HIPAA Compliance and Meaningful Use Tech Tips

Mike Semel

HIPAA Compliance Tech Tips Part 1 of 2

COMMENTARY
Semel Consulting

HIPAA Compliance can be a mystery. It can be even more mysterious when you don’t understand technology. When you dig deep and try to understand the tasks and procedures you need to protect electronic data you are likely to encounter technical terms—and IT buzzwords— that are confusing. Here are some tips you can use to ensure that your technology foundation is strong enough to support HIPAA compliance. Remember that HIPAA compliance is a fundamental requirement for you to earn and keep your Meaningful Use incentive money.

Overview

HIPAA protects any combination of something that can identify a patient along with anything related to their diagnosis or treatment, in any form: written, verbal, or electronic. The Security Rule provides a framework for protecting electronic Protected Health Information (ePHI). HIPAA compliance was designed to be flexible enough to apply to health care organizations of all kinds and sizes. Some HIPAA Security Rule implementation specifications are Required and others are Addressable. Addressable specifications are sometimes mistaken for Optional ones, which is not true. The US Department of Health & Human Services says a covered entity "must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative."

Our advice, if you want to achieve HIPAA compliance, is to treat everything in the Security Rule as required, and to set a very high bar before deciding not to implement an Addressable item. If you conclude that an Addressable specification is not reasonable or appropriate, you must document why, and what equivalent alternative you put in place instead, and hope that documentation stands up to a HIPAA audit or data breach investigation.

Speak Geek?

If you don't understand the terms, you should contact an IT Managed Services provider to help you evaluate your network. When it comes to surviving a HIPAA audit or data breach investigation, you need a professional. Like the specialists doctors refer patients to every day, and the tests they order to see what is happening under a patient's skin, your technology must be evaluated by someone with the proper skills and experience, who will look deep into your network to identify its strengths and weaknesses. Make sure they understand the HIPAA compliance requirements you face.

Business-class operating system

When you turn on a computer the first thing you encounter is the operating system, usually Windows or Mac OS. What you may not know is that each comes in different editions, and the consumer editions leave out security features to save costs and keep retail prices low. Windows Home editions, for example, do not include BitLocker drive encryption to protect the files stored on the device, and cannot join an Active Directory domain, so they cannot be centrally managed or authenticated on a business network. You need a business-class edition of the operating system (Windows Pro or Enterprise, for instance), and it must be properly set up to encrypt stored data and to join the network securely. This means you should not be buying computers for your network from retail stores that sell low-cost consumer models without first checking the edition. Buy professional models with business-class security, and make sure that security is actually turned on; the edition on the box does not by itself make you HIPAA compliant.

Business-class E-mail

Webmail services like Gmail, Hotmail, Yahoo!, and the mail accounts provided by your Internet Service Provider (ISP) are not secure enough for sending Protected Health Information (PHI). These consumer services do not provide end-to-end e-mail security, and their vendors will not sign a Business Associate Agreement (BAA) for a consumer account. A small medical practice paid $100,000 in a settlement with HHS over its use of webmail and an online calendar for PHI. For HIPAA compliance you need a secure e-mail solution: a secure mail server that you own and manage; a cloud e-mail or e-mail encryption service from a vendor that will sign a BAA; or the secure messaging tools included in your certified Electronic Health Record (EHR) system. Faxes are OK between practices and pharmacies, unless your system converts incoming faxes into e-mail; once a fax becomes an e-mail message the e-mail rules apply, and it must not be delivered to a webmail account.

Secure Network Infrastructure

There are two ways to set up a Windows network: a Workgroup or a Domain. A peer-to-peer Workgroup is a loosely connected group of workstations, each with its own local accounts, passwords and settings. A Domain is centrally managed by a Domain Controller, which gives each person one account, enforces password and access policy across every machine, and lets you turn on and review audit logging centrally. You cannot satisfy many HIPAA Security Rule requirements, such as Information System Activity Review, Unique User Identification, Audit Controls, and Person or Entity Authentication, in a Workgroup, because there is no central place to enforce them or to review who did what. You need a Domain. That may mean purchasing a server, converting an existing server into a Domain Controller, or creating a secure network in the Cloud. A Workgroup is a deal-breaker if you have any protected data anywhere other than inside your certified EHR system, and keep in mind all the old files you still must retain.
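The two sections above (business-class operating system and Workgroup versus Domain) describe things a technician can check in a few minutes on each workstation. The following PowerShell script is an added example written for this page; it is not from the original article, Semel Consulting, or any HIPAA tool. It reads the Windows edition, domain membership, BitLocker status on the system drive, enabled local accounts, logon audit policy and Security log size, and prints a list of findings. The 100 MB Security log threshold and the list of "built-in" account names are assumptions chosen for illustration, not figures from the Security Rule. Run it in an elevated PowerShell window on Windows PowerShell 5.1 or later; the BitLocker and auditpol calls need administrator rights.

```powershell
# Added example (not the article's own): read-out of one workstation's technical
# foundation for HIPAA: OS edition, domain join, disk encryption, local accounts,
# audit logging. Run elevated. Thresholds below are illustrative assumptions.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Operating system edition. Home editions lack BitLocker and cannot join a domain.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "OS:          $($os.Caption) (build $($os.BuildNumber))"
if ($os.Caption -match 'Home') {
    $findings.Add("Consumer (Home) edition: no BitLocker, cannot join an Active Directory domain")
}

# 2. Workgroup vs Domain. Unique user IDs, audit policy and activity review can
#    only be managed centrally when the machine is domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Host "Domain:      joined to $($cs.Domain)"
} else {
    Write-Host "Workgroup:   $($cs.Workgroup) (NOT domain-joined)"
    $findings.Add("Workgroup machine: no central authentication, policy or audit review")
}

# 3. Protection of stored data: is the system drive encrypted?
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Write-Host "BitLocker:   $($bl.ProtectionStatus) on $env:SystemDrive"
    if ($bl.ProtectionStatus -ne 'On') {
        $findings.Add("System drive $env:SystemDrive is not BitLocker-protected")
    }
} catch {
    # The BitLocker cmdlets are absent on Home editions or when the feature is not installed.
    $findings.Add("BitLocker cmdlets unavailable: data stored on this device is probably unencrypted")
}

# 4. Unique User Identification: shared or built-in accounts defeat it.
#    The account names flagged here are an assumption for the example.
$localUsers = Get-LocalUser | Where-Object { $_.Enabled }
Write-Host ("Enabled local accounts: " + (($localUsers | Select-Object -ExpandProperty Name) -join ', '))
foreach ($u in $localUsers) {
    if ($u.Name -in @('Guest', 'Administrator')) {
        $findings.Add("Built-in account '$($u.Name)' is enabled; use named per-person accounts instead")
    }
}

# 5. Audit Controls / Information System Activity Review: are logons recorded,
#    and is the Security log large enough to keep them until someone reviews it?
$logonAudit = (auditpol /get /subcategory:"Logon" 2>$null) -join "`n"
if ($logonAudit -match 'No Auditing') {
    $findings.Add("Logon auditing is disabled (auditpol subcategory 'Logon' = No Auditing)")
}
$secLog = Get-WinEvent -ListLog Security
Write-Host ("Security log: {0:N0} records, max {1:N0} MB" -f $secLog.RecordCount, ($secLog.MaximumSizeInBytes / 1MB))
if ($secLog.MaximumSizeInBytes -lt 100MB) {   # 100 MB is an illustrative threshold
    $findings.Add("Security log maximum size is under 100 MB; events may be overwritten before review")
}

# Summary
if ($findings.Count -eq 0) {
    Write-Host "`nNo foundation gaps found on this machine."
} else {
    Write-Host "`nFindings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

A "clean" result from this script does not mean the practice is HIPAA compliant; it only confirms that the foundation the two sections above describe (a business-class edition, encrypted storage, a domain-joined machine with per-person accounts and logon auditing) is in place on that one computer. Run it on every workstation that touches ePHI and keep the output with your risk analysis documentation.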

Mike Semel is certified in HIPAA, has been the CIO for a hospital (a Covered Entity), and has provided IT support for healthcare providers (as a Business Associate). This article was originally published on 4Medapproved.com/HITSecurity.