Five Ways a Small Medical Practice Can Improve HIPAA Compliance

HIPAA compliance is possible for a small medical practice. While it might seem insurmountable, a practice with under 500 employees can still achieve an acceptable level of compliance. You need to be willing to invest in compliance and create a culture of security among all of your staff.

This will not only save you from the regulatory fines you may receive by not being compliant, but it can also help prevent a costly cyber incident that has the potential to make your practice go bankrupt without the proper precautions. Keeping your patients healthy is your top priority. Keeping their data safe is an extension of that responsibility. In this post we will explore five ways you can improve HIPAA compliance in your small healthcare practice.

Safety Starts with a Security Risk Assessment

Your best defense against a HIPAA compliance violation or data incident is prevention. A Security Risk Assessment analyzes your systems, applications, infrastructure, and processes, identifying your vulnerabilities and establishing opportunities for improvement. This is the foundation for formulating the documentation, policies, and procedures you need to support your practice. An in-depth Security Risk Assessment is a multi-layer, comprehensive look into your practice’s entire IT stack, evaluating risks and establishing mitigation tactics and technology solutions.

This is not a one-time project. Technology and your business are continually evolving; therefore, it is imperative to complete a Security Risk Assessment annually. If this is not part of your current operations, speak with your IT Managed Services provider about adding it as part of your services package.

Business Associate Agreements Are for More than You Might Think

Keeping your PHI secure takes a holistic approach. Because most practices utilize third-party entities and people not required by law to maintain HIPAA compliance, it is important to enter into a signed agreement with any third-party vendors you do business with. This document is called a Business Associate Agreement (BAA).

A BAA is a legal agreement between you and the third party to ensure your PHI is protected, and it helps keep your practice HIPAA compliant. Any entity you do business with that could potentially access your PHI should enter into a BAA with your practice, for example: IT providers, your EHR provider, your CPA, and even your phone service provider. Some cloud providers won’t sign a Business Associate Agreement. If you are using a cloud business telephone service, it’s wise to ask your provider to sign a BAA.

HHS has outlined the requirements at 45 CFR 164.504(e). For example, according to HHS, the contract must:

  •   Describe the permitted and required uses of protected health information by the business associate.
  •   Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.
  •   Require the business associate to use appropriate safeguards to prevent the use or disclosure of the protected health information other than as provided for by the contract.

Should an incident occur, from HHS, your obligations include:

  •   Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement.
  •   If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

This is not meant to serve as legal advice. As with any legal document, it is recommended you retain professional legal services when drafting your BAA.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) probably isn’t a new concept to you. Considered the best practice for securing access to everything from social media apps and email to banking portals, it is now a mainstream security control that prevents attackers who obtain your credentials from reaching whatever information and data lie behind them.

To prevent data breaches and protect your PHI, a solid identity and access management (IAM) policy starts with implementing MFA across all your applications, including email. MFA requires users to present more than simply their username and password to gain access.

There are three standard MFA types:

Knowledge (something you know): Examples include a PIN or password
Possession (something you can access): Examples include codes sent to your email or mobile phone
Inherence (something you are): Examples include fingerprints, voice recognition, and other biometrics

When addressing accessibility protocols, there are two places to start implementing MFA:

  •   Email
  •   Computer login

Once you have the essentials covered, rolling out MFA on all apps is a great next step. Also worth exploring is Single Sign-On (SSO), which gives users one login to access all applications. Whatever sign-on method is used should already have MFA in place.

Cautious Communication

Communication tools (email, fax, phones) are core to your practice’s operations; however, choosing the wrong solutions can put you at risk of a data breach or mishandling of PHI. Educating your staff on what can and cannot be sent via email, released over the phone, or faxed is a good first step. Additionally, obtain your patients’ consent on how they receive correspondence relating to their care: opting in to SMS appointment notifications, giving permission to email specific types of information about their care, and so on.

Different communication tools provide different levels of security. Avoid using free email services like Gmail or Hotmail. Before selecting an email provider, understand the security features offered under the plan you select, for example data encryption, email backup, automatic log-off, and the ability to terminate or suspend credentials immediately after an employee no longer works for your practice. Moreover, you need a compliant fax solution, either an old-fashioned paper fax machine or a compliant cloud fax service. Even with a secure email solution, you should never send faxes directly through email.

Finally, provide proper training and education for your staff on the rules they must follow when transmitting electronic PHI. It is your responsibility to ensure they understand and manage their communications so that they stay in compliance with the HHS Security Rule.

Sharing is Not Caring

To achieve HIPAA compliance, employees should never have access to generic accounts shared by multiple people. For every system and application, each employee should have unique credentials that only a system administrator has access to change.

Your PHI is only protected while it remains within your carefully controlled infrastructure. Business should never be conducted on personal devices, even when working from outside the office. Personal devices won’t have the established security protocols and data encryption in place to protect your practice and support HIPAA compliance. Some IT experts will advise encrypting only mobile devices and laptop computers, but we advise encrypting all devices used to conduct business.

Are You Prepared?

HIPAA compliance, especially relating to IT infrastructure and systems, can be daunting, but it doesn’t have to be. Remi IT Solutions is here to help keep you safe and secure. Our clients enjoy peace of mind knowing they have the systems and processes in place to help safeguard their business operations and PHI. If you are missing any key components to protect your practice or patients, set up a time for a consultation with us by calling 401-240-1000 or booking a virtual meeting with us.
