Are You Adhering to HIPAA Security Policies? What Your Small Practice Needs to Know.

To ensure HIPAA compliance and avoid heavy fines, your practice must develop internal policies and procedures supporting all aspects of HIPAA legislation. It is your responsibility to train staff in implementing and following HIPAA policies and procedures enforced by the U.S. Department of Health and Human Services. At any time, your business may be audited and will need to prove compliance to avoid material fines and potential criminal charges.

What are the requirements set forth under HIPAA regulation?

  1. Covered entities must put in place safeguards to protect private health information and ensure they do not use or disclose patient health information improperly.
  2. Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
  3. Covered entities must have procedures in place to limit who can view and access health information as well as implement training programs for employees about how to protect health information.
  4. Business associates of your practice also must put in place safeguards to protect patient health information and ensure they do not use or disclose it improperly.

How can you protect your business against HIPAA violations and fines? For most small to mid-sized businesses, hiring a managed service provider experienced with HIPAA is the most reliable and cost-effective way to ensure compliance.

Your service provider will assist you in establishing:

  • Physical safeguards that limit and control facility access so that no one enters without appropriate authorization. This includes establishing company policies about use of and access to workstations and electronic media, including transferring, removing, disposing of and re-using electronic media and electronic protected health information.
  • Technical safeguards that allow only authorized persons to access electronic protected health data. Your managed service provider will set up access controls including unique user IDs, an emergency access procedure, automatic log off, and secure data encryption and decryption.
  • Auditing reports and detailed tracking logs containing comprehensive records on hardware and software activity.
  • IT disaster recovery plans and offsite backup appliances. Having a backup server and a detailed business continuity plan is key to ensuring that any electronic media errors or failures can be quickly remedied and patient health information can be recovered within minutes of a server crash.
  • Transmission security safeguards, required by HIPAA, that protect against unauthorized public access to electronic protected health information (ePHI). This encompasses all methods of transmitting data, whether by email, over the Internet, or even over a private network, such as a private cloud-based server.