One of the problems with our increasingly technological world is that the speed at which our devices and services upgrade and make older versions obsolete can be dizzying. It feels like only an instant before the latest smartphone or flatscreen TV is being replaced with the bigger, better, faster model.
The same holds true in the world of hosting, data information, and server management. And while it can be tough to keep up for any type of business, it’s crucially important if your company is involved with health care IT and has to maintain HIPAA Compliance.
There are several aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but as it pertains to health care IT and the focus of this article, HIPAA compliance comes from your company’s ability to adhere to the strict national standards regarding electronic health care transactions, and identifying information for health care providers, employers, and health insurance plans.
As one might imagine with such a large piece of national legislation, there are a myriad of minimums that your company’s systems and operations must meet. And as one might also imagine, understanding and implementing exactly how said systems and operations must operate to be HIPAA compliant can quickly become quite a daunting task. Having a quick, clear, and easy 10-step HIPAA compliance checklist to run through can be a major help, which is we are doing in this article. We will also take a look at a series of hosting questions asked by an Atlantic.net healthcare client interested in learning more about the specifics of compliance.
- 10-Step HIPAA Checklist
- Spotlight: HIPAA Technology Provider Questions
- The Right HIPAA Information Technology Answers
10-Step HIPAA Checklist
- Name a Privacy and Security Officer
- Perform Periodic Vulnerability Reviews
- Create a Specific Policy for Email
- Create a Specific Mobile Policy
- Train Your Staff
- Develop a Privacy Notice
- Solidify Business Associate Relationships
- Establish a Protocol for Possible Breaches
- Make Sure the Privacy and Security Policies are Followed
If you want to know how to become HIPAA compliant, there are specific standardized technologies that you should have in place to properly protect Personal Health Information, or PHI, and avoid violations. We’ll dive more into the technological side in the spotlight section detailing a conversation with a client below.
In addition to those technical specifications, here are 10 additional actions you want to take as general HIPAA administrative safeguards. Although these tactics should not be considered exhaustive, each one will effectively reduce your liability and make it less likely that you will become a target of the Department of Health and Human Services (HHS):
“Healthcare organizations must develop, adopt and implement privacy and security policies and procedures,” said Becker’s Hospital Review. “They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.”
This is particularly important in today’s world, where cybercrime, in the form of brute force attacks, Distributed Denial of Service (DDoS) Attacks, and other forms of hacking have resulted in some of the biggest data breaches in history. And with the recent gigantic Anthem data breach, having air-tight security safeguards in place is paramount, as are having the proper protocols in place in the unfortunate event of a hack or breach.
Step #2 – Name a Privacy and Security Officer
Name one or two people who are knowledgeable on HIPAA compliance requirements for these roles. One of the most crucial aspects of being HIPAA compliant is ensuring that your data remains safe, secure, and most importantly, confidential. It makes sense that the person, or people, in charge of that data is an expert in the field. They can also help you set up air-tight policies (as mentioned in step #1 above) and implement the best possible procedures in case of an attack or system error.
Step #3 – Perform Periodic Vulnerability Reviews
You want to check and test your exposure to risk on a regular basis. If you find anything amiss, of course you need to correct it. Policies should be adjusted based on information from these assessments as well. After all, a chain is only as strong as its weakest link, so while even if the vast majority of your systems and are air-tight, it would only take one small mistake or oversight to cause massive problems. Hackers, cybercriminals, and even inadvertent employee mistakes could all spell major problems and possible violations if not shored up immediately.
Step #4 – Create a Specific Policy for Email
The HHS Office for Civil Rights, or OCR, has stated it wants to see user guidelines that are crafted to the particular situation, as exhibited by specific mobile and email policies. Interestingly enough, it does not state anywhere in the OCR regulations that PHI must only be sent and/or received via encrypted email, but it’s worth pointing out that your email system is HIPAA compliant and with the encryption of all messages. In addition, you can protect yourself from investigations with encrypted email.
In today’s world, email encryption is a relatively fast, easy, and painless process to implement, and many providers will offer it free of charge. It’s very much the time to look into, but if you decide that email encryption is not right for you at this point in time, you must at the very least inform your patients that asking for records through email puts them at risk.
Step #5 – Create a Specific Mobile Policy
Mobile devices are everywhere, and they get more omnipresent each and every year. Every side of the health care world, between providers and patients, uses mobile devices to check email and log into profiles. As such, it will greatly benefit you to create a strong policy to safeguard health data on mobile devices, such as smartphones and laptops, which are particularly susceptible to physical theft. The policy should address also what happens when a new device is added to or removed from the network.
