    HIPAA Compliance

    Understanding HIPAA compliance: "addressable" does not mean optional.

    The HIPAA (Health Insurance Portability and Accountability Act of 1996) Security Rule is enforced by the United States Department of Health and Human Services (HHS) to safeguard PHI (Protected Health Information), the private data of patients. Those in or working with the healthcare industry have long seen compliance with these rules as inconvenient, but it is necessary. With HHS imposing larger fines and more cyber attacks targeting businesses and hospitals, HIPAA compliance is vital to your business.

    Understanding Required and Addressable HIPAA Controls

    HIPAA documentation is dense and can be hard to understand without an expert. Let us walk you through the required and addressable HIPAA controls, and what those two terms mean for HIPAA compliance.

    The specifications of HIPAA are either required or “addressable.” Required controls are firm – the government does not allow you to avoid them. However, it’s important to understand that addressable controls are not optional. As the HHS documents:

    “A covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”

    This means that with each addressable specification, you must document any reasons you do not think it is reasonable or appropriate. We often see medical practices ignoring both required and addressable HIPAA controls – up until a cyberattack or HHS audit happens.

    HIPAA Controls – Required and Addressable

    HIPAA Risk Analysis – Required

    The first requirement of the HIPAA Security Rule is that businesses have a risk analysis performed on their organization. The National Institute of Standards and Technology (NIST) publishes a free 95-page guide. However, without a professional assessment and compliance program, organizations are much less likely to stand up to review.

    HIPAA Risk Management – Required

    Many practices stop at the risk analysis and put it on the shelf in case of an audit. The HIPAA Security Rule also requires you to document the actions you will take to reduce or otherwise deal with your risks, a critical step that must be documented professionally and completely.

    Healthcare Data Disaster Plan – Required

    What’s your plan in the event of an incident? HIPAA requires businesses to “Establish (and implement as needed) procedures to restore any loss of data.” At a minimum, you need to document how you will protect and recover patient data. Stronger plans also cover communication, alternative sites, and business operations afterward to keep your organization functioning.

    Audit Controls – Required

    While everyone thinks their patients’ data is housed exclusively in their EHR system, it is all over the place: server folders, laptops, desktop hard drives, portable drives, and smartphones. The HIPAA Security Rule requires that access logs be created and retained for six years.

    HIPAA Data Encryption (Data at Rest) – Addressable

    Encryption of PHI is one of the best ways to avoid data breaches. Many data breaches and HIPAA settlements originate from lost or stolen computers, laptops, servers, and thumb drives. Would you rather pay millions of dollars to notify patients and pay fines, or a lot less to encrypt your devices?

    Business Associate Agreements – Required

    Since the HIPAA Omnibus Final Rule of 2013, organizations are liable for the compliance of their “Business Associates” and of those associates’ subcontractors. This makes vendor management more critical than ever: you must validate that your vendors actually comply with HIPAA rules, not just take their word for it.

    Unique User Identification – Required

    No shared logins and passwords are allowed by the HIPAA Security Rule, none. All systems that provide access to electronic Protected Health Information (ePHI) must be able to track users and what files they create, access, and modify. This includes IT staff and outsourced IT providers.

    Automatic Logoff/Lockout – Addressable

    An unlocked computer is a HIPAA violation waiting to happen. We’ll work with you to find the right solution for your organization, from the type of lockout to faster, more convenient ways to securely log back in, such as tokens and biometrics.

    Bottom Line with HIPAA Security

    Our advice is to treat every HIPAA Security Rule Implementation Specification as Required. You will be compliant and more secure, and you will reduce the risk of a reportable data breach, millions of dollars in costs, and a great deal of grief.

    Learn More about Managed Healthcare IT

    One of the best ways of both reaching HIPAA Compliance and a better IT infrastructure is working with a managed service provider who understands both your needs and requirements.

    Triton Technologies

    Get an IT infrastructure that supports your patients and compliance. Meet with us today.