HIPAA is proving to be a very expensive proposition to implement.  From regular risk assessments to auditing access logs, the regulation does much to confuse physicians into non-compliance by complicating the requirements.  The following guidelines are just basics to get you started, do not rely on them as your sole basis for HIPAA compliance.  Following these guidelines may not give you complete compliance but they’re a great way to potentially avoid a very costly and disruptive audit.

HIPAA IT Compliance Basics For Small Clinics:

  1. Perform an annual risk assessment.  Whether your practice has received meaningful use funds or not, you should still have an annual risk assessment performed; this is required under the law.  If your practice has received meaningful use funds, CMS (Centers for Medicare & Medicaid Services) will be scrutinizing you much more closely.  Annual risk assessments run from $1,200 per location up to $6,000.  Find a reputable provider and have one done – it is a small price to pay compared to the fines that will mount up.
  2. Remediate your risk assessment.  After your risk assessment is performed, engage your IT provider to remediate the issues.  If they are not remediated, CMS or the OCR (Office for Civil Rights) will have no mercy on you if they find issues.
  3. Contract with a reputable, HIPAA-compliant IT provider.  It is very easy to determine whether an IT provider is going to be an asset or a liability.  An IT provider that is not HIPAA compliant does not know how to help you maintain your HIPAA compliance.  The law also requires your business associates to be compliant.
  4. Secure business associate agreements.  Ensure that all of your business associates have a current and compliant business associate agreement on file with you.  Secondly, ensure that they also know what it means to be a business associate.
  5. Update your Notice of Privacy Practices.  Since this is prominently posted in your lobby, it should be updated with the required wording.  Failure to follow this simple step could trigger an audit!
  6. Educate your team.  You must train your entire staff annually.  In addition, everyone who works at your office should, at minimum, know the answers to the following:
    • Who is your HIPAA Compliance Officer?  (This may also be your privacy or security officer.)
    • Where are the HIPAA Security & Privacy policies located?  (They can be stored in digital format.)
  7. Enforce sanctions.  If your sanctions policy is not followed, it may attract an auditor's interest.
  8. Be prepared.  If you find yourself in a position where you need to send the OCR or CMS your HIPAA Security & Privacy policies, be sure you can produce them by their deadline – their attorneys hate to wait.  They also hate having their fax machine tied up for hours, so make sure your policies are thorough!

HIPAA IT Basics:

  1. Use a privately hosted, HIPAA-compliant e-mail service.  Gmail is NOT AN OPTION; do not consider it, entertain it, or ponder it.
  2. Consider where your files are stored and whether the storage location is compliant.  If your files contain PHI, you need to know several things at all times:
    • Who accessed the PHI?
    • When was it accessed?
    • Was it modified?
    • What did it look like before it was modified?

    If you can’t answer these questions, chances are the service is not compliant.  Again, Google Apps is NOT AN OPTION.

  3. Know what “minimum necessary” is and practice it.  The “minimum necessary” standard simply means that users should only have access to the minimum amount of data required to do their jobs.  Appropriate system security policies should be in place to ensure this standard is met.
  4. Use unique usernames, strong passwords, and DON’T write them down.  Let’s face it, passwords are annoying, but they are absolutely necessary.  HIPAA requires that anyone who accesses your system be granted access via a unique username (so that #3 can be tracked) and with a unique password known only to them.  Remembering passwords can be challenging but not impossible.  Consider this funny cartoon on creating strong, easy-to-remember passwords.  If you must document the passwords, consider using a secure password vault such as KeePass or Pleasant Password Server.
  5. Backups need to be industrial-grade.  Take a moment to review our post regarding backups and then evaluate your current situation.  There are zero excuses for losing data these days.  Make sure you have a solid disaster recovery plan in place and test it regularly!  Depending on environmental factors, an online/offsite backup may be a requirement.
  6. Your network MUST be secure.  Inexpensive routers or those that come with your internet service are not appropriate in a HIPAA-regulated environment.  Additionally, wireless networks must be thoroughly scrutinized.  If you wish to provide free Wi-Fi as a courtesy to patients, take measures to secure it by segregating it from the clinic’s network.  All access (public and private) should be logged and reviewed regularly.  Sophos provides excellent protection and covers a network’s entry points with their UTM family of products.
  7. Use encryption when data is “in transit”.  If PHI must be transmitted across public networks or on storage devices, adopt an encryption policy.  According to experts, lost devices that are encrypted are (in cases where encryption methods are documented and followed) a non-event.
  8. Consider physical risks.  Items such as water heaters in the server room, unlocked doors, and network hardware out in the open (even active network ports in public areas) are a quick way to be compromised.  Be aware of these risks and take measures to remediate them – don’t become an anecdote.
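To make items 2 and 4 above concrete, here is an added example (not code from the original post or from any product it mentions): a constructed toy PHI store in Python whose audit trail can answer the four questions in item 2 (who, when, was it modified, what did it look like before) and which refuses any account that is not on its list of unique, authorized usernames (item 4).  The usernames and chart contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class AuditEvent:
    user: str                        # who (unique username, never a shared login)
    when: str                        # when (ISO-8601 timestamp, UTC)
    action: str                      # "read" or "write"
    record_id: str
    before: Optional[bytes] = None   # content prior to a write; None for reads/new records
    before_sha256: Optional[str] = None  # integrity hash of that prior content


class PHIStore:
    """Toy store (constructed for this example): every access leaves an AuditEvent."""

    def __init__(self, authorized_users: List[str]):
        self._authorized = set(authorized_users)  # the "minimum necessary" list of users
        self._records: Dict[str, bytes] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, user: str, action: str, record_id: str, before: Optional[bytes] = None) -> None:
        if user not in self._authorized:  # unknown or shared accounts are refused outright
            raise PermissionError(f"{user} is not authorized to access PHI")
        digest = hashlib.sha256(before).hexdigest() if before is not None else None
        now = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(user, now, action, record_id, before, digest))

    def read(self, user: str, record_id: str) -> bytes:
        self._log(user, "read", record_id)
        return self._records[record_id]

    def write(self, user: str, record_id: str, content: bytes) -> None:
        # Capture the previous version before overwriting so "what did it look like before?" is answerable.
        self._log(user, "write", record_id, before=self._records.get(record_id))
        self._records[record_id] = content

    def who_accessed(self, record_id: str) -> List[str]:
        return [e.user for e in self.audit if e.record_id == record_id]

    def was_modified(self, record_id: str) -> bool:
        return any(e.action == "write" and e.before is not None
                   for e in self.audit if e.record_id == record_id)

    def versions_before(self, record_id: str) -> List[bytes]:
        """Prior contents, oldest first, one entry per modification of the record."""
        return [e.before for e in self.audit
                if e.record_id == record_id and e.action == "write" and e.before is not None]
```

A real system would persist the audit log somewhere the users themselves cannot alter; here it lives in memory only to show which facts must be captured at each access.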

As I said before, this isn’t an exhaustive list (yet it is probably one of my longest blog posts) but it should get you well underway to compliance.  How do you get all the way?  Call us, we’ve got an excellent contact for a complete, turnkey HIPAA Compliance solution!