If you work in, or own, a business that is related to medical services, then you know about HIPAA. The Health Insurance Portability and Accountability Act is a major federal law that has been evolving since it was signed into law in 1996. The goal of the law is to protect the protected health information (PHI) of everyone who receives services from any kind of medical service provider. To this end, HIPAA compliance regulations are extensive and touch almost every area of the operations of medical service providers.
Technology is not exempt from HIPAA regulations. In fact, technology requirements are specifically addressed by HIPAA in the Security Rule. Servers and computers, security cameras, backup devices, and even fax machines are just a few examples of how technology is used to transmit Protected Health Information, and they are therefore covered by HIPAA regulations. Ignoring, underestimating, or otherwise not abiding by the HIPAA Security Rule has left many healthcare organizations vulnerable to potential breaches, which can lead to heavy financial penalties under the law.
Here are some key steps that medical offices should take right away to limit their liability, ensure compliance, and secure Protected Health Information:
Conduct a Risk Analysis of your medical practice as soon as possible. This analysis will look at all of the systems and procedures of your office and highlight areas of vulnerability. The analysis should be conducted by a trained professional from outside your organization. (Northbridge recommends HIPAAtrek; for more information, visit hipaatrek.com.) Due to changes and additions in HIPAA regulations, if you conducted a risk analysis more than 5 years ago, a new assessment should be conducted.
Secure your data. All of the electronic patient information in your office must be protected against loss and corruption. This requires the use of a robust, compliant data backup and storage solution. It is recommended that data be backed up both onsite and offsite. It is important to remember, however, that the transfer of protected information offsite must be done in a way that meets compliance requirements. Backing your data up to a flash drive that you then take home with you would not be considered a compliant method of offsite backup! Northbridge can provide equipment and services to secure your patient data both locally and offsite in compliance with HIPAA regulations.
Purchase hardware devices and software with compliance in mind. Once you are able to get your network and equipment into compliance, adding the wrong piece of hardware in the future can take you right back out of compliance! From wireless access points to network routers and switches, compliance must be considered in your choice of network hardware. Any device that transmits protected health information must be compliant with HIPAA regulations.
Be careful who you do business with. HIPAA regulations dictate that the liability of a medical office extends to any other company it does business with that has access to its protected health information. Your office may be compliant, but if you have vendors, outside support staff, or partners who are not, then your compliance is at risk. A Business Associate Agreement should be in place between the medical office and any company that has access to health information of any kind. This agreement ensures that the practices of the business associate do not create a liability for the medical office. Of further note, the business associate must also ensure that any subcontractor it uses to perform work at the medical office is also in compliance.
Northbridge Professional Technologies is working with HIPAA experts to help ensure that our products, services, and practices are in compliance with HIPAA regulations. We are not HIPAA experts, and the advice in this blog is not intended to be a substitute for expert assistance in this complex area. Our goal is to ensure that the work we do with our medical clients helps them achieve and maintain compliance.
Northbridge and our partners are ready to assist you as you work to bring your medical office into compliance with HIPAA standards. Call us today at 618-565-0471.