If you work in the healthcare field, you’re probably somewhat familiar with the Health Insurance Portability & Accountability Act (commonly known as HIPAA). What you may not know is that every year, the U.S. Department of Health and Human Service (HHS) Office for Civil Rights (OCR) conducts a number of compliance audits to ensure that covered entities are fulfilling their duties to adequately protect patient health information as required by HIPAA. Starting this year, the list of entities that can be audited was expanded to include small practices (those with less than 15 employees), and since the audit selection process is random it is important for your practice to be ready at all times.While the thought of having your practice selected for a HIPAA OCR audit can be daunting, there are a few key steps that can go a long way in making sure you’re prepared should you get selected.
Document your IT Security Policy and Incident Response Plan
Having a documented security policy an and Incident Response Plan (IRP) is the first step in making sure you are ready for an audit. There are lots of good resources, like this template published by the American Institute of Certified Public Accountants, that provide specific sections geared towards HIPAA related incident response. The HealthIT.gov website also has a specific section for Health Providers and Professionals that includes valuable free resources for you to ramp up your polices quickly. The HHS already requires that practices notify clients when a data breach occurs, so make sure at a minimum your policy covers notification procedures.
Secure Employee Workstations and Devices
Workstations within your practice, especially those in examination rooms and other unrestricted area, must be properly configured to prevent unauthorized access. Access to any workstation should always require a username and password that is unique to each employee. Shared accounts and passwords should never be used. Team members must be trained to always lock the screen when leaving a workstation unattended. These systems should also be configured with a relatively short screen locking timeout in case the machine is inadvertently left unattended without locking the screen.
Full disk encryption should also be used to protect any stored information in the event that the machine is physically removed from the office. The use of disk encryption is especially critical for portable devices, like laptops or iPads. iOS has many built-in features that can help ensure your data stays protected in the event that the device is lost or stolen.
You'll also need to make sure that your local network has been secured. All servers. file shares, and wireless networks should require login with user-specific usernames and passwords. Be careful if your wireless network uses only a single “shared” password for WiFi access. Doing so could mean that anyone who leaves your practice can still gain access to the wireless network after they leave (unless you change the wireless password).
Use Encrypted Communication for transmitting PHI
When transmitting PHI electronically, HIPAA requires that appropriate administrative, physical and technical safeguards be in place to ensure the confidentiality, integrity, and security of electronic patient health information. Most commercial Electronic Health Records (EHR) systems are designed for compliance with these requirements, however there may be cases where you need to transmit information outside of these systems.
It’s a good idea to compliment your practice’s email system with a “secure” method for exchanging data for cases where information must be transmitted outside of the EHR system. Email and file transfer solutions that leverage end-to-end encryption are the best choice, since it guarantees that the information will remain confidential regardless of where it gets stored. Be careful when using cloud storage providers, like Box and Sharefile, which do not provide end-to-end encryption on the files you share. Keep in mind that just because a vendor is willing to sign a Business Associate contract, your practice will still be impacted negatively if a breach occurs. This is another reason why solutions which offer end-to-end encryption are the best choice for exchanging patient information outside of your EHR system.
Educate Your Staff
A well prepared practice does more than just follow the rules, they go above and beyond to ensure that they meet the desires of the HHS and the OCR. To do this, it's best to educate all of your staff of the HIPAA rules, specifically the Privacy Rules. Having well prepared and informed employees makes your practice prepared and knowledgeable on important topics in the industry, ones the OCR looks closely at. Hold informational sessions and provide literature on the HIPAA rules and be sure to enforce them regularly to instill the idea of safety and security in your professional atmosphere.
A key part of your education process should focus on IT security awareness to prevent against phishing scams and other common techniques used by digital thieves. It should come as no surprise that humans are usually the weakest link when it comes to IT security, so making sure your team is well versed on the current IT security threats can go a long way in keeping your practice secure.
SendSafely: Simple to Use End-to-end Encryption for Email and File Transfer
If you are a Heathcare Professional or Business Associate looking for a simple to use email encryption and secure file transfer platform, consider taking a look at SendSafely. Our enterprise platform integrates seamlessly with Microsoft Exchange and Google Apps for Business.