In an effort to educate our clients about the role technology plays in HIPAA compliance, we submitted the following article that was published in the August 2018 edition of the “NCMGMA News” (North Carolina Medical Group Management Association). We’re posting it here on our site in case you missed it.
HIPAA Compliance and Information Technology
The HIPAA Security Rule, in force since April 21, 2005, established three safeguards:
- Administrative policies and procedures designed to clearly show how the entity will comply with the act.
- Physical measures that control access to data storage areas.
- Technical methods securing “protected health information” (PHI) that, when transmitted electronically over open networks, is known as ePHI.
The first two safeguards take time and effort, but most healthcare providers have staff who can read the manuals, apply the guidelines and develop a compliant infrastructure.
The technical safeguard provision is entirely different!
HIPAA IT skills are not easily mastered. They require the ability to understand the rules and regulations, envision a network (along with the ePHI flowing through it), and spot vulnerabilities. This must usually be done on a limited budget and with minimal disruption to provider efficiency.
Deciding how to protect your information is a critical decision. The financial penalties resulting from data breaches, along with the colossal costs of issuing breach notifications, providing credit monitoring services, and conducting damage mitigation, make an investment in the protection of PHI extraordinarily cost-effective.
If you decide to handle HIPAA technical issues by hiring an in-house IT professional or contracting with a Managed Services Provider (MSP) who specializes in healthcare, how do you make the right decision?
Most importantly, your applicant must present a plan that addresses four issues:
- The protection of the entire volume of PHI and ePHI you process. This includes:
  - Patient names, pictures, biometric data, addresses, contact numbers, insurance information, and any identifying numbers or data.
  - Health insurance plan beneficiary numbers.
  - Vehicle identifiers and serial numbers, including license plates.
  - Device identifiers and serial numbers.
  - Web URLs and Internet protocol (IP) addresses.
- The ability to defend against known and anticipated threats. Failure to use current-generation OS software and protection, and tardiness in implementing published fixes and patches, makes you 40 times more likely to be hacked.
- Compliance by other “Covered entities,” “business associates” and third-party service providers who might access your PHI. This includes items sometimes overlooked such as x-rays, physician appointment schedules, dictated notes, conversations, and information placed in patient portals.
- Security network components that are affordable and operationally feasible. The following diagrams identify these components.[2]
[2] Prevention Data Breaches Diagram used with permission of the HIPAA Journal, 2017.
There are specific HIPAA standards for servers, hosted environments, cloud utilization, VPN architecture, workstations, and network components. Your staff or MSP must provide evidence that the components they intend to deploy meet these specifications.
The technical defense you deploy must compensate for common human failings by using:
- Password best practices. Passwords cannot be shared by a group, must not be assigned to a position, and must be changed every 90 days. Passwords must be complex, using letters, symbols, mixed case and numbers.
- Screen protectors that limit a third party’s ability to view a protected screen. These are commercially available.
- Automatic controls that lock a computer when it is left unattended.
- Auditing techniques that ensure business associate networks are compliant. Remember you remain responsible for ePHI even when it leaves your network for another.
- Restricted use of mobile devices, such as flash drives, that are not encrypted or are left in unprotected locations.
- Technology that locks misplaced mobile devices.
- Tracking that identifies attempted hacks and determines if data has been compromised.
- An automatic restoration protocol that backs up data frequently, so that if you are successfully attacked it can disable the threat and immediately return your network to its last known safe state.
- Disposal procedures that ensure that any device to be disposed of is wiped completely before release from the protected environment.
While I hope this synopsis is helpful, I highly recommend you look at the 2017 edition of the HIPAA Journal’s “HIPAA Compliance Guide.” It provides a detailed analysis of the points made here.
Armed with “Compliance Guide” expertise, explain your goals to your IT staff or Managed Service Provider and leave the driving to them.
Please contact us for any questions about this article or how the right IT services can ensure you remain HIPAA Compliant.
Hits Tech is a Managed IT Services partner that provides a wide range of IT support solutions to healthcare organizations throughout North Carolina. Our purpose is to support, guide, and innovate, bringing new ideas and a fresh perspective to the way your practice approaches technology.
By Sandra Loftin