Medical practices are tasked with the responsibility of protecting patient privacy and information. To properly do this, they must be HIPAA compliant. HIPAA sets the standard for this compliance by defining requirements companies must follow. Some of the requirements include:
- Policies and Procedures
- Network Security
- Physical Access to Data
Our IT specialists can help put together a comprehensive plan that will walk medical practices through becoming compliant. This includes creating policies and procedures, identifying gaps in your current technical environment, performing annual reassessments to ensure you remain compliant, and providing a portal to hold all HIPAA regulation information.
Ensure data is encrypted whenever possible. This includes data at rest on laptops, servers, backup devices, and anywhere else data may be stored.
- Desktops - ensure BitLocker is turned on and the drive is fully encrypted
- Servers - ensure BitLocker is turned on and the drive is fully encrypted
- Backup Solutions - ensure that both onsite and offsite backup data is encrypted
- Applications - ensure all communication runs over secure, encrypted connections
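The desktop and server checks above can be audited rather than assumed. The following is an added example, not code from this page or from Kansas City Managed IT, that reports the BitLocker state of each volume and flags two distinct failure modes: a volume that is not encrypted at all, and a volume that is encrypted but whose protection is suspended (the key is stored in the clear until protectors are re-enabled). The function name, the sample volumes, and the "compliant" rule (FullyEncrypted and ProtectionStatus On) are assumptions for this example; Get-BitLockerVolume and its VolumeStatus / ProtectionStatus properties are the real cmdlet and properties from the Windows BitLocker module.

```powershell
# Added example (not the page's own tooling): report BitLocker state per volume.
# Requires the BitLocker PowerShell module and an elevated session when run live.
function Get-EncryptionAuditReport {
    [CmdletBinding()]
    param(
        # Optional constructed input for offline testing; omit to query the live system.
        [object[]] $Volumes
    )

    if (-not $Volumes) {
        # Real cmdlet: one object per volume with VolumeStatus and ProtectionStatus.
        $Volumes = Get-BitLockerVolume
    }

    foreach ($v in $Volumes) {
        $encrypted = ($v.VolumeStatus -eq 'FullyEncrypted')
        $protected = ($v.ProtectionStatus -eq 'On')
        $compliant = $encrypted -and $protected

        if ($compliant) {
            $finding = 'OK'
        } elseif (-not $encrypted) {
            $finding = "Volume is not fully encrypted (status: $($v.VolumeStatus))"
        } else {
            $finding = 'Encrypted but protection is suspended; key is exposed until protectors are resumed'
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            Compliant        = $compliant
            Finding          = $finding
        }
    }
}

# Constructed sample volumes (not real machines) showing the three outcomes.
$sampleVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'  }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off' }
)
Get-EncryptionAuditReport -Volumes $sampleVolumes | Format-Table -AutoSize

# Live use on the local machine:
# Get-EncryptionAuditReport | Where-Object { -not $_.Compliant }
```

Because the function takes no machine-specific state, it can be pushed to many desktops or servers at once with Invoke-Command (for example, `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-EncryptionAuditReport}`), and the non-compliant rows become the remediation list for the annual reassessment.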
Policies and Procedures
Policies and procedures must be created and used to identify who is responsible for certain aspects of HIPAA compliance.
- Policies identify how the company deals with various aspects required by HIPAA.
- Example: Policy for access to ePHI data.
- Procedures are how those policies are enforced.
- Example: Procedure for securing ePHI data. This would describe how the data is secured, how access to it is limited, and the safeguards that keep it secure.
Another example of a policy and its procedures would be a policy for termination of employees and the procedures which enforce it, so that terminated employees' access is quickly removed.
Network Security includes monitoring and logging, creating Group Policy, and restricting access to ePHI data by implementing security permissions.
- Monitoring and logging: logging of users trying to authenticate against computer systems, and alerts that trigger whenever there are failed attempts or a high rate of unsuccessful logins.
- Group Policy: when Active Directory is implemented, it can be used to restrict what can be installed on a computer, enforce screensaver settings, control user access, and limit which devices can be plugged into the computer.
- Restricting Access: can be accomplished by setting up network shares and applying permissions to them based on least-privilege access (meaning you have access only to what you need to accomplish your job).
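The monitoring-and-logging bullet above describes the alert but not the logic behind it. The following is an added example, not code from this page or from Kansas City Managed IT, that reads failed-logon events (Windows Security log, Event ID 4625), flattens them from the event's own XML so it does not depend on property positions, and raises one alert per user-and-source pair that exceeds a threshold of failures inside a time window. The function names, the threshold of 5 failures in 10 minutes, and the sample events are assumptions chosen for this example; Get-WinEvent, Event ID 4625, and the TargetUserName / IpAddress / Status fields are real.

```powershell
# Added example (not the page's own tooling): detect bursts of failed logons.
# Reading the Security log requires Administrators or Event Log Readers membership.

# Flatten a 4625 event from Get-WinEvent into a record with named fields taken
# from the event XML (more robust than indexing $_.Properties by position).
function ConvertFrom-FailedLogonEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $data = @{}
        ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time     = $Event.TimeCreated
            User     = $data['TargetUserName']
            Domain   = $data['TargetDomainName']
            SourceIp = $data['IpAddress']
            Status   = $data['Status']      # 0xC000006D = bad user name or password
        }
    }
}

# Return one alert for each (User, SourceIp) pair with at least $Threshold
# failures inside any $WindowMinutes-long window. Thresholds are assumptions;
# tune them to the practice's normal failure rate.
function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,
        [int] $Threshold = 5,
        [int] $WindowMinutes = 10
    )
    $Failures | Group-Object User, SourceIp | ForEach-Object {
        $group = $_
        $times = @($group.Group.Time | Sort-Object)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $start = $times[$i]
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($times | Where-Object { $_ -ge $start -and $_ -lt $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    User        = $group.Group[0].User
                    SourceIp    = $group.Group[0].SourceIp
                    Failures    = $inWindow.Count
                    WindowStart = $start
                }
                break   # one alert per pair; a SIEM can de-duplicate further
            }
        }
    }
}

# Constructed sample (not real log data): six failures for jdoe from one address
# within four minutes (should alert) and two scattered failures for asmith (should not).
$base = [datetime]'2024-01-15T08:00:00'
$sampleFailures = @(
    0..5 | ForEach-Object { [pscustomobject]@{ Time = $base.AddSeconds(40 * $_); User = 'jdoe'; SourceIp = '10.0.0.25' } }
    [pscustomobject]@{ Time = $base.AddMinutes(30); User = 'asmith'; SourceIp = '10.0.0.40' }
    [pscustomobject]@{ Time = $base.AddHours(2);    User = 'asmith'; SourceIp = '10.0.0.40' }
)
Find-FailedLogonBursts -Failures $sampleFailures | Format-Table -AutoSize
# Expected: a single row for jdoe / 10.0.0.25 with Failures = 6; no row for asmith.

# Live use, last 24 hours from the local Security log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-FailedLogonEvent | Find-FailedLogonBursts
```

Grouping by both user and source address matters for the two cases the page lists: a single user with many failures (a forgotten password, or someone guessing it) and a single source failing against many accounts (a high overall rate). The same records can also be grouped by SourceIp alone to catch the second pattern when each individual account stays under the threshold.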
Physical Access to Data
- Involves making sure files are kept in a secure, locked place where they cannot be viewed, that desktop screens cannot be seen by unauthorized individuals, and that who is coming on and off the premises is tracked.
- Desktops need to be locked when the user isn't at their desk
- Access to printed files or paper versions of PHI must be kept locked up
- Sign-in sheet to identify all visitors
- Screen shading so visitors can't see screen information
Kansas City Managed IT can also provide the onsite tools needed to enforce compliance. As you are going through the process, we can help provide the tools needed to develop a plan that demonstrates good-faith efforts to become compliant. Lastly, we help you obtain a HIPAA Seal of Compliance Verification. This is the industry standard for medical practices to demonstrate compliance; there is no officially regulated HIPAA compliance certification.
A lack of compliance, or of demonstrated good-faith efforts, could lead to significant fines.
HIPAA (Health Insurance Portability and Accountability Act of 1996) - An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.