HIPAA IT Compliance Is More Complicated Than In The Past
June 24th, 2018 by admin
There’s No Doubt That You Need An IT Provider With Expertise In HIPAA & HITECH
Why Is This? Maintaining the integrity of ePHI is a key element of compliance with HITECH and the HIPAA Security Rules, and the scale of these regulations is staggering. Not only does ePHI have to be safeguarded, but any ePHI transmitted outside of an organization's network, including what's stored in the Cloud, must be compliant.
The HHS Has Issued Guidance on Cloud Computing
With the proliferation and widespread adoption of cloud computing, HIPAA covered entities and their business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of ePHI. The Department of Health and Human Services has responded with requirements here. However, with cloud computing evolving all the time, the HHS doesn't endorse any specific technologies, so a lot is left to interpretation.
- Is this something you want to deal with?
- Do you have the expertise?
- Do you have the time?
- What if you interpret the HHS cloud guidance incorrectly?
This Is Why You Need A HIPAA & HITECH Expert Like TOTLCOM
The same rules apply as if you were sharing ePHI in paper format. Plus, it's up to you to conduct due diligence on your Business Associates, including your Cloud Services Provider (CSP). This presents a nightmare scenario for many healthcare practices and organizations. You must have a Business Associate Agreement for them and any other organization that stores or processes your ePHI. And, it's their responsibility to notify you if a breach occurs. How can you be sure they will?
This Can Be A Nightmare Of Unprecedented Proportions For Small Healthcare Practices
One of the concerning issues with HIPAA compliance today is that the Security Rule was published three years before cloud-based web services were launched, and four years before the first Apple iPhone was released. So, to thoroughly identify issues relating to electronic records and HIPAA compliance you must conduct an accurate assessment of today's more complex potential risks and vulnerabilities. This is a huge task for healthcare organizations with many pitfalls along the way.
How We Can Help
We Start By Conducting A HIPAA Risk Analysis For You And Your Business Associates
HIPAA requires that both you and your business associates conduct an IT risk assessment. This will ensure you all are compliant with HIPAA's technical standards. It will reveal areas where your organization's ePHI could be at risk. The risk management process must include:
- An evaluation of all system threats and vulnerabilities,
- A review of all security policies and procedures for HITECH/HIPAA compliance,
- Implementation of security safeguards to protect ePHI, and
- An analysis of how ePHI can be stored and protected at all times.
- Document policies and procedures detailing how ePHI will be protected,
- Provide these documents to your entire staff, and
- Require staff be trained to ensure they understand their individual roles and responsibilities in the enforcement of HIPAA policies and procedures.
We Can Train Your Employees
The HIPAA Security Rule mandates that all covered entities and their business associates implement recurring HIPAA security awareness/training programs for their employees. This is to ensure ePHI is protected through administrative safeguards. The following four components must be addressed:
- Protection from malicious software
- Log-in monitoring
- Security Reminders
- Password Management
We Can Also Help With Your HIPAA Business Associate Agreements (BAA)
A HIPAA BAA is a contract between you and your business associates. It's mandatory and must be signed by all of your business associates, verifying that they agree to protect ePHI and comply with all HIPAA Security Rules. Now that your CSPs are involved (and you likely change them from time to time), this can be a tiresome task. Let the HIPAA Experts at TOTLCOM do this for you as well.
What About Encryption Under The HIPAA Security Rule?
Encryption isn't required under the HIPAA Security Rule. However, if a risk assessment determines that encryption is an appropriate safeguard, then encryption or an acceptable alternative safeguard must be implemented. Three benefits of encryption include:
- If an encrypted device (desktops, USB drives, and laptops) containing ePHI is stolen, the breach doesn't need to be reported by the business associate or covered entity.
- The liability of storing ePHI on laptops, desktops or portable devices is reduced with encryption.
- The cost of encryption is much less than the cost of a potential fine.
We Can Ensure Your Compliance With A Security Incident Response Plan (SIRP)
To ensure compliance with the HIPAA Omnibus Final Rule and the HIPAA Security Rule, you must implement a Security Incident Response Plan (SIRP). A SIRP outlines the steps to take in the event of an incident or security breach. You are required to maintain documentation for your risk assessment in order to prove that no breaches have occurred. The director of the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) reports that organizations with an SIRP in place will experience less severe or no monetary penalties in the event of a security breach. However, refusal to act or correct issues related to a breach will result in increased monetary penalties. It's important to keep your SIRP updated and ensure that all employees recognize and report potential data breaches immediately. Your SIRP Should:
- Define and Document the Incident
- Stop the Incident
- Perform an Immediate Risk Assessment
- Notify all Affected Individuals/Agencies
- Prevent the Occurrence of Further Incidents