Does Your Healthcare Organization Understand & Meet HIPAA Regulations & Rules?
As information technology continues to evolve, patient privacy becomes an increasingly important concern for healthcare organizations. When you transfer patient information in digital format, there is a wide range of risks to consider, including physical damage to computers, corruption by malware, and data theft through unauthorized access.
ECW Computers is here to clear up the confusion! If you’re not sure if you’re meeting HIPAA regulations and rules, we’ll help you understand what HIPAA compliance is all about! To learn more, read on or give us a call at {phone}.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted to identify whether a healthcare organization was properly securing patient information. Essentially, HIPAA was enacted to ensure the confidentiality and security of patient records while developing standards for the healthcare industry.
So who does HIPAA apply to? In short, HIPAA applies to any healthcare provider or covered entity, including business associates, that electronically stores or transmits confidential health information about patients. As a healthcare provider or covered entity, it’s fundamental to establish:
- Appropriate physical, technical, and administrative safeguards for electronic protected health information.
- A data backup plan, a disaster recovery plan, and an emergency mode operation plan.
What happens to healthcare organizations and covered entities that don’t secure their electronic protected health information? Under the HITECH Act, there are civil penalties for willful neglect of up to $250,000, and up to $1.5 million for repeat or uncorrected violations. In addition, criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in prison.
Fortunately, if you’re in compliance with HIPAA and securing electronic protected health information, you’re able to avoid these penalties while ensuring a high level of trust and confidence amongst your patients.
All About the HIPAA Security Rule…
Many healthcare organizations have questions about the HIPAA Security Rule – and we’re here to answer those questions! First of all, the HIPAA Security Rule applies to protected health information in electronic formats. Under the HIPAA Security Rule, healthcare organizations and covered entities are required to:
- Ensure the confidentiality, availability, and integrity of all electronic protected health information that’s created, maintained, or transmitted.
- Protect all electronic protected health information against anticipated threats or hazards to the security of the information.
- Safeguard against any anticipated use or disclosure of electronic protected health information.
While following the above requirements, healthcare organizations and covered entities may use a flexible approach to implementing safeguards and security measures; however, the following factors must be considered:
- The organization’s size, complexity, and capabilities.
- The technical infrastructure, hardware, and software capabilities.
- The budget and the costs of security measures.
- The probability of potential risks.
In addition, healthcare organizations and covered entities must create a contingency plan so they are prepared for emergencies, such as viruses, malware, or natural disasters, that result in data loss. When creating a contingency plan, it’s fundamental to establish and implement policies and procedures for responding appropriately to a disaster.
So how does a healthcare organization or covered entity create a contingency plan? Well, the plan must be implemented to include:
- A data backup plan: A data backup plan must be implemented to ensure that retrievable, exact copies of electronic protected health information can be created.
- A disaster recovery plan: A disaster recovery plan must be implemented to ensure policies and procedures are in place to restore or recover copies of lost data.
- An emergency mode operation plan: An emergency mode operation plan must be implemented to enable continued operation of critical business processes while in emergency mode after a disaster.
Plus, there are a few physical safeguards that must be in place, such as facility access controls, to maintain security. When implementing physical safeguards, it’s fundamental to ensure they:
- Limit physical access to electronic information systems and the facilities storing those systems.
- Allow facility access in support of restoration of lost data in the event of a disaster.
When it comes to technical safeguards, there are a few important safeguards to implement, including:
- Encryption and decryption technologies for electronic protected health information.
- Audit controls to record activity involving systems that store or maintain electronic protected health information.
- Security measures to prevent unauthorized access to electronic protected health information that’s transmitted over the network.
Under the HIPAA Security Rule, healthcare organizations and covered entities must evaluate their IT systems while ensuring electronic protected health information is protected, recoverable, and secure.
All About the HIPAA Omnibus Rule…
The HIPAA Final Omnibus Rule, announced on January 17th, 2013, expands privacy protections and applies them to healthcare organizations and covered entities, including business associates. What “business associate” means might seem confusing, but essentially, a business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information.
The Department of Health and Human Services (HHS) has a few great examples of what a “business associate” would be:
- A third party administrator that assists a healthcare organization or covered entity with processing claims.
- A CPA firm whose accounting services to a healthcare organization or covered entity involve accessing protected health information.
- An attorney whose legal services to a healthcare organization or covered entity involve accessing protected health information.
What doesn’t count as a “business associate”? HIPAA includes a “conduit exception,” which exempts businesses that simply provide courier services, such as the U.S. Postal Service and Internet service providers. However, those who maintain electronic protected health information, such as cloud backup or data storage providers, are considered business associates.
As a result, cloud backup or data storage providers are required to sign a business associate agreement with the healthcare organizations or covered entities they’re serving. The agreement must:
- Outline the business associate’s permitted and required uses of protected health information.
- State that the business associate will not use or further disclose the protected health information without permission.
- Require the business associate to implement appropriate safeguards to prevent unauthorized access to protected health information.
So where does ECW Computers come in? We offer cloud-based data protection services to keep healthcare organizations and covered entities in compliance while ensuring electronic protected health information is secure, reliable, and recoverable!
ECW Computers Offers Cloud-Based Data Protection Services to Keep You In Compliance with HIPAA Requirements & Rules!
When it comes to HIPAA compliance, it’s more important than ever before to ensure your IT support company can help you keep all of your electronic protected health information secure, reliable, and recoverable. Fortunately, our cloud-based data protection services include cloud backup, archiving, and recovery to automate the process of securely backing up and recovering files.
Ultimately, our cloud-based data protection services were created with healthcare providers and covered entities in mind; and we ensure you’re in compliance through:
- Security & encryption: During a backup, data is encrypted using 256-bit AES encryption. Each encrypted file is then sent over the Internet through a secure channel using SSL and stored in two redundant, level 4, SSAE 16 compliant secure data centers located thousands of miles apart. Both data centers are monitored around the clock with advanced security technology, including biometric access controls and backup generators.
- Logging & archiving: When a file is backed up, the file is recorded in an audit log along with additional information and statistics about the backup. The audit log allows us to verify that the file was successfully backed up and, if it wasn’t, to troubleshoot any issues that occurred. We also receive an automated email notification for each successful backup and have access to information about recent backups and total storage usage.
- Backup & recovery: The backup and recovery processes are automated to eliminate the need for manual data handling. Backups occur according to your needs and preferences, and restoring files takes only a few clicks. Once restored, the files are downloaded to the specified user’s computer, decrypted using a password, and returned to their original location. If a complete system failure occurs, a full recovery can be done in a few minutes.
Looking to consistently protect your patients’ electronic protected health information while complying with HIPAA requirements and rules? ECW Computers offers cloud-based data protection services to simplify the process of compliance! To learn more, give us a call at {phone} or send us an email at {email}.