If you want to achieve HIPAA Compliance, assume that everything in the Security Rule is required. You should set a very high bar if you decide not to implement an Addressable item. If you believe that an Addressable specification is not reasonable or appropriate, you must document your decision and hope it stands up to a HIPAA audit or data breach investigation.
For those who don’t understand the terms used in HIPAA, it’s important to contact an IT Managed Services provider like Veltec Networks to help you evaluate your IT infrastructure. When it comes to surviving a HIPAA audit or data breach investigation, you need an IT professional.
Like the specialists doctors refer patients to, and the tests that they order to see what is happening under a patient’s skin, your technology must be evaluated by someone with the proper skills and experience. With so much at stake, you can’t afford to take chances. An IT professional will look deep into your network to identify its strengths and weaknesses.
Are You Using Business-Class Software & Operating Systems?
When you turn on a computer, the first thing you encounter is the operating system, usually Windows or Macintosh. What you may not know is that there are different versions, some with little or no security built in to save costs and keep prices low.
Consumer versions of Windows and Macintosh do not protect the files stored on the device and do not allow you to securely connect to a network. You need to have a business-class version of the operating system and make sure it is properly set up to protect stored data and to securely join a network.
This means you should not be buying computers for your network from retail stores that offer low-cost consumer products. Purchase professional models with business-class security installed.
Are You Using Business-Class Email & Text Messaging?
Webmail services like G-mail, Hotmail, Yahoo!, and those provided by your Internet Service Provider (ISP) are not secure enough to send Protected Health Information (PHI.) These services don’t provide end-to-end e-mail security, and the vendors will not sign Business Associate Agreements.
For HIPAA compliance you need to use a secure email solution provided by a secure server you own; a secure Cloud email or encryption service from a vendor that will sign a Business Associate Agreement; or by using the secure communications tools included in your certified Electronic Health Record (EHR) system.
Faxes are okay between practices and pharmacies unless your system converts the fax into an e-mail, which cannot be sent to a webmail account. Texting patient information is also forbidden.
Are You Sure Your Network Is Secure?
There are two ways to set up a Windows network, a Workgroup or a Domain. A peer-to-peer Workgroup is a loosely connected group of workstations. A Domain is centrally managed and includes security features.
You cannot be compliant with many HIPAA requirements like Information System Activity Review, Unique User Identification, Audit Controls and Person or Entity Authentication in a Workgroup. You need a Domain.
You may need to purchase a server, convert your existing server into a Domain Controller, or create a secure network in the Cloud. A Workgroup is a deal-breaker if you have any protected data anywhere other than your certified EHR system unless you have another way to log access and retain logs for six years. Keep in mind all the old files you must retain.
Are Your Files & Data Encrypted?
While encryption is Addressable for HIPAA compliance, if you don’t have it and a device containing health information is lost or stolen, you must notify patients and report the loss to the federal government for an investigation.
If a lost or stolen device is encrypted, you don’t have to notify patients or the government. You can purchase encryption for almost every type of computer. You can even purchase laptops that automatically self-encrypt when you turn them off or close the lid.
- In 2012 a state health department had to pay a $1.7 million penalty for a lost unencrypted hard drive.
- A hospital had to pay a $ 1.5 million fine for a lost unencrypted laptop.
- In 2014 a health care provider paid $ 1.725 million for losing an unencrypted laptop.
Encryption costs a lot less than patient notification and fines.
Are You Enforcing Password Security and Automatic Logoff?
HIPAA compliance requires audit trails to identify which users accessed patient records. For this reason, individual users must log on and off by themselves, and not allow sharing of passwords or piggy-backing multiple users during a single session.
Automatic logoff is Addressable, but the alternative choices are expensive and very inconvenient. While you don’t have to use Automatic Logoff, the alternative is to NEVER (ever) allow a patient in the room with an unlocked computer.
There are ways to make logging back on more convenient, like fingerprint readers and proximity cards. Accept the fact that you need to have each user login and out, and that automatic logoff must be used. Like airport security and searches on the way into ball games and concerts, security is a new way of life.
Are You Using A Business-Grade Firewall?
Your network is connected to the Internet by a router or a firewall. A router directs traffic between two networks — your internal network and the Internet.
A firewall does the same but includes security features to block unauthorized traffic to achieve HIPAA compliance. A firewall can also filter internet traffic to prevent viruses and other malware from reaching your computers (another HIPAA compliance requirement.)
You need a business-grade firewall including the additional subscription-based features to properly protect your network. In 2013, a $ 400,000 fine was paid when a firewall stopped blocking unauthorized traffic, and 17,500 patient records were breached.
Why Do You Need Managed IT Services?
HIPAA compliance requires either full-time certified staff or a Managed Services arrangement with a professional IT service provider.
Managed Service Providers (MSPs) like Veltec offer remote services that continually monitor and maintain your network at a fraction of the cost of a full-time IT staff.
Networks that meet HIPAA compliance must be configured with security at multiple levels (firewall, PC’s, laptops, tablets, smartphones, and servers.) Then they must be monitored and managed to ensure that security is still working.
IT Managed Service Providers like Veltec use remote monitoring and management tools to continually monitor your network, identify problems before they can result in damage, and keep everything updated with security patches.
A Managed Services Provider like Veltec Networks can make HIPAA compliance easier and take the stress out of the equation. Don’t wait till you get audited. Contact the team at Veltec to learn about our Compliance and Managed IT Services for your healthcare business in or near San Jose, CA.