Is your medical office HIPAA compliant? Here are 8 HIPAA technical requirements you should address to avoid fines that could cost tens of thousands.
In recent years, there’s been cases of data leaks either through innocent cases losing a notebook or information to leak in the office. Tighter IT security measures and policies can help prevent unauthorized access to medical data. We’ve compiled a list in-line with the HIPAA and Omnibus technical requirements and regulations.
Review for HIPAA Compliance
- Assigning unique usernames– This helps to identify and track different users in Medical Office software containing patient health information.
- Contingency procedures for accessing medical data in an emergency– A well-documented procedure that can appropriately guide any authorized staff to access protected medical information.
- Logging off idle sessions– This is a good way to protect and minimize any unnecessary user load on the system, as well as preventing any potential unauthorized access to unattended endpoints.
- Encryption and decryption of data– Put into place an encryption and decryption process when accessing or externally sending out any sensitive medical information.
- Auditing systems– It’s strongly advised to run periodic audit controls on systems, including software, hardware, and not excluding, procedures, that use and hold confidential and sensitive medical information.
- EPHI Integrity– Prevent any alteration of destruction of protected medical information by implementing effective procedures and clear procedures.
- Authentication procedures– Authenticate authorized staff that are verified to be who they say they are and which are granted access to specific medical information.
- Securing external transmissions of data– Implement technical and updated security processes to protect data from unauthorized access, especially when transmitted via any type of electronic communications network.
Next Steps
Now that you have a better idea hipaa technical requirements within the IT portion of the HIPPA regulations. The next step is to take action and formulate your own policies and procedures.
Most changes in procedures can be delivered as onsite training for staff, which in our experience is very effective. You may have the best tools in the industry to protect data, however it is also what staff do within these procedures that matters. For example, staff may occasionally share usernames and passwords, or even write them down on a Post-It note and leave these on their desks, all of which are prone to social engineering types of compromises. Not only is this a risk, but it also makes it difficult to audit and trace any work or process carried out on endpoints.
For more ways to secure your medical office technology to ensure HIPAA compliance, contact your local IT professionals.
Thanks for the advice, which is yet again more of a reason that Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance, therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI, it’s really that simple.