A HIPAA covered entity is more than just a doctor’s office or hospital – it’s any business that comes in direct contact with a patient’s PII (personally identifiable information). This includes not only medical providers but law firms dealing with medical cases, health insurance companies and medical billing services. HIPAA is a mindset, a set of policies and procedures that are followed for doing business. That being said, there are some areas in IT that a covered entity should focus on.
IT areas of focus for HIPAA compliance:
- Risk Assessment. Have one. It is required. Without one you can’t identify your vulnerabilities and you can’t address those vulnerabilities. This is your foundation for the HIPAA mindset.
- Archiving logs of user transactions and event notifications. Who did what, when and where? These are the questions that have to be answered! Staff is a lot less likely to steal PII if they think they are being watched. You know people are paid to steal PII, right?
- Secure e-mail implementation. Does your staff know how to send PII securely via e-mail? Use encryption if you need to send PII. Use a system that’s easy to implement.
- Regular operating system and application updates for all computers. Computers should be updated weekly, and servers at least monthly. It’s best to automate this process so it’s not forgotten. This automated process should provide notifications of which updates were successful and which were missed.
- Regularly scheduled vulnerability scans. Do them at least once a quarter and following any major IT changes. The vulnerability scan compares your IT environment to several reputable databases of vulnerabilities to identify issues that need to be addressed. Vulnerability software needs regular updates, so it should be subscription-based.
- Policies & Procedures. Do you maintain a set of policies and procedures for handling and protecting PII? Although IT is included, it covers all aspects of the office right down to locking doors to sensitive areas and minimizing the view visitors have of your paperwork and computer screens.
- Quality firewall device with intrusion prevention system (IPS). IPS is subscription-based protection that is updated as new IT threats emerge.
- Good password policy. So critical! This includes not only how complex the passwords are, but how they are stored and end-user training on how to manage them.
- Internet restrictions. Keep the office computers focused on the business, not on games, shopping sites or social media. All of those sites are rife with poor security that can lead to a breach of your data or a malware infection.
- Mobile device management. PII should not be on unsecured mobile devices. If you must use mobile devices, there is technology available to secure them.
- Laptop encryption. Windows 10 Pro includes encryption. A stolen or lost laptop is considered a breach. Even if you don’t think you store PII on that laptop, it is used to access email and cloud apps where PII is kept. So encrypt it.
- Endpoint Protection. This includes your paid antivirus/antimalware, two-factor authentication for e-mail and electronic records, and encryption for e-mails.
- Physical security. Keep the server room locked! Desktops should be locked down with password protection if left unattended. Can patients wander behind the counter and have easy access to patient information lying around?
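The log-archiving item above asks “who did what, when and where?” The script below is an added illustration of how a small office can actually answer that question from an archived audit log; it is not code from Next Century Technologies or HIPAA Secure Now!. The CSV log format, the user names and the patient IDs are all constructed for this example (a real EHR or practice-management system has its own export format), and the business-hours window and “bulk access” threshold are assumed values you would tune to your own office.

```python
"""
Audit-log review for a HIPAA covered entity (added example, not vendor code).

Demonstrates three things an archived user-activity log lets you do:
  1. reconstruct the access history of one patient record (who/what/when/where),
  2. flag activity outside business hours,
  3. flag users who touched an unusually large number of distinct records.
"""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Constructed sample audit log. Columns are assumed; real systems differ.
SAMPLE_LOG = """\
timestamp,user,action,patient_id,workstation
2024-03-04T09:12:03,jsmith,VIEW,P1001,FRONTDESK-1
2024-03-04T09:15:44,jsmith,VIEW,P1002,FRONTDESK-1
2024-03-04T13:40:10,dr_lee,UPDATE,P1001,EXAM-3
2024-03-04T23:05:21,mbrown,EXPORT,P1003,BILLING-2
2024-03-04T23:06:02,mbrown,EXPORT,P1004,BILLING-2
2024-03-04T23:06:40,mbrown,EXPORT,P1005,BILLING-2
2024-03-04T23:07:15,mbrown,EXPORT,P1006,BILLING-2
2024-03-04T23:07:58,mbrown,EXPORT,P1007,BILLING-2
"""

# Assumed office hours; adjust to the covered entity's actual schedule.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_log(text):
    """Parse the CSV audit log into event dicts, adding a datetime 'when' field."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["when"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def access_history(events, patient_id):
    """Answer 'who did what, when and where' for a single patient record,
    oldest event first."""
    return [
        (e["user"], e["action"], e["timestamp"], e["workstation"])
        for e in sorted(events, key=lambda e: e["when"])
        if e["patient_id"] == patient_id
    ]


def flag_after_hours(events, start=BUSINESS_START, end=BUSINESS_END):
    """Return events recorded outside the business-hours window."""
    return [e for e in events if not (start <= e["when"].time() < end)]


def flag_bulk_access(events, threshold=5):
    """Return {user: number of distinct patients} for users who touched at
    least `threshold` different records in the log."""
    patients_by_user = defaultdict(set)
    for e in events:
        patients_by_user[e["user"]].add(e["patient_id"])
    return {u: len(p) for u, p in patients_by_user.items() if len(p) >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)

    print("History for P1001:")
    for who, what, when, where in access_history(events, "P1001"):
        print(f"  {when} {who} {what} from {where}")

    print("After-hours activity:")
    for e in flag_after_hours(events):
        print(f"  {e['timestamp']} {e['user']} {e['action']} {e['patient_id']} from {e['workstation']}")

    print("Bulk access (>= 5 distinct patients):")
    for user, count in flag_bulk_access(events).items():
        print(f"  {user}: {count} patients")
```

Run against the constructed log, the review shows that P1001 was viewed at the front desk and later updated in an exam room, and that one billing user exported five different records late at night. Neither finding proves wrongdoing, but both are exactly the kind of event a reviewer should be able to pull from the archive when a patient or auditor asks, which is the reason the logs have to be kept in the first place.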
Where can I find help with HIPAA?
Next Century Technologies has teamed up with HIPAA Secure Now! to bring comprehensive HIPAA compliance solutions and advice, at a reasonable price, to establishments that fall under HIPAA.
Call us at 859-245-0582 or reach out to us online.