HIPAA IT Compliance Is More Complicated Than In The Past

June 24th, 2018 by admin

There’s No Doubt That You Need An IT Provider With Expertise In HIPAA & HITECH

Why Is This? Maintaining the integrity of ePHI is a key element of compliance with HITECH and the HIPAA Security Rules, and the scale of these regulations is staggering. Not only does ePHI have to be safeguarded, but any ePHI transmitted outside of an organization’s network, including what’s stored in the Cloud, must be compliant.

The HHS Has Issued Guidance on Cloud Computing

With the proliferation and widespread adoption of cloud computing, HIPAA covered entities and their business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of ePHI. The Department of Health and Human Services has responded with requirements here. However, with cloud computing evolving all the time, the HHS doesn’t endorse any specific technologies, so a lot is left to interpretation.
  • Is this something you want to deal with?
  • Do you have the expertise?
  • Do you have the time?
  • What if you interpret the HHS cloud guidance incorrectly?

This Is Why You Need A HIPAA & HITECH Expert Like TOTLCOM

The same rules apply as if you were sharing ePHI in paper format. Plus, it’s up to you to conduct due diligence on your Business Associates, including your Cloud Services Provider (CSP). This presents a nightmare scenario for many healthcare practices and organizations. You must have a Business Associate Agreement for them and any other organization that stores or processes your ePHI. And it’s their responsibility to notify you if a breach occurs.

How can you be sure they will?

This Can Be A Nightmare Of Unprecedented Proportions For Small Healthcare Practices

One of the concerning issues with HIPAA compliance today is that the Security Rule was published three years before cloud-based web services were launched, and four years before the first Apple iPhone was released. So, to thoroughly identify issues relating to electronic records and HIPAA compliance, you must conduct an accurate assessment of today’s more complex potential risks and vulnerabilities. This is a huge task for healthcare organizations, with many pitfalls along the way.

How We Can Help

We Start By Conducting A HIPAA Risk Analysis For You And Your Business Associates

HIPAA requires that both you and your business associates conduct an IT risk assessment. This will ensure you all are compliant with HIPAA’s technical standards. It will reveal areas where your organization’s ePHI could be at risk. The risk management process must include:
  • An evaluation of all system threats and vulnerabilities,
  • A review of all security policies and procedures for HITECH/HIPAA compliance,
  • Implementation of security safeguards to protect ePHI, and
  • An analysis of how ePHI can be stored and protected at all times.
To ensure compliance with HIPAA regulations, you and your business associates (including your IT provider) must:
  • Document policies and procedures detailing how ePHI will be protected,
  • Provide these documents to your entire staff, and
  • Require staff be trained to ensure they understand their individual roles and responsibilities in the enforcement of HIPAA policies and procedures.
Once risks have been detected and documented, we’ll assess your organization’s (and your business associates’) current IT security policies and practices. We’ll determine if certain risks must be addressed right away, and what measures can be implemented in the future.

We Can Train Your Employees

The HIPAA Security Rule mandates that all covered entities and their business associates must implement reoccurring HIPAA security awareness/training programs for their employees. This is to ensure ePHI is protected through administrative safeguards. The following 4 components must be addressed:
  1. Protection from malicious software
  2. Log-in monitoring
  3. Security Reminders
  4. Password Management
Don't worry. The HIPAA Experts at TOTLCOM can do this for you.

We Can Also Help With Your HIPAA Business Associate Agreements (BAA)

A HIPAA BAA is a contract between you and your business associates. It’s mandatory and must be signed by all of your business associates, verifying that they agree to protect ePHI and comply with all HIPAA Security Rules. Now that your CSPs are involved (and you likely change them from time to time), this can be a tiresome task. Let the HIPAA Experts at TOTLCOM do this for you as well.

What About Encryption Under The HIPAA Security Rule?

Encryption isn’t required under the HIPAA Security Rule. However, if a risk assessment determines that encryption is an appropriate safeguard, then encryption or an acceptable alternative safeguard must be implemented.

3 Benefits of Encryption Include:
  1. If an encrypted device (desktops, USB drives, and laptops) containing ePHI is stolen, the breach doesn’t need to be reported by the business associate or covered entity.
  2. The liability of storing ePHI on laptops, desktops or portable devices is reduced with encryption.
  3. The cost of encryption is much less than the cost of a potential fine.

We Can Ensure Your Compliance With A Security Incident Response Plan (SIRP)

To ensure compliance with the HIPAA Omnibus Final Rule and the HIPAA Security Rule, you must implement a Security Incident Response Plan (SIRP). A SIRP outlines the steps to take in the event of an incident or security breach. You are required to maintain documentation for your risk assessment in order to prove that no breaches have occurred. The director of the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) reports that organizations with a SIRP in place will experience less severe or no monetary penalties in the event of a security breach. However, refusal to act or correct issues related to a breach will result in increased monetary penalties. It’s important to keep your SIRP updated and ensure that all employees recognize and report potential data breaches immediately.

Your SIRP Should:
  • Define and Document the Incident
Report any and all information regarding the incident, including what happened, who was involved, when it happened and when it was discovered. Document all aspects of the incident, especially who was affected.
  • Stop the Incident
Take necessary steps to stop the incident, such as disabling access to a lost smartphone or preventing further access to ePHI.
  • Perform an Immediate Risk Assessment
A risk assessment should be performed to determine whether ePHI has been disclosed, if so what was disclosed, and who must be notified.
  • Notify all Affected Individuals/Agencies
Breaches that affect over 500 individuals require a significantly increased number of notifications, with notifications sent to individual patients, HHS, and possibly the local media.
  • Prevent the Occurrence of Further Incidents
Increase your security in an attempt to reduce the risk of further incidents. The purpose of the SIRP is to ensure that the incident isn’t repeated in the future.

The process to comply with HIPAA and HITECH is long and complex. And with new technologies being adopted all the time, it will get more complex. There’s no doubt that you need a HIPAA & HITECH Expert in Northern California. TOTLCOM, Inc. is that expert. For more information, or to schedule a HIPAA Risk Assessment for you or your business associates, contact us at (800) 300-5500 or complete our contact form on the Web.

Posted in: Uncategorized, Technology News, Information and Education

