Is Your Medical Practice Following These HIPAA Security Guidelines?
Recently, the Memorial Healthcare System had to pay out $5.5 million to the U.S. Department of Health and Human Services over violations in their HIPAA practice and procedures.
Can you be sure that your medical practice is on point when it comes to your HIPAA security and compliance?
Without a consistent effort to maintain knowledge of the HIPAA security and legislation procedures, it’s difficult to know exactly how your company stands.
Good intentions only go so far, ensuring compliance takes time, expertise, and specialist knowledge. Why risk a breach in such an important aspect of your business?
We’ve brought together a list of a few common mistakes or procedures that you should be thinking about.
The Health Insurance Portability and Accountability Act is designed to protect EHRs (Electronic Health Records) that are so familiar now.
Medical practices are being encouraged to adopt these new technologies; medical health records, online patient booking, web appointments and patient prescriptions are now being incorporated.
But securing the data and patient information is a key concern that needs to be addressed.
HIPAA Compliant Websites
Perhaps the first port of call for any patient is the medical practice’s website.
When dealing with ePHI records, you should (as a minimum):
- Transport Encryption: Data should always be encrypted as it’s transmitted over the internet
- Backup: All data should be backed up and recoverable in the event of a loss
- Authorization: Data should only be accessible by authorized personnel using unique, audited access controls
- Integrity: Data should not be tampered with or altered in any way
- Storage Encryption: All data should be encrypted when it is stored or archived
- Disposal: Data should be permanently and irretrievably disposed of when no longer needed
- Omnibus/HITECH: Data should be located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or hosted in-house with secure servers, as per HIPAA security requirements).
Mobile devices are an increasing part of our ‘always on’ world, these can pose other risks to the medical practice thanks to their mobility.
Mobile devices include; Laptops, tablets, smartphones, and clinical devices/tools.
You should consider:
- Potential Risks: Loss or theft of a mobile device, leaving it on and open in an office where unauthorized people may access the data, lack of password or encryption and un-encrypted data
- How Likely: How many people have access to the device, does the device ever leave the practice environment, are there unauthorized staff members with access to the device
- Impact: Identify what the impact would be to you/your practice in the event of loss. How would the loss affect your practice reputation, or financially
- Identify: What you can do to minimize risk, loss, and damage, both in terms of physical damage and damage to the practice
- Implement: Include changes in your security procedures, this should incorporate encryption, password protection and authorized access only
While the HIPAA legislation does allow for medical records and information to be discussed via email and electronic communications, you should consider implementing regulations to ensure your compliance.
The privacy rule in the act doesn’t exclude unencrypted emails, but as with most legislation, blatant disregard of expected standards will only go one way.
Consider limiting information exchanged via electronic communications, ensuring procedures are in place for selecting the correct email address only and ensuring that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
Acquiring New Technology
Old equipment must be disposed of in a secure way.
- The contents of a used hard drive even when deleted can usually be recovered with little specialist knowledge;
- Use a professional disposal company or specialist to ensure the safe destruction of any equipment, or making it ready for resale;
- Catalog all outgoing devices; what has gone, how, and where.
New equipment must be properly installed and protected.
- Catalog the incoming devices; what, from who and supplier;
- Ensure that all installed software is up-to-date;
- Anti-virus software should be installed and updated;
- Set passwords and/or encryption to log on to the device;
- Consider installing tracking software, such as Apple’s ‘Find My Phone’ – a number of software companies offer this type of service.
A full log of devices should be created and maintained, whether the device is in use, storage, on loan or disposed of. The upkeep of the log should be scheduled at least monthly.
Of course, acquiring all this knowledge can seem daunting, implementing the knowledge perhaps more so.
This is where specialist HIPAA security and compliance companies can help; we offer a range of services including our HIPAA Compliance in a single package.
Actually being HIPAA compliant is no longer enough, the law requires you to be prepared to prove it.
Our services include:
- Documentation – Complete set of HIPAA manuals and documentation
- Risk Assessment – Thorough risk assessment from our Microsoft certified engineers
- Staff Training – Regular privacy training
- Remediation – HIPAA trained and Microsoft certified IT experts can make recommendations, and implement those regulations
- HIPAA Emergency Response Team – Our experts can perform a forensic test to see if there has been any breach
- HIPAA Audit Response Team – In the event of an ONC or OCR audit, our team can be on site to assist
- Backup & Disaster Recovery – Encrypted, secure and HIPAA compliant
- IT Support Services – Professional and friendly, understanding what you need
- Availability – We have you covered 24/7, 365 days a year
To find out exactly what we can do for you, including guidance and professional advice, you should contact a member of our professional team today, or call us at 949-474-7774
We are the go-to company for ensuring your reputation and understanding of the HIPAA legislation. We make the process easy and pain-free, and as medical practitioners, you’ll no doubt appreciate that!