Step #6 – Train Your Staff
While not everyone on your team must be an industry leading expert in the finer technicalities of HIPAA (save those hires for your Security and Privacy Officer positions, as mentioned in Step #2), it will behoove you if your staff is comfortably familiar with the basic parameters of HIPAA. It has been shown numerous times by numerous studies that employees are consistently one of the biggest risks to a company’s cybersecurity – usually through a lack of knowledge of the proper protocols. Nobody wants to be the cause of a HIPAA violation, so it’s in your best interest to provide training to any new people who join your staff and occasional reviews (some say every six months) for continuing employees.
Step #7 – Develop a Privacy Notice
Step #8 – Solidify Business Associate Relationships
Odds are your business isn’t an island – you have a team of business associates that you work with on a regular basis. Even though they aren’t full time employees, you still need to make sure they adhere to any policies you’ve set forth. Harking back to the chain analogy used in Step #3, if your associates aren’t a strong link, it’s a problem. You need to make sure that a strong business associate agreement is signed with all relevant parties – including those that handle PHI, such as shredding companies.
Step #9 – Establish a Protocol for Possible Breaches
It’s critical to have a step-by-step system whenever you think a breach might have occurred. Even the most safeguarded and up-to-date systems are susceptible to breaches, so always view cybersecurity as two sides to the same coin – it’s important to invest and spend time on infrastructure and policies that will help prevent breaches and other forms of attacks, but the flip side is to always know that a breach is always a distinct possibility.
“The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred,” noted Becker’s. “If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.”
Step #10 – Make Sure the Privacy and Security Policies are Followed
Preparation is only half the battle – and important half to be sure, but what good is the best-laid plans if they aren’t followed? Ensuring that they are actively followed is critical. It needs to be a part of your company’s DNA and breathed into each and every operation your company undertakes. In addition to making sure the policies are well-known and followed by all your team members and all business associates, it should also be known that failure to adhere to said policies come with penalties. Make sure the consequences of failing to comply with your HIPAA compliance policies are both well-known and strict enough to ensure your staff does everything possible to follow them.
Spotlight: HIPAA Technology Provider Questions
This section spotlights a recent and actual question-and-answer exchange we had with a prospective healthcare client – we’ve of course anonymized and edited it for privacy. For brevity, we’ll skip the introductions and jump right into the Q&A. We hope this gives you some insight into some of the more technical aspects of HIPAA compliance, and how any company worth your time will have strong answers to each of these types of questions.
Have you been independently audited against the OCR HIPAA Audit Protocol?
Yes, I have attached our HIPAA audit for your review.
What particular IT services meet HIPAA compliant security standards for protecting PHI?
The following services fully meet HIPAA complaint security standards with regards to Personal Health Information, or PHI: Fully Managed Hardware Firewall; Encrypted VPN’s; Intrusion Detection System; Fully Managed Daily Encrypted Backup; Private Dedicated Server Environment with Self-Encrypted Storage (Virtualized or Non-Virtualized); and Anti-Virus Software.
Do you have documented policies and procedures?
Yes, but the Policies and Procedures are Proprietary Information. We only release the HIPAA Audit, BAA, DR Document, and SSAE 16 (SOC 2, Type 1 & 2) audit. (All are attached.)
Are your employees trained?
Do you have a thorough BAA (Business Associate Agreement) with documented and communicated policies?
Yes, and it is attached for your review.
What is the difference between regular server hosting and HIPAA compliant server hosting (structure-wise)?
The only fundamental difference is that HIPAA Compliant Hosting requires an Intrusion Detection System. It also requires all of the services listed above in the question regarding services meeting PHI protection protocols. HIPAA compliant hosting can include a Virtualized Private Dedicated Server environment but it cannot include Public Cloud / Private Cloud hosting services.
Why is the HIPAA compliant server hosting more expensive than regular server hosting?
Because of the technologies listed above and because you cannot remove any of these items from the hosting platform as you can with a non-HIPAA hosting environment.
The Right HIPAA Information Technology Answers
Every healthcare company must ask for advice when they work with IT providers, since any issues with the provider would pose a risk to their patients’ health information. After all, even going through a minor HIPAA violation can be disastrous to a health care IT organization.
Atlantic.Net is a trusted HIT provider. Our clients trust us because we are experts on the subject and are fully transparent in all communications, as evidenced by this customer testimonial below:
“Atlantic.Net’s reputation for 100% up-time, their secure infrastructure and expertise in Healthcare IT were key components in finalizing our partnership,” said Complete Healthcare Solutions Vice President Joseph Nompleggi.
Feel free to contact us today to see if we can help you meet your HIPAA compliance needs with any of our award winning HIPAA-Compliant Hosting or Dedicated Hosting.
This article updated with the latest information January 8, 2019.
By Moazzam Adnan