If your experience is similar to that of most doctors who decide to take the plunge and start their own small medical practice, you probably had no idea how many non-medical things you have to take care of to ensure your fledgling business is setting out on the right foot. Securing a business loan, hiring a staff, finding office space and moving in—so much to do. Well, here’s another thing to worry about: compliance with the data security requirements of the Health Insurance Portability and Accountability Act (HIPAA).
When you’re the employee of a hospital or large healthcare network, HIPAA compliance is largely taken care of for you. When you own a small medical practice, the responsibility for protecting your patient’s sensitive health information (and protecting your own business from steep HIPAA penalties) rests squarely on your shoulders.
IT—computers, software, Internet connections, networks—is what makes most modern businesses run smoothly, and doubly so for medical practices, as paper-based patient records become a thing of the past. As you build your practice, choosing how to spend your IT investment is a huge decision. Part of the decision has to be ensuring that whatever configuration and vendors you go with, the protected heath information (PHI) of your patients is safe from falling into the wrong hands.
To help you make the right IT choices for your small medical practice, here is a checklist of the main HIPAA requirements for data security:
Area 1: Access Control
Access Control is tech-speak for the concept of allowing users access to the functions they need to perform their jobs—and none of the functions they don’t need. This limits the likelihood any user will jeopardize information security by using systems they have no business accessing. Here is what HIPAA requires in the area of access control:
- Unique user identifications. Every user on your system must have his or her unique login ID and you must be able to trace all activity back to one of these unique IDs.
- Emergency access procedure. There must be a plan in place to access the patient information you need in the event of an emergency. For example, to protect against a power outage, you could keep a fully charged laptop on hand equipped with a mobile hotspot.
- Offsite backups. In case all the data stored on servers or computers in your office is destroyed (by a natural disaster or otherwise) you must have up-to-date offsite backups ready to take over.
- Automatic logoffs. Your system should automatically log users off when their station is left unattended. This prevents unauthorized users from seeing information left open during somebody else’s session.
- Encryption. Digital information must be encrypted (basically, secured by a computerized secret code) as it’s transmitted within your practice.
Area 2: Audit Controls
When IT people talk about auditing, what they mean is the ability to record and examine activity by every user in every system. HIPAA prescribes no specific requirements for auditing, but a big part of complying with HIPAA is being able to determine when and if a security violation occurred. There are no requirements for how often audit reports should be reviewed or even what specific data should be gathered, but:
- A medical practice must keep, at minimum, basic audit reports.
- These reports should record when a totally unauthorized user (somebody outside the system entirely, like a hacker) logs in or attempts to log in.
Area 3: Integrity
Maintaining the integrity of your data means, from HIPAA’s point of view, that your data is neither altered nor destroyed except by someone who is authorized to do so.
- To maintain integrity, HIPAA requires that you have a mechanism to authenticate electronic protected health information (PHI). This could take the form of, for example, a function that can check the number of records in a database to ensure that nothing has been deleted without being properly accounted for.
- Backups are essential here, too, so you can recover any information that has been destroyed without authorization.
Area 4: Person or Entity Authentication
In the eyes of HIPAA, this is slightly different from the access controls requirements we discussed earlier. When we talk about person or entity authentication we’re talking about procedures that verify that a person (or entity) is who they say they are. All Internet users are familiar with this one. Think of the password you use to log in to your email or Facebook account.
- HIPAA’s minimum requirement is a password or personal identification number (PIN) that only the authorized user knows.
Area 5: Transmission Security
Transmission security refers to guarding against unauthorized access to protected information as it is being transmitted outside your practice—via email, over the web, etc. HIPAA’s requirements for transmission security include:
- Integrity controls. In this case, the integrity of the data means that it has not been modified during transmission. Standard network protocols should be used to ensure the data received is the same as the data sent.
- Encryption. Sending and receiving encrypted information to and from organizations outside of your practice can be tricky. For encryption to work, both the sender and receiver have to be using the same encryption and decryption method. For example a small medical practice like yours would have to encrypt patient information (like procedures performed) as it’s transmitted to and from insurance providers and other kinds of patient information (medications, for example) as it’s transmitted to and from another medical office. The encryption to and from the insurance office might be a different kind of encryption than to and from another medical office. So, the HIPAA requirement is to have in place as many kinds of encryption as necessary.
Find All This Overwhelming? Get Help
As you can see from this checklist, ensuring HIPAA compliance can be a monumental task for any owner of a small medical practice. And this is just the IT side. There are that aren’t strictly related to the IT tools you use, like drafting employee computer policies.
Often, your best bet it to find and work with an IT partner with special expertise in helping practices like yours achieve and maintain HIPAA compliance. This will allow you to move on to all the other things you need to do to establish your practice and keep it running. Call Envision IT today at 502-694-9446 to discuss how we can help your medical practice.