Technical Requirements You May Not Understand
HIPAA compliance can be a mystery, and it is even more mysterious when you don't understand the technology. When you dig into the tasks and procedures needed to protect electronic data you will run into technical terms, and IT buzzwords, that are confusing. Here are some tips you can use to make sure your technology foundation is secure enough to support HIPAA compliance. Remember that HIPAA compliance, including a documented security risk analysis, is a fundamental requirement for earning and keeping your Meaningful Use incentive money.
Overview
HIPAA protects any combination of something that can identify a patient with anything related to their diagnosis or treatment, in any form: written, verbal, or electronic. The Security Rule provides the framework for protecting electronic Protected Health Information (ePHI). It was designed to be flexible enough to apply to health care organizations of all kinds and sizes, so each implementation specification in the Security Rule is marked either Required or Addressable. Addressable is often mistaken for Optional, which is not what it means. The US Department of Health & Human Services says "a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative."
Our advice, if you want to achieve HIPAA compliance, is to treat everything in the Security Rule as required and to set a very high bar before deciding not to implement an Addressable item. If you conclude that an Addressable specification is not reasonable or appropriate for your organization, you must document that decision, the reasoning behind it, and the alternative you implemented instead, and be prepared for it to be examined in a HIPAA audit or a data breach investigation.
Speak Geek?
If you don't understand the terms, contact an IT managed services provider to help you evaluate your network. When it comes to surviving a HIPAA audit or a data breach investigation, you need an IT professional. Like the specialists doctors refer patients to, and the tests they order to see what is happening under a patient's skin, your technology must be evaluated by someone with the right skills and experience, who looks deep into your network to identify its strengths and weaknesses. Make sure they understand the HIPAA compliance requirements you face; one way is to ask whether they employ a Certified HIPAA Security Professional.
Business-class operating system
When you turn on a computer the first thing you encounter is the operating system, usually Windows or Mac OS X. What you may not know is that Windows comes in several editions, and the consumer (Home) editions leave out security features to keep prices low. Home editions of Windows cannot manage BitLocker full-disk encryption to protect the files stored on the device, and cannot join an Active Directory domain, so they cannot be centrally managed with Group Policy or given controlled access to your network. You need a business-class edition (Professional or Enterprise), properly set up to encrypt stored data and to join the practice domain. Macs include FileVault encryption in every edition, but it still has to be turned on and managed. In practice this means you should not be buying retail store computers with consumer editions for your network; if you already have them, upgrade the edition before they touch ePHI. Make sure you achieve HIPAA compliance by purchasing professional models with business-class security. Also, Windows XP loses its security updates on April 8, 2014, which means that XP computers, and medical instruments with embedded XP computers, will no longer receive patches, will be very hard to justify under the Security Rule, and will be at high risk of being breached. Office 2003 is retired on the same date and carries the same risks.
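The checks above (business edition, supported version, encrypted system drive, domain membership, no Office 2003) can be run on each workstation from an administrator PowerShell prompt. The script below is an added example written for this page, not code from the original article; it assumes Windows 7 or later with PowerShell 2.0 or newer, and the BitLocker cmdlets that ship only with Professional and Enterprise editions (their absence is itself reported as a finding). The version threshold used for "unsupported" is an assumption set at the time XP and Server 2003 were retired; raise it as later versions reach end of support.

```powershell
# Added example: one-machine HIPAA workstation baseline check.
# Run elevated. Reports findings rather than fixing anything.

function Test-WorkstationBaseline {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Edition. The registry EditionID is "Core" for Home editions,
    #    "Professional" or "Enterprise" for business editions.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $edition = $cv.EditionID
    if ($edition -match '^Core') {
        $findings.Add("Consumer edition ($edition): no BitLocker management, no domain join")
    }

    # 2. Support status. Windows XP reports version 5.1 and Server 2003 reports 5.2;
    #    both lost security updates in 2014. Threshold is an assumption (see lead-in).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    if ($ver -lt [version]'6.0') {
        $findings.Add("Unsupported OS: $($os.Caption) ($($os.Version))")
    }

    # 3. Stored data. The system drive must have BitLocker protection switched on.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("System drive $env:SystemDrive is not BitLocker protected")
        }
    } else {
        $findings.Add("BitLocker cmdlets unavailable (typical of Home editions)")
    }

    # 4. Network. The machine should be joined to the practice domain, not a workgroup.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings.Add("Not domain-joined (workgroup: $($cs.Domain))")
    }

    # 5. Office 2003 registers itself under Office version 11.0.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Office\11.0') {
        $findings.Add("Office 2003 (11.0) registry key present")
    }

    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Edition   = $edition
        OSVersion = $os.Version
        Passed    = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-WorkstationBaseline | Format-List
```

Run it on every machine that stores or displays ePHI and keep the output with your risk analysis; a machine with `Passed : False` either gets fixed (edition upgrade, BitLocker enabled, domain join, Office upgrade) or gets a documented justification, which is exactly the Addressable decision record discussed above. Get-WmiObject is used instead of Get-CimInstance so the script also runs under the PowerShell 2.0 that ships with Windows 7 and can be installed on XP.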