To achieve HIPAA compliance, you must comply with everything in the Security Rule, including the way you handle electronic health information. The HIPAA Security Rule offers a framework for protecting ePHI (electronic Protected Health Information). HIPAA regulations mandate that patient identifiers in written, verbal, or electronic form be protected. Does your healthcare organization in Utah comply?
The rule was written to be flexible so that it applies to healthcare organizations of all kinds and sizes. Its implementation specifications fall under two categories: Required and Addressable. The Addressable category is sometimes mistaken for optional. It’s not.
The US Department of Health & Human Services says:
“a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”
You should set a high bar before deciding not to implement an Addressable item, and if you do decide against it, you must document that decision for HIPAA. There are also many other information technology considerations. If you’re not careful, you could still be found non-compliant during a data breach investigation or HIPAA audit. You can’t take this chance.
Just like referring patients to specialists for evaluations to ensure their health, you should refer your IT network to a specialized and qualified Managed Service Provider who understands HIPAA compliance requirements for data storage and transfer.
If you don’t understand all the terms and regulations in the HIPAA Security Rule, or how they apply to electronic Protected Health Information, it’s advised that you contact a qualified IT service company. They are best suited to evaluate your processes and procedures to determine if your network is HIPAA compliant. Relying on an IT professional who understands what HHS is looking for could mean the difference between passing a HIPAA audit and ending up on the HHS Wall of Shame.
Set Up Business-Class Software & Operating Systems
In case you didn’t know, you shouldn’t be relying on consumer versions of Windows and Apple. Many don’t have the security built in that you need. The manufacturers do this to keep prices low.
Don’t buy computers for your healthcare business from retail stores that offer low-cost consumer products. To promote HIPAA compliance, ask your IT service company to provide computers and operating systems with the business-class security that you need. And ask them to set them up for you. Not only will you have the peace of mind that you’re doing everything that you can to protect ePHI, but your IT provider can usually get better prices on business-grade hardware and software than you can.
If you use consumer-based IT solutions, your files might not be secure. Nor will these products connect securely to your network. It’s essential that you use enterprise-based versions of operating systems. You must ensure that they are set up properly to protect your ePHI and are securely joined to your network.
Ensure That You Use Business-Class Email & Text Messaging
If you’re using webmail services like Gmail, Hotmail, Yahoo!, or those provided by your Internet Service Provider (ISP), you could be in breach of HIPAA regulations. These solutions aren’t secure enough for sending ePHI. That’s because they don’t provide end-to-end email security. Nor will they sign the Business Associate Agreements (BAA) that you require.
To ensure you comply with HIPAA regulations, you need to use either a:
Faxes are acceptable between practices and pharmacies, unless your system converts the fax into an email; faxes should never be sent to a webmail account. Texting over a cellphone carrier’s system isn’t secure or HIPAA compliant. Neither you nor your staff should ever text ePHI or other patient information, and be sure that the answering service you use doesn’t send texts containing patient information.
Keep Your Network Secure & HIPAA Compliant
When setting up a Windows network, two different strategies are considered:
Can you guess which one you should use? Yes, the Domain-based network. It is required to comply with HIPAA requirements such as Unique User Identification, Person or Entity Authentication, System Activity Review, and Audit Controls, which a Workgroup cannot satisfy.
Your Managed IT Service Provider will provide a secure server or convert your existing one into a Domain Controller. They can also connect you to a secure IT system in the Cloud. Never use a Workgroup setup if you store or transmit ePHI outside your certified EHR system. And remember, you must log everything and retain these logs for 6 years. Your IT professional can ensure you do this as well.
Make Sure That Your Files & Data Are Encrypted
Although encryption falls under the Addressable category of HIPAA, if a laptop is lost or stolen you’ll be in noncompliance unless the data and device are encrypted. In that scenario, you are mandated to report the loss to the federal government for investigation and to contact every patient whose data was stored on the device.
If the device and data are encrypted when they’re lost, you won’t have to report this to the authorities or your patients. Your IT provider can deploy Mobile Device Monitoring to wipe the data from a lost machine, and they can direct you to laptops that automatically self-encrypt when you turn them off or close the lid.
It costs a lot less to encrypt a machine and data than it does to pay fines and penalties.
Ensure That You Enforce Password Security & Automatic Logoff
HIPAA regulations require audit trails that identify which users are accessing, and have accessed, patient health records. This means you must enforce security controls such as requiring users to log on and off themselves, prohibiting the sharing of passwords, and preventing piggybacking (where multiple employees use a computer during a single session).
Automatic Logoff is also in the Addressable category under HIPAA, but the alternatives are expensive and very inconvenient. If you choose not to implement it, you must NEVER leave a computer unlocked when a patient is in the room: the doctor or staff member must be present at all times while a computer is unlocked and a patient is present. Wouldn’t it just be easier to have your IT provider set up Automatic Logoff?
If Automatic Logoff seems too annoying, remember that there are convenient ways to log back on. Your Managed IT Provider can help with this by making sure the computers you use have fingerprint readers or proximity cards.
Set Up A Business-Grade Firewall
To access the Internet, you need a router or firewall. Both direct traffic between two networks: your internal network and the Internet. A firewall also comes with security features, but that doesn’t mean you should run out and purchase just any firewall.
A business-grade firewall can block unauthorized access. It will also filter the traffic from the Internet to prevent viruses and malware from getting into your computers. This is required for HIPAA compliance.
A Managed IT Service provider can set this up properly. They can also employ Remote Management and Monitoring, which provides continual monitoring and maintenance of your network for security and reliability and applies updates and patches.
Why do you need a business-grade firewall, including the additional subscription-based features, to properly protect your network? In 2013, a $400,000 fine was paid after a firewall stopped blocking unauthorized traffic and 17,500 patient records were breached. An enterprise-grade firewall costs a lot less than a fine plus the cost of notifying your patients about a breach.
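The controls described in the sections above (a domain-joined machine rather than a Workgroup, an encrypted drive, an automatic lock after inactivity, logon auditing for the audit trail, and an enabled host firewall) can be verified on a single Windows workstation before an audit. The following PowerShell script is an added example written for this article; it is not Nexus IT’s code and does not come from the original post. It only reports findings and changes nothing. It assumes an elevated session on Windows 10/11 Pro/Enterprise or Windows Server with the BitLocker and NetSecurity modules available, English-language auditpol output, and a 15-minute (900-second) inactivity ceiling, which is our own assumed threshold rather than a figure from HIPAA.

```powershell
# Added example (not Nexus IT's code): read-only HIPAA posture check for one Windows workstation.
# Run from an elevated PowerShell session. Nothing is modified; findings are printed at the end.
# Assumptions: BitLocker and NetSecurity modules present; English auditpol output; 900 s idle ceiling.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Domain-joined, not a Workgroup (supports Unique User Identification and Person or Entity Authentication)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $findings.Add("Machine is in Workgroup '$($cs.Workgroup)' and not joined to a domain")
}

# 2. System drive fully encrypted with BitLocker protection turned on
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.ProtectionStatus -ne 'On' -or $osVol.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add("System drive BitLocker: volume $($osVol.VolumeStatus), protection $($osVol.ProtectionStatus)")
}

# 3. Automatic lock: 'Interactive logon: Machine inactivity limit' stored as InactivityTimeoutSecs.
#    0 or missing means the limit is not enforced; $maxIdle is our assumed ceiling, not a HIPAA number.
$maxIdle = 900
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polPath -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
if (-not $pol -or $pol.InactivityTimeoutSecs -eq 0 -or $pol.InactivityTimeoutSecs -gt $maxIdle) {
    $findings.Add("InactivityTimeoutSecs is '$($pol.InactivityTimeoutSecs)'; expected a value between 1 and $maxIdle")
}

# 4. Audit Controls: the 'Logon' subcategory must record successes so the audit trail shows who logged on
$logonLine = (auditpol /get /subcategory:"Logon" 2>$null) |
    Where-Object { $_ -match '^\s*Logon\s' } |
    Select-Object -First 1
if (-not $logonLine -or $logonLine -notmatch 'Success') {
    $findings.Add("Logon auditing is not recording successful logons; the audit trail would be incomplete")
}

# 5. Host firewall enabled on every profile (Domain, Private, Public)
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Windows Firewall profile '$($_.Name)' is disabled")
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: no findings on $env:COMPUTERNAME"
} else {
    Write-Output "FINDINGS on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Each finding corresponds to one of the controls discussed above, so a clean run gives you a quick, documented sanity check to hand to your IT provider; a non-empty list tells you which control to have them fix. The script checks the local machine only; in a domain, the same settings are better enforced centrally through Group Policy, and the check then confirms that the policy actually reached the workstation.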
To be HIPAA compliant today requires healthcare organizations to either employ a full-time certified IT staff or arrange for service from a qualified Managed IT Service provider with HIPAA expertise.
Managed Service Providers like Nexus IT offer everything we discussed and more for a fraction of the cost of employing a full-time IT staff (or the cost of fines, penalties and notifying patients about a data breach!).
When the $400,000 penalty was assessed for the firewall that stopped blocking unauthorized traffic, the HIPAA enforcers noted that the problem had been going on for over 10 months. A properly implemented network with everything we discussed above would have prevented this and alerted the Managed IT Service provider that there was a problem.
Nexus IT specializes in providing HIPAA-compliant IT services and solutions to healthcare companies in Northern Utah. Plus we provide a signed Business Associate Agreement which is also mandatory for HIPAA compliance.
Don’t wait until you get audited. By then it will be too late. Contact the team at Nexus IT to learn about our Compliance and Managed IT Services for your healthcare business in Park City, Provo or Salt Lake City, Utah.
In the meantime, stay up to date on what’s happening in the world of Business IT. Visit our Blog where we publish new articles all the time.