As with many things in life, HIPAA compliance is more a journey than a destination. Even once you’ve done the hard work of evaluating your practice for vulnerabilities, mitigating the risks, and documenting the whole process, it’s not enough to just put a stamp on your practice that says, Compliant!, and call it a day. You must invest time in ongoing training and awareness programs, stay on top of changes to personnel, technology, and the pertinent legislation You must continually measure and address any additional risk to patient records that may be introduced or uncovered as a result of these changes, and of course, keep a record of it all as you go HIPAA Compliance Service.
If you’ve done little more than buy a book, or roll out a few standard patient privacy forms, you’re behind the curve. Many practices will hire a consultant, or dedicate a current member of their staff to working through the process of analyzing and establishing compliance. Typically, smaller practices have a few less considerations to deal with than larger practices, but most of the requirements apply regardless of practice size.
The whole process makes for a long and winding road, but even a journey of a thousand miles begins with a few steps. Here are some technical safeguards your practice should have in place, or should be strongly considering for implementation in your quest for HIPAA compliance:
Use encryption software to protect ePHI on your server. We recently saw a practice lose a server to a theft during an overnight break-in. When your data is encrypted on the server hard drives, there’s no way for the thieves to access the ePHI stored there without the unique password you create, even though they have access to the drives.
Install antivirus software on all pc’s, tablets, notebooks and servers, AND keep it current. Hackers and data thieves are always plotting new ways to break into networks and collect sensitive data using Trojan horses, root kits, data miners and viruses. Protect your network’s data from their efforts with antivirus software and make sure it stays updated so you’re protected via the latest anti-virus signatures.
Create a backup and restore plan for your ePHI. Not only are you required to protect ePHI, you are also required to produce it for your patients in a timely manner should they request access to it. A good backup and restore plan can help you achieve both objectives. Make sure you not only have a good copy of the data, but periodically test the restoration of the data to make sure it hasn’t become corrupt. Ideally, you’ll have a copy of the data off-site as well, to protect against theft, fire, storm or electrical damage to your practice.
Create and maintain unique logins to your network and practice management application for each member of your staff. Unique logins are required in order to track who has accessed your systems, when they were accessed and what information was viewed. User logins should be disabled immediately when an employee is terminated or resigns.
Encrypt all outgoing emails that contain ePHI. This can be done through software installed on premises, or through a variety of hosted email providers. Emails can be intercepted both electronically and in person if anyone else has access to the patient’s computer. Encrypting your email insures that only the intended recipient is able to open and view the contents via a password they create.
Deploy a business-class firewall to protect your network. Many firewalls sold at big retailers that are sufficient for home use are not adequate for protecting a practice’s ePHI. You want a model that will perform IDS/IPS (intrusion detection services/intrusion prevention services) functions and proxy-based analysis of the data packets entering your network.
Restrict physical access to the server storing your ePHI. You should literally keep your server protected under lock and key. Whether you do that with a small locking cage, in a locked closet that houses networking equipment, or in a dedicated room that can be locked from general access, it’s important to protect your server in this way and maintain documentation that notes the “who”, “when” and “why” of physical access to the server. Just be sure the server also has adequate airflow to protect against the damages of overheating.
Create and sign a Business Associate (BA) agreement with any vendors that may have access to ePHI. The BA agreement will outline obligations of both parties with respect to things like protecting ePHI and reporting breaches. Should your practice become the subject of an investigation by the Office of Civil Rights (OCR) due to a breach, this will be one of the first things they ask you to produce.
This list of recommendations is in no way meant to be a comprehensive test of compliance. As mentioned, these are only a few small, yet vital measures designed to help protect your ePHI as you strive for complete HIPAA compliance. Implement them all, and you’ll be on your way. Skip any one of them, and you could be creating a vulnerability that leads to a breach and a visit from the OCR. In any case, the mandate for full HIPAA compliance is here.