HIPAA IT 101: 7 IT Requirements to Help Ensure You’re Compliant

Posted by John Feucht on Aug 5, 2014 3:24:34 PM

As a small business owner in the healthcare industry, just hearing the term HIPAA (aka the Health Insurance Portability and Accountability Act of 1996) may evoke some anxiety. While every business owner that I’ve worked with certainly wants to protect their clients’ sensitive health information (referred to as ePHI—electronic personal health information), most are unsure about the rules that are actually outlined in HIPAA; they just know they need to be “HIPAA compliant.”

Fortunately, HIPAA allows for quite a bit of flexibility. The HIPAA Security Rule doesn’t actually put forth a list of strict, explicit requirements (a common misconception), rather it lists several general requirements, and leaves it up to the company to create and follow a policy that will meet those general needs.

1. Redundancy

HIPAA dictates that IT resources holding ePHI be available whenever they are needed. This means creating contingency plans and building in redundancies so that you can still access your data in case of an emergency.

2. Up-to-date backups

This includes backups of the systems and their logs. If there’s a system failure, will you be able to restore needed data and files? HIPAA only requires that you back up your data – how often is up to you. For most organizations, you should be backing up your systems daily at a bare minimum.

3. Encryption

This means protecting health information by using an encryption algorithm that renders data useless to anyone without the key needed to decrypt it. That way, even if a malicious party is able to intercept the data, they still won’t be able to read it.

4. Restricted physical access

It’s not only the virtual components of your IT infrastructure that need to be secure. The physical components need to be reasonably guarded against outside access, as well.

5. Access control and validation

There should be controls in place to restrict who can log on and what data they can access. Access to sensitive data should only be granted to employees who need it to perform their job duties. In addition, access should be revoked immediately when an employee leaves the company.

6. Logs—of everything

Logging and audits are a major part of HIPAA compliance. HIPAA doesn’t specify an exact length of time for keeping logs, so each business has to decide for itself what’s appropriate.

7. It’s not all IT

Remember, HIPAA compliance goes beyond IT. Even with technical safeguards in place, the weakest link in security is often human error. Train your employees in your HIPAA compliance policies, and make sure they understand the serious penalties for disclosing ePHI inappropriately.

If you’re looking for a way to achieve HIPAA compliance without too much of a headache on your part, consider moving your IT system to the cloud, where HIPAA compliance can be ensured and kept up-to-date by an expert provider. Read all about this option in our free guide, “HIPAA Compliance in the Cloud with a Hosted Desktop Solution.”
