5 HIPAA Standards & 5 New HIPAA Regulations For Medical Offices In Washington
Patient privacy and data security have been concerns for medical practices in Washington since 1996. That’s when HIPAA became a regulation that was strictly enforced by the U.S. Health and Human Services (HHS). In 2009, the HITECH Act was added. Finally, in 2013, the Omnibus Rules were implemented. These resulted in considerable changes in the way medical practices transmitted and stored electronic Protected Health Information (ePHI), with hefty fines and penalties for those who didn’t comply.
Adhere To These 5 Standards
There are five overarching standards discussed within the HIPAA Technical Safeguards that you must comply with:
- Access Control – Giving users rights and/or privileges to access and perform functions using information systems, applications, programs, or files.
- Audit Controls – Hardware, software, and/or procedural mechanisms that record and examine information system activity that contains or uses ePHI.
- Integrity Controls – Implementing policies and procedures for ePHI protection against alteration or destruction.
- Person or Entity Authentication – Ensuring a person’s identity before giving him or her ePHI access.
- Transmission Security – Guarding against unauthorized ePHI access when data is transmitted over an electronic communications network.
Comply With The HIPAA Security Rule
The HIPAA Security Rule offers a framework to protect ePHI. HIPAA regulations mandate that any patient identifiers in written, verbal, or electronic form be protected.
The Security Rule was enacted to be flexible in order to apply to all types and sizes of healthcare organizations. The rules fall under two categories: Required and Addressable. The Addressable category is sometimes mistaken for optional – it’s not.
The US Department of Health & Human Services says:
“a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”
For your practice to achieve HIPAA compliance, everything in the Security Rule must be complied with, including the way you handle electronic health information. This means that you should set a high bar if you don’t implement an item that’s Addressable. In this case, you must document your decision for HIPAA.
However, there are many other considerations when it comes to information technology. You could still be in non-compliance when undergoing a data breach investigation or HIPAA audit if you’re not up-to-date with HIPAA Rules.
Comply With These 5 Newer HIPAA Rules
There are many practices in Washington that aren’t 100 percent compliant. This is because they aren’t informed about the newer rules that must be complied with. The following are newer regulations that you may not be aware of.
1. Encrypt Patient Data.
Encryption is an effective way to protect your data and emails from intruders. It uses an algorithm to encode information. Cloud storage encryption ensures that documents are safely stored so that only authorized users can decrypt them. Even if your data is intercepted by cyber thieves, they won’t be able to read it. By practicing secure encryption key management, your IT service company can ensure that only authorized users will have access to your sensitive data.
However, because HIPAA defines encryption as an “addressable” concern (meaning that if it’s reasonable and appropriate, you must do it), some don’t believe that it’s required. Again, it is. Encrypting your data is both reasonable and appropriate. Ask your IT service provider about the best ways to encrypt your patient data. Remember, you must encrypt it both in transit and at rest.
And if a laptop that contains ePHI is lost or stolen, you’ll be in noncompliance unless the data AND device are encrypted. If they aren’t, it’s mandated that you report the loss to the federal government for investigation and contact all of the patients whose data was stored on the device.
If the data AND device are encrypted and they’re lost, you won’t have to report this to the authorities or to your patients. And remember that your IT provider can deploy Mobile Device Monitoring to wipe the data from a lost machine. They can also direct you to laptops that automatically self-encrypt when you turn them off or close the lid.
2. Back Up Patient Data Regularly.
Believe it or not, few medical offices realize that there are numerous HIPAA regulations that specifically address the need to back up patient data. Plus, your backups must be encrypted, and you must be able to readily recover and restore any lost data. ePHI must be backed up offsite, and backups must be tested for reliability on a regular basis. Unless your backups are stored on encrypted hard drives and removed from the office on a regular basis, you will be in noncompliance of HIPAA and exposed to data breaches.
Data breaches are devastating for a medical practice. When this happens, in addition to notifying the authorities, you will need to notify all patients in writing and notify the local media. Your practice will also be listed on the HHS Breach Portal (Wall of Shame).
3. Don’t Send ePHI Over Email Or In Text Messages.
If you’re using webmail services like Gmail, Hotmail, Yahoo!, or those provided by your Internet Service Provider (ISP), you could be in breach of HIPAA regulations. These solutions aren’t encrypted nor are they secure enough for sending ePHI as they don’t provide end-to-end email security. When you send an email to another office this way, it doesn’t go directly to that person; it gets sent to multiple servers before reaching the final destination. Nor will these services sign the Business Associate Agreement (BAA) that HIPAA requires.
To ensure you comply with HIPAA regulations, you need to use one of the following:
- A secure email solution and server that you own;
- An email encryption service from a provider who will sign a BAA; or
- The communications tools in your secure and certified Electronic Health Record (EHR) system.
Faxes are fine to use with business associates and entities that also comply with HIPAA unless your system converts the fax into an email, but they shouldn’t be sent to a webmail account. And texting isn’t secure or HIPAA-compliant if you use a cellphone carrier’s system. Neither you nor your staff should ever text ePHI or other patient information. And be sure that the answering service you use doesn’t send texts containing patient information. Remember, when your practice sends ePHI, you must encrypt your outbound emails. Your IT service company can help you do this.
4. Restrict Access To Patient Information.
You must ensure only authorized people can access patient information. And you must keep logs detailing who has access, when they accessed it, what they did with that data, etc.
Make sure that your computers are on Auto-Lock. HIPAA regulations require audit trails to identify which users are accessing and have accessed patient health records. This means that you must enforce security controls like having users log on and off by themselves, prohibiting the sharing of passwords, or piggy-backing (where multiple employees use a computer during a single session).
Automatic Logoff is also in the Addressable category under HIPAA, but the alternatives are expensive and very inconvenient. While you don’t have to do this, you must NEVER leave an unlocked computer when a patient is in the room. A doctor, assistant or staff member must be in the room at all times when a computer is unlocked and a patient is present.
If Automatic Logoff seems too annoying to you, remember that there are convenient ways to log on. Your Managed IT Provider can help you with this. They can make sure the computers you use have fingerprint readers or proximity cards.
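As an added illustration (not code from this article or from any EHR vendor), here is one way an audit trail could be reviewed for the problems described above. The log format, event names, and the 10-minute auto-lock threshold are all assumptions made for the example.

```python
from datetime import datetime, timedelta

AUTO_LOCK = timedelta(minutes=10)  # assumed office policy, not a value set by HIPAA

# Constructed sample audit trail: timestamp, workstation, user, event, record id
SAMPLE_LOG = """\
2024-03-04T09:00:00 EXAM1 drsmith LOGON -
2024-03-04T09:02:00 EXAM1 drsmith VIEW_RECORD P-1001
2024-03-04T09:40:00 EXAM1 drsmith VIEW_RECORD P-1002
2024-03-04T09:45:00 FRONT1 drsmith LOGON -
2024-03-04T09:46:00 FRONT1 drsmith VIEW_RECORD P-1003
2024-03-04T09:50:00 EXAM1 drsmith LOGOFF -
2024-03-04T10:00:00 FRONT1 drsmith LOCK -
2024-03-04T10:30:00 FRONT1 drsmith UNLOCK -
2024-03-04T10:31:00 FRONT1 drsmith VIEW_RECORD P-1004
2024-03-04T10:35:00 FRONT1 drsmith LOGOFF -
"""

def review(log_text, auto_lock=AUTO_LOCK):
    """Return findings as (kind, user, workstation, timestamp) tuples."""
    findings = []
    last_seen = {}  # (workstation, user) -> last activity while unlocked
    active = {}     # user -> workstations with an open session
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, _record = line.split()
        when = datetime.fromisoformat(ts)
        key = (host, user)
        if event == "LOGON":
            # Same account already logged on elsewhere: possible shared password
            if active.setdefault(user, set()) - {host}:
                findings.append(("CONCURRENT_SESSION", user, host, ts))
            active[user].add(host)
        elif event == "VIEW_RECORD":
            prev = last_seen.get(key)
            if prev is None:
                # Record opened while the screen was locked or logged off
                findings.append(("ACCESS_WITHOUT_SESSION", user, host, ts))
            elif when - prev > auto_lock:
                # Idle longer than the policy, yet no lock or re-authentication
                findings.append(("NO_AUTO_LOCK", user, host, ts))
        if event in ("LOCK", "LOGOFF"):
            last_seen.pop(key, None)
            if event == "LOGOFF":
                active.get(user, set()).discard(host)
        else:
            last_seen[key] = when
    return findings
```

Running `review(SAMPLE_LOG)` flags the 38-minute idle gap on EXAM1 and the second logon from FRONT1 while the EXAM1 session was still open.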
In addition to ePHI, the Privacy Rule includes non-electronic data. Don’t leave patient charts and files lying out unattended. Don’t throw away old charts in the trash.
5. Set Up A Business-Grade Firewall.
To access the Internet, you need a router or firewall. A router and firewall both direct traffic between two networks – your internal network and the Internet. A firewall also comes with security features. But this doesn’t mean that you should run out and purchase just any firewall.
A business-grade firewall can block unauthorized access. It will also filter the traffic from the Internet to prevent viruses and malware from getting into your computers. This is required for HIPAA compliance.
A Managed IT Service Provider can set this up properly, plus they can employ Remote Management and Monitoring that offers continual monitoring and maintenance of your network for security and reliability, and apply required updates and patches.
Ensure Your Practice Meets All The New HIPAA Requirements – Work With A Managed IT Service Provider
Practices that are interested in improving HIPAA compliance should consider working with a Managed Service Provider who is experienced in what medical practices in Washington require.
Managed Service Providers like Philantech3 offer everything discussed above and more. We specialize in providing HIPAA compliant IT services and solutions to medical practices in Washington. Plus, we will provide a signed Business Associate Agreement for your records as is mandatory for HIPAA compliance.
I am an IT professional with a broad depth of knowledge and experience as an IT planning consultant, with previous experience as a network engineer. I have 14+ years in the industry providing sustainable technology solutions for small to medium-sized businesses. I personally thrive on making systems more efficient and I am continually interested in ways to innovate using technology applications. I enjoy working closely with colleagues and clients to collaborate and provide a best fit solution for all IT-related needs. More recently I have assisted my workplace with an implementation of the Entrepreneurial Operating System (EOS) in the “Integrator” role, where I have assisted with optimizing company operations and improving cross-departmental functional systems.