7 Steps to HIPAA Security Compliance
Your patients’ health information is the most important asset of your business, and keeping it protected is more important than ever. The following strategy will help you meet compliance.
The HITECH legislation is Title XIII of the 2009 American Recovery and Reinvestment Act, and can be found beginning on page 112 of the official document at: http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf
This post summarizes David C. Kibbe, MD, MBA’s article.
1. Understand why computer security is important.
If you need a simple answer to the question, “Why is computer security necessary and important?” the answer is “because everyone cares about the privacy and integrity of their health information.” The point of computer security is to prevent personal health information from falling into the wrong hands or being accidentally changed or destroyed.
2. Make sure your colleagues and employees take security as seriously as you do.
The HIPAA security standards require your practice to have written security policies and procedures, including those that cover personnel training and sanctions for security policy violations. Your office staff and colleagues must truly understand basic security logic and take their role in protecting patients’ privacy very, very seriously. Most security breaches occur when insiders exercise faulty judgment or fail to follow protocols in which they’ve been trained.
Consider two highly people-dependent areas of computer security: physical access and password management.
3. Monitor your information system devices that interact with protected health information in your office.
To assess your office’s current security risk, you have to know, in detail, the capabilities and weaknesses of your information systems. No two medical practices have exactly the same information system components, nor do they manage the flow of information exactly the same way. Some practices still manage most information on paper and have a single computer for billing and accounting purposes. However, most practices, even small ones, have complicated information technology environments that include multiple components, e.g. firewalls, PCs, modems and switches.
Detailed examination of your entire system is an important step for three reasons.
o First, it’s required. HIPAA requires you to carry out such a risk analysis and base your new computer security policies and procedures on this analysis, which must be specific to your practice.
o Second, it’s the only reasonable way to assess your risk of security breaches in your current systems and protocols.
o Finally, this exercise can be valuable in the acquisition and use of EHR systems if your practice is moving in that direction.
The HIPAA security standards require your practice to designate a security official, so you might want to assign these tasks to the person or company monitoring your system. If you need your systems monitored, contact Sentinel; we offer full system monitoring and security vulnerability audits.
4. Prevention is the best reaction
One of my professors once told me that, and it is so true. There are many ways data integrity can be affected; the most common is loss of data from some sort of emergency or disaster, including human error, mechanical hard disk failure, equipment damage due to flooding, or computer virus infection.
A solid computer-system contingency plan consists of a number of steps, including performing backups, preparing for continued operations in an emergency and recovering from a disaster. A backup that has never been test-restored is not yet a contingency plan; verify that it restores before you need it.
5. Be certain that you have anti-virus software and keep it up to date.
Even if you are in solo practice and use only one laptop computer for all your data capture, storage and transmission, and therefore may not require a network firewall, you probably connect to the Internet for e-mail and Web browsing. In terms of risk to your computer’s data, connecting to the Internet is the most dangerous activity in which you can engage. Read my blog post on anti-virus for more information.
6. Understand what encryption will do and when it is necessary.
Contrary to what many people are saying, the HIPAA security standards do not require e-mail, or any other transmission from a doctor’s office, to be encrypted. They do require your practice to assess whether its unencrypted transmissions of health information are at risk of being accessed by unauthorized entities; if they are, you should implement some form of encryption. Under the Security Rule, transmission encryption is an “addressable” implementation specification: you must either implement it where reasonable and appropriate, or document why it is not and what equivalent measure you use instead.
7. Demand that your vendors fully understand the HIPAA security standards.
As you become better informed about computer security and the HIPAA security standards, you will realize the extent to which compliance makes you dependent on hardware, software, network and other information technology (IT) vendors. Their products and services, whether out-of-the-box computer hardware or hands-on-in-the-office IT services, will enable you to meet many of the security standards – or not.
These 7 steps should help you recognize what to look for in order to become HIPAA compliant. Remember that to become and remain compliant, you have to continuously verify that every rule is being followed.
What are your thoughts? Any other suggestions? Post a comment below and share your thoughts.
About Edson Monteiro.
Edson is a compliance and security specialist. As President of Sentinel Digital Systems and author of the Tech-Source blog, he helps small businesses meet guidelines and saves them big bucks on penalties.