HIPAA Compliance for Medical and Dental Practices

The Health Insurance Portability and Accountability Act (HIPAA) requires medical and dental practices to take the necessary measures to ensure the protection of PHI, since they are considered covered entities under HIPAA.
HERE ARE SOME ITEMS THAT YOUR PRACTICE MUST HAVE IN PLACE
- Training – All employees should be fully trained on HIPAA policies and guidelines, and on the standard operating procedures your office adopts for managing compliance.
- Risk Assessment – The requirement for Covered Entities and Business Associates to conduct a HIPAA risk assessment is one of the Administrative Safeguards of the Security Rule. This is an internal process that documents all of your potential risks to data and outlines processes to mitigate each of those risks.
- End Of Life Software and Hardware – According to HIPAA compliance regulations, running unsupported software and hardware poses a significant security risk to your healthcare business. End-of-life (EOL) software and hardware should be part of an asset management and change management process to reduce patient care interruptions and financial risks.
- Software Maintenance – The operating system, devices and all software in general used by the practice need to be kept up to date. Applying software patches is as important as updating the virus definitions of anti-virus software; failing to update in a timely manner can leave whole networks open to hackers and cybercriminals.
- Physical Access – Devices containing PHI should be protected from unauthorized use and potential theft. Your servers should be secured on a rack or in a proper enclosure, and the practice should implement methods to track who enters the room where the server is located, and when.
- Network – Your network must have an appropriate firewall to defend your systems from external threats and to limit internal access. Wireless networks should have proper physical, technical and administrative safeguards.
- Mobile Devices – The practice must have policies and procedures in place to prevent unauthorized use, ensure that data cannot be altered or destroyed, and provide controls that allow devices to be audited.
- Passwords – Each employee should have unique authentication credentials, and the company should implement procedures for creating, changing and safeguarding passwords.
- Account lockout requirements – Under the technical safeguards of the HIPAA Security Rule (§164.312) there is an addressable implementation specification under which covered entities should implement electronic procedures that terminate an electronic session after a predetermined period of inactivity.
- Secure Electronic Workstations – Screen privacy filters or other means to obscure monitors should be installed in more public areas, like reception desks. Easily visible monitors in the patient waiting room can lead to a HIPAA violation if a patient decides to look at another patient's information.
- PHI Disposal – HIPAA requires that you train your employees on how to dispose of Protected Health Information (PHI); the rules also apply to the proper disposal of equipment and media containing PHI.
- Logs and Monitoring – HIPAA demands that logs are kept recording when critical data is accessed, from where, by whom, and what was done on the system. Computers must be routinely scanned to detect vulnerabilities and to proactively resolve issues; continuous monitoring is required to maintain the security of your computers, network and systems.
- Email and Cloud Storage – HIPAA rules require covered entities to properly implement access, auditing and integrity controls. Storing or sending medical records should be done using a properly configured HIPAA-compliant application and a secure provider, in order to restrict access to, monitor and secure PHI.
- Antivirus – You need a good managed business antivirus. Make sure it is monitored, full scans are properly scheduled, program and virus definitions are updated on a daily basis, and alerts are configured.
- Disaster Recovery Plan – Organizations must develop a HIPAA disaster recovery plan as part of this implementation process, and redundancy should be in place for all critical systems.
- Employee Termination Policies – A HIPAA compliance plan should include protocols for deleting user accounts, changing keys, alarm codes, etc., when a user is terminated.
- HIPAA Compliance Officer – Your full-scope plan for managing PHI should be written and available to the US Department of Health and Human Services on request. Also, an employee should be designated as the HIPAA compliance officer. This person should ensure that all employees understand the plan, and should hold everyone accountable for preventing HIPAA breaches.
- Breach Notification Law – The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
- Contracts – For HIPAA compliance, your practice should have a contract on file with any business associate who is granted access to your patients' files. The contract should clearly state how the associate is permitted to handle your patients' protected information. It should also stipulate how they will protect the information, and include an explanation of the actions you require them to take in the event of a HIPAA breach.
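Two of the items above describe concrete technical behaviour rather than policy: the session-termination specification under "Account lockout requirements" and the access records under "Logs and Monitoring" (when, from where, by whom, what was done). The following is an added illustration, not code from the original page or from ITGLOBAL, of how a practice application could implement both together: an idle-session timeout that automatically logs the user off, and an audit log entry for every login, PHI access and automatic logoff. The 10-minute timeout, the user name, IP address and patient identifiers are constructed assumptions; a real practice would set the timeout from its own risk assessment and write the audit records to tamper-evident storage.

```python
"""Added example (not part of the original page): idle-session timeout plus
access audit log, illustrating the automatic-logoff specification and the
access-logging requirement described in the checklist. All names, the
10-minute timeout and the sample activity are constructed assumptions."""

import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 10 * 60  # assumed policy value; each practice sets its own


@dataclass
class Session:
    user: str
    source_ip: str
    last_activity: float
    active: bool = True


class SessionManager:
    """Tracks sessions, expires idle ones and records every PHI access."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so the scenario below can control time
        self.sessions: dict[str, Session] = {}
        self.audit_log: list[dict] = []

    def _record(self, event: str, user: str, source_ip: str, detail: str) -> None:
        # One audit record per event: when, who, from where, and what was done.
        self.audit_log.append({
            "time": self.clock(), "event": event, "user": user,
            "source_ip": source_ip, "detail": detail,
        })

    def login(self, session_id: str, user: str, source_ip: str) -> None:
        self.sessions[session_id] = Session(user, source_ip, self.clock())
        self._record("login", user, source_ip, "session opened")

    def access_record(self, session_id: str, patient_id: str, action: str) -> bool:
        """Return True if the access is permitted and logged; False if the
        session is unknown, already closed, or has exceeded the idle timeout
        (an expiry is logged as an automatic logoff)."""
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            return False
        now = self.clock()
        if now - session.last_activity > self.idle_timeout:
            session.active = False
            self._record("auto_logoff", session.user, session.source_ip,
                         "session terminated after inactivity")
            return False
        session.last_activity = now
        self._record("phi_access", session.user, session.source_ip,
                     f"{action} patient record {patient_id}")
        return True

    def active_users(self) -> list[str]:
        return [s.user for s in self.sessions.values() if s.active]


def demo() -> list[dict]:
    """Constructed scenario: a user works, then leaves the workstation idle."""
    fake_now = [1_700_000_000.0]          # constructed clock value
    mgr = SessionManager(clock=lambda: fake_now[0])
    mgr.login("sess-1", "dr.example", "10.0.0.15")   # constructed values
    assert mgr.access_record("sess-1", "PAT-001", "view")
    fake_now[0] += 5 * 60                 # 5 minutes later: still within timeout
    assert mgr.access_record("sess-1", "PAT-001", "update")
    fake_now[0] += 11 * 60                # 11 more idle minutes: auto-logoff
    assert not mgr.access_record("sess-1", "PAT-002", "view")
    return mgr.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running the script prints four audit records: the login, two permitted accesses, and the automatic logoff that blocked the third access attempt. The timeout check happens on each access rather than in a background timer, which keeps the example self-contained; a production system would also end the session proactively so an unattended screen does not keep displaying PHI.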
ITGLOBAL provides specialized IT services and support for medical and dental practices maintaining compliance with all HIPAA standards and requirements.
Please complete the following form to be contacted by one of our specialists.