The HIPAA Security Rule offers a framework to protect ePHI (electronic Protected Health Information). HIPAA regulations mandate that any patient identifiers in written, verbal or electronic form be protected.
The rule was enacted to be flexible in order to apply to all kinds and sizes of healthcare organizations. The rules fall under two categories: Required and Addressable. The Addressable category is sometimes confused as being optional. It’s not.
The US Department of Health & Human Services says:
“a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”
To achieve HIPAA Compliance, everything in the Security Rule must be complied with, including the way you handle electronic health information. This means that you should set a high bar if you don’t implement an item that’s Addressable. In this case, you must document your decision for HIPAA. However, there are many other considerations when it comes to information technology. You could still be in non-compliance when undergoing a data breach investigation or HIPAA audit if you’re not careful. You can’t take this chance.
What should you do?…
Just like referring patients to specialists for evaluations to ensure their health, you should refer your IT network to a professional Managed Service Provider who understands HIPAA compliance requirements for data storage and transfer.
If you don’t understand all the terms and regulations in the HIPAA Security Rule, or how they apply to electronic Protected Health Information, it’s advised that you contact an IT Managed Services company. They are best suited to evaluate your processes and procedures to determine if your network is HIPAA compliant. Relying on an IT professional who understands what HHS is looking for could mean the difference between passing a HIPAA audit and ending up on the HHS Wall of Shame.
In case you didn’t know, you shouldn’t be relying on consumer versions of Windows and Apple operating systems. There are different versions, and many don’t have the security built in that you need. The manufacturers do this to keep prices low.
Don’t buy computers for your healthcare business from retail stores that offer low-cost consumer products. To promote HIPAA compliance, ask your IT service company to provide computers and operating systems with the business-class security that you need. And ask them to set them up for you. Not only will you have the peace of mind that you’re doing everything that you can to protect ePHI, but your IT provider can usually get better prices on business-grade hardware and software than you can.
If you use consumer-based IT solutions, your files might not be secure. Nor will these products connect securely to your network. It’s essential that you use enterprise-based versions of operating systems. And you must ensure that they are set up properly to protect your ePHI and are securely joined to your network.
If you’re using webmail services like Gmail, Hotmail, Yahoo!, or those provided by your Internet Service Provider (ISP), you could be in breach of HIPAA regulations. These solutions aren’t secure enough for sending ePHI. That’s because they don’t provide end-to-end email security. Nor will they sign the Business Associate Agreements (BAAs) that you require.
To ensure you comply with HIPAA regulations, you need to use either a:
Faxes are OK to use between practices and pharmacies unless your system converts the fax into an email, but they shouldn’t be sent to a webmail account. And texting isn’t secure or HIPAA compliant if you use a cellphone carrier’s system. Neither you nor your staff should ever text ePHI or other patient information. And be sure that the answering service you use doesn’t send texts containing patient information.
When setting up a Windows network, two different strategies are considered:
1. A Domain-based network where everything is centrally managed and that includes security features.
2. A peer-to-peer workgroup. This is a loosely connected group of workstations.
Can you guess which one you should use? Yes, the Domain-based network. This is required to comply with HIPAA requirements like Unique User Identification, Person or Entity Authentication in a Workgroup, System Activity Reviews, and Audit Controls.
Your Managed IT Service Provider will provide a secure server or convert your existing one into a Domain Controller. They can also link you up to a secure IT system in the Cloud. Never use a Workgroup setup if you store or transmit ePHI outside your certified EHR system. And remember, you must log everything and retain these logs for 6 years. Your IT professional can ensure you do this as well.
Although encryption is considered to be in the Addressable category under HIPAA, if you lose a laptop, or one is stolen, you’ll be in noncompliance unless the data and device are encrypted. In this scenario, it’s mandated that you report the loss to the federal government for investigation and contact all of the patients whose data was stored in the device.
If the device and data are encrypted, and they’re lost, you won’t have to report this to the authorities nor your patients. Your IT provider can deploy Mobile Device Monitoring to wipe the data from a lost machine. And they can also direct you to laptops that automatically self-encrypt when you turn them off or close the lid.
It costs a lot less to encrypt a machine and data than it does to pay fines and penalties.
HIPAA regulations require audit trails to identify which users are accessing and have accessed patient health records. This means that you must enforce security controls like having users log on and off by themselves, prohibiting the sharing of passwords, or piggy-backing (where multiple employees use a computer during a single session).
Automatic Logoff is also in the Addressable category under HIPAA, but the alternatives are expensive and very inconvenient. While you don’t have to do this, you must NEVER leave an unlocked computer when a patient is in the room. The doctor or staff member must be in the room at all times when a computer is unlocked and a patient is present. Wouldn’t it just be easier to have your IT provider set up Automatic Logoff?
If Automatic Logoff seems too annoying to you, remember that there are convenient ways to log on. Your Managed IT Provider can help you with this. They can make sure the computers you use have fingerprint readers or proximity cards.
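As an added example (not code from National Networks or the original post), the following read-only PowerShell check reports the state of the workstation controls discussed above: domain membership versus workgroup, BitLocker on the OS drive for the lost-laptop case, the machine inactivity lock that implements Automatic Logoff, and the logon auditing the audit trail depends on. The 15-minute lock threshold is an assumption for illustration, not a figure from the post.

```powershell
# Added example, not code from the original post. Read-only: reports the state of
# the Windows workstation controls discussed above and changes nothing.
# Run in an elevated PowerShell on the workstation (Pro/Enterprise editions;
# the BitLocker module is absent on consumer Home editions).

$maxLockSeconds = 900   # assumed illustration threshold (15 minutes), not from the post
$report = [ordered]@{}

# 1. Domain-joined vs. peer-to-peer workgroup
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$report['DomainJoined'] = $cs.PartOfDomain
$report['DomainOrWorkgroup'] = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }

# 2. Full-volume encryption of the OS drive (the lost/stolen laptop case)
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report['BitLockerProtection'] = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unavailable' }
$report['BitLockerEncryptedPct'] = if ($bl) { $bl.EncryptionPercentage } else { 0 }

# 3. Automatic lock after inactivity ("Interactive logon: Machine inactivity limit")
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polPath -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
$report['InactivityTimeoutSecs'] = if ($pol) { [int]$pol.InactivityTimeoutSecs } else { 0 }

# 4. Logon auditing, which the per-user audit trail depends on (auditpol /r emits CSV)
$audit = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$report['LogonAuditSetting'] = $audit.'Inclusion Setting'

# Collect the controls that are missing or weaker than the thresholds above
$findings = @()
if (-not $report['DomainJoined']) {
    $findings += 'Workstation is in a workgroup, not joined to a domain'
}
if ($report['BitLockerProtection'] -ne 'On') {
    $findings += 'OS drive is not BitLocker-protected'
}
if ($report['InactivityTimeoutSecs'] -le 0 -or $report['InactivityTimeoutSecs'] -gt $maxLockSeconds) {
    $findings += "No inactivity lock of $maxLockSeconds seconds or less is enforced"
}
if ($report['LogonAuditSetting'] -notmatch 'Success') {
    $findings += 'Logon success auditing is not enabled'
}

[pscustomobject]$report | Format-List
if ($findings.Count -gt 0) {
    Write-Warning ("Findings:`n - " + ($findings -join "`n - "))
} else {
    Write-Host 'All checked controls are in place'
}
```

Each finding maps to one of the controls the post says a domain-based, encrypted, auto-locking workstation provides, so a non-empty warning list is the starting point for the conversation with your IT provider.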
To access the Internet, you need a router or firewall. A router and firewall both direct traffic between two networks–your internal network and the Internet. A firewall also comes with security features. But this doesn’t mean that you should run out and purchase just any firewall.
A business-grade firewall can block unauthorized access. It will also filter the traffic from the Internet to prevent viruses and malware from getting into your computers. This is required for HIPAA compliance.
A Managed IT Service provider can set this up properly, plus they can employ Remote Management and Monitoring that offers continual monitoring and maintenance of your network for security and reliability, and to apply updates and patches.
Why do you need a business-grade firewall including the additional subscription-based features to properly protect your network? In 2013, a $400,000 fine was paid when a firewall stopped blocking unauthorized traffic, and 17,500 patient records were breached. You can probably figure out that an enterprise-grade firewall costs a lot less than a fine and the cost to notify your patients about a breach.
To be HIPAA compliant today requires healthcare organizations to either employ a full-time certified IT staff or arrange for service from a Managed IT Service provider.
Managed Service Providers like National Networks offer everything we discussed and more and for a fraction of the cost of employing a full-time IT staff (or the cost of fines, penalties and notifying patients about a data breach!).
When the $400,000 was assessed for the firewall that stopped blocking unauthorized traffic, the HIPAA enforcers noted that the problem had been going on for over 10 months. A properly implemented network with all the things we discussed above would have prevented this and alerted the IT Managed Service provider that there was a problem.
National Networks specializes in providing HIPAA-compliant IT service and solutions to healthcare companies in Louisiana and Texas. Plus we provide a signed Business Associate Agreement which is also mandatory for HIPAA compliance.
Managed IT Services = HIPAA Compliance
Don’t wait until you get audited. By then it will be too late. HIPAA Compliance is the law. Contact the teams at National Networks in Lake Charles, LA, or Nederland, TX, to learn about our Compliance and Managed IT Services for your healthcare business.
Did you find this article helpful? There are many others in our Blog.

Published on 25th February 2019 by Shawn Maggio