HIPAA Compliance in Google Apps vs. Hosted Desktops

Posted by John Feucht on Aug 26, 2014 6:00:00 AM

Can you trust Google Apps with your healthcare organization’s data?

Google products are known for their power, usability, and low cost, so it’s no wonder so many small businesses, fed up with the hassle and headache of maintaining their own IT systems, have migrated onto Google’s popular suite of cloud-based productivity apps.

But compliance has always been a sticking point for businesses considering a move to Google Apps, especially for businesses in the healthcare field, beholden to the rules of the Health Insurance Portability and Accountability Act (HIPAA).

Topics: HIPAA

The Most Common HIPAA Myth: “Of Course We’re Compliant…”

Posted by John Feucht on Aug 21, 2014 6:00:00 AM

Whenever we audit or consult for clients in the healthcare industry, we always ask if they think they are HIPAA compliant. More often than not, the answer is, “Of course we are.” And more often than not, they’re wrong.

The most frequent reason small healthcare businesses fail to comply with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) is because they assume they are already compliant.

Topics: HIPAA

Why Cloud Solutions are Actually BETTER for HIPAA Compliance

Posted by John Feucht on Aug 19, 2014 6:00:00 AM

Your small medical practice doesn’t have much in common with mega-large hospitals and medical centers, except this: You’re as responsible for complying with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) as they are. You have to keep your patients’ personal health information—in all forms, hard copy and digital—as secure as they do.

That’s easy enough for the big guys, but you can’t afford the luxury of an on-site server room, a team of IT professionals, and a full-time compliance officer. Maintaining your medical practice’s computer system is just one of the many hats you wear. How can you achieve HIPAA compliance without overwhelming yourself or spending money you don’t have?

Topics: HIPAA

How to Reduce Your PCI Compliance Risk by Using an IT Partner

Posted by John Feucht on Aug 14, 2014 9:53:00 AM

Many small business owners are the ones obligated to wear the “IT hat” in their organization. And why not? When you’re a growing business, hiring IT help for daily operations just isn’t a high priority - or in the budget. Instead, with a little bit of research, many business owners feel they (or their office manager) can handle all the IT basics on their own or with on-call help.

But if your business transmits or stores credit card data, it is subject to PCI DSS compliance—and the do-it-yourself IT route gets complicated (and expensive) real fast.

Topics: PCI DSS

12 Steps to PCI DSS Compliance (Part 2)

Posted by John Feucht on Aug 12, 2014 7:14:00 AM

This is Part 2 in a 2-part series on the 12 requirements of PCI DSS. For Part 1, click here.

Last week we started our review of the first 6 of the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). Just to recap, these are the rules regarding information security that every business must follow if it wants to continue accepting credit or debit cards. Today we’ll be covering the final 6 requirements:

Topics: PCI DSS

12 Steps to PCI DSS Compliance (Part 1)

Posted by John Feucht on Aug 8, 2014 9:43:50 AM

This is Part 1 in a 2-part series on the 12 requirements of PCI DSS.

If you run a small business that handles credit and debit cards, your business is subject to the rules of the Payment Card Industry Data Security Standard (PCI DSS). Most small business owners know by now that they need to be PCI compliant—but many aren’t sure what the PCI DSS even is, never mind how to comply.

PCI DSS (Payment Card Industry Data Security Standard) was created to protect cardholder data and prevent credit card fraud by requiring all merchants or businesses who transmit, process, or store credit card data to use strong technical safeguards.

There are 12 main requirements outlined in the official standards. In this post, we’ll tackle the first six:

Topics: PCI DSS

HIPAA IT 101: 7 IT Requirements to Help Ensure You’re Compliant

Posted by John Feucht on Aug 5, 2014 3:24:34 PM

As a small business owner in the healthcare industry, just hearing the term HIPAA (aka the Health Insurance Portability and Accountability Act of 1996) may evoke some anxiety. While every business owner that I’ve worked with certainly wants to protect their clients’ sensitive health information (referred to as ePHI—electronic personal health information), most are unsure about the rules that are actually being outlined in HIPAA; they just know they need to be “HIPAA compliant.”

Fortunately, HIPAA allows for quite a bit of flexibility. The HIPAA Security Rule doesn’t actually put forth a list of strict, explicit requirements (a common misconception), rather it lists several general requirements, and leaves it up to the company to create and follow a policy that will meet those general needs.

Topics: HIPAA

8 Things Your Data Backup Needs to be HIPAA Compliant

Posted by John Feucht on Jul 24, 2014 6:00:00 AM

When I speak to clients in the healthcare field (medical practices, dental offices, health insurance administrators), there’s one topic that comes up again and again: HIPAA compliance. Business owners and managers want to know how to put the right technical safeguards in place to secure their customers’ protected health information (PHI)—and meet all the guidelines of the Health Insurance Portability and Accountability Act (HIPAA).

But even with the best of intentions, most struggle with HIPAA compliance. After all, they’re trying to run a business or serve their patients, not become full-time IT experts.

Topics: HIPAA

What is ISO 27001 and Why Does it Matter?

Posted by John Feucht on Jul 22, 2014 12:13:00 PM

If you’re a small business owner looking into data security options, it’s likely you’re hearing or reading quite a bit about ISO 27001. Data security standards can be quite confusing. Here’s a handy guide to help you better understand just what the ISO standards are (and why they matter to your business).

Topics: ISO 27001