Archive Monthly Archives: March 2015

Security Newsletter: HIPAA Compliance

If you work in the health industry, then you're familiar with HIPAA (Health Insurance Portability and Accountability Act). HIPAA exists to protect the private health information and the rights of healthcare patients. It is enforced through audits and by keeping track of the entities that fall under its umbrella.


What puts you under HIPAA's umbrella? If you're considered a

- health plan provider

- healthcare clearinghouse or

- health care provider

then you fall under HIPAA's jurisdiction, and its policies can be enforced on you. Put simply, if you keep patient charts and insurance information in your office, HIPAA wants to make sure you're handling it correctly.


Really, there are three categories of safeguards that HIPAA enforces: Physical, Administrative and Technical. Obviously, since I'm an IT guy, we'll be focusing on the technical guidelines. Now keep in mind that people spend a lot of time keeping up with constantly changing HIPAA regulations.

I'm not one of those people.

So we're going to be dipping our toes into the deep pool of HIPAA technical regulations by briefly going over the four main points of the technical safeguards.


- Access Controls

This has to do with making sure that all access to data is protected with strong passwords. HIPAA likes to see policies in place that enforce strong passwords and that require you to change your password every 60 to 90 days. Also, if a laptop leaves the office with patient information on the hard drive, the hard drive needs to be encrypted.


- Audit Controls

HIPAA wants to see that every time someone logs in or out of the system and does something to the data, there is a log that records it. Windows natively does a good job of logging that stuff. And typically, if you're using medical software for patient records, that is usually built in.


- Integrity

Here they're talking about the integrity of the data. HIPAA wants to see that you've taken good steps to protect the data and make sure that any changes to the data are ones you meant to make. Things like good and secure backups, a RAID to create redundancy and solid anti-virus are good examples.


- Person Authentication

This shows efforts to ensure that the person gaining access to the system is actually who they say they are. Things like not allowing people to share usernames and making sure only certain employees have keys to locked doors are things HIPAA likes to see here.


- Transmission Security

And finally, in this section HIPAA wants to see that any patient information that changes hands does so securely. If it's emailed, the email needs to be encrypted. If it's through the cloud, it needs to be through a VPN. If it's on a DVD, it needs to be password protected. I think you get the idea.


HIPAA means business. They say that the privacy and rights of a healthcare patient are important to them, and they're not afraid to fine you or bring legal charges against you if they feel you pose a significant threat to that. I hope this has been helpful. If time goes by and you see that they have changed their stance on anything I've said, please message me so I can keep this up to date.
