BY JOSHUA S. KOONS
Are you HIPAA compliant? Do you need to
be? Not sure? HIPAA security rules apply to all
health plans, healthcare clearinghouses, and to
any healthcare provider who transmits protected
health information (PHI) in electronic form, or
electronic protected health information (ePHI).
As the healthcare industry makes every effort
to stay current with technology, more regulations
are put in place to protect our personal data. With
the passing of HITECH Act in 2009, the Office of
Civil Rights (OCR) is enforcing more HIPAA regulations
and handing out stiffer penalties than they
ever have before. In 2014, the OCR delivered over
$8 million in penalties to healthcare providers for
non-compliant use and storage of personal date.
The question is: How do you ensure that you
are staying compliant?
The best practice that we can recommend
is to work with a qualified IT firm with a focus
on cyber security. Today, your network not only
needs to be reliable, fast, resilient and secure
but, it also needs to be compliant. Work with a
company that has the tools to ensure your office
stays in compliance so that when you receive
notice from the OCR that your audit is coming,
you can rest easy.
In addition, be sure that you have A Business
Associate Agreements in place with all vendors
that have access to PHI. This ensures that all
vendors you working with are adhering to all
HIPAA regulations. Lastly, having a third party
security audit will not only show where you are
not compliant but, it will also show your proactive
approach to staying in complaints.
For some environments, this would be an ongoing
monitoring of the environment, also known as
managed security. For others, a security assessment
may be needed on a quarterly, semi-annual,
or annual basis depending upon the size and
complexity of the environment. Security assessments
are of great value but, at a very minimum
the OCR recommends a few areas to focus on.
The OCR has listed the most common errors
identified among data breaches in a reports filed
historically:
1. Risk analysis and management.
Do you have a plan that identifies all potential
risks for compromising electronic or printed
PHI? When was the last time you reviewed it to
ensure your policies and procedures address all
the technology used by staff, from photocopiers
to smart phones? Do you know how often PHI is
transmitted outside of the practice on a typical
day, and where it goes?
2. Security evaluation.
Not taking proper precautions to safeguard
PHI when moving to a new office, installing or
upgrading equipment or software, can put protected
data at risk. A security evaluation can help
identify problems before they occur.
3. Security and control of portable devices.
Lost or stolen laptops, storage devices like
memory sticks, and tablets containing unencrypted
data, are the single most frequent cause
of data breaches.
4. Proper disposal of data.
What happens with the patient data that no
longer needs to be stored on a device? Your process
for cleaning, purging and testing hard drives
before they are recycled or transferred to a third
party should be well documented.
5. Access control.
Take a walk through your office to see how
many work stations stay on all day, even when
unattended. If you can see the screen, PHI on
that computer may be visible to others.
6. Training.
Train new employees right away on policies
and procedures for appropriate and improper
uses of PHI, and the consequences of violating
them for the organization and the individual.
In the electronic age that we live in, businesses
are relying more and more on their data to be
electronic. The protection of that data and the
security of your network is critical to businesses
practices today.
Koons is director of business development with
Adirondack Technical Solutions.
Photo Courtesy Adirondack Technical Solutions