HIPAA presents an amazing amount of challenges and problems for any entity falling under its umbrella. Now that more states are expanding the definition of a covered entity and/or business associate, it’s time to get serious about locking down your HIPAA data and looking for new ways to increase the security of your environment. Fortunately, technology gives us a helping hand with many of these hurdles and simple, often inexpensive solutions can dramatically improve your compliance efforts and help you avoid HIPAA violations. To that end, here are 10 technology tips that small medical practices—and larger ones too—should be implementing.
1. Mobile Device Management – The vast majority of e-mail providers and even some routers give you tools to control the mobile devices your employees use to access email. Use these tools to require passwords, automatic lockouts, and even remote wipes of company data from lost devices.
2. Security Risk Analysis Toolkit – HIPAA requires all covered entities to perform ongoing security risk analyses as part of their statutory compliance efforts. The Department of Health and Human Services released a free Security Risk Analysis Tool that dramatically simplifies this requirement. This tool is easy to use and gives you the ability to do company-wide analyses or narrow ones, such as changes in your IT infrastructure or a new product rollout.
3. E-mail Encryption – If you are not encrypting e-mails that contain PHI, you should. Encryption services are cheap and provide a secure method for you to send and transmit PHI. Services like Zixcorp make encryption easy to use and implement.
4. Secure Cloud Storage – If you use Dropbox or a service like it, you need to either encrypt the files before uploading them or use a service like Sookasa that will automate your encryption. In one of its most recent settlements, a company called SEMC got into big trouble for using an unencrypted and unsecured cloud site to store and exchange documents. Part of their problem was a failure to conduct a security risk assessment on the their digital document storage and handling.
5. Online HIPAA Management – HIPAA compliance programs are tough to manage, keep up-to-date, and track; use a service like HIPAA Trek. Services like this allow you to consolidate your HIPAA efforts into a single online portal, provide training, and produce easy reports for those pesky OCR auditors.
6. Data Encryption – If you use an Apple, activate FileVault. If you use a PC, there are a wealth of encryption programs out there. The bottom line is that you should never have a computer with PHI in an unencrypted state.
7. Automatic Logoff – Every single computer in your company should be set to automatically logoff after a short period of inactivity and computers in high non-employee traffic areas should require access cards, key fobs, or other devices that require physical token to log in.
8. Network Assessments – If you have never had a network assessment, find a local provider and get one performed. They are usually inexpensive, take a couple weeks, and will reveal a wealth of data and information about your network, devices, sysadmin health, patches, users, data flow, etc. These assessments are a vital part of any HIPAA compliance effort and should be done annually.
9. Encrypted Chat and Messaging – If you use text messages to communicate to clients or to other providers about clients, it needs to be secure and encrypted. Regular text is often stored on cell phone company servers for years and is rarely encrypted. There are a variety of providers out there based upon your needs; research and find the right one for you.
10. Remote Desktops and Virtual Computers – The technology and speed behind resources such as Microsoft Remote Desktop, Citrix, and VMWare makes the storage of real data (PHI) on computers obsolete and frankly unnecessarily risky. These programs allow you to work from anywhere, on any machine with nothing stored locally and every piece of data resting securely on the servers.
The key to any successful HIPAA compliance effort is prior planning and documentation. Any change to your HIPAA environment should be analyzed and reviewed before implementation, but the above tips should provide you with some easy technological steps to improving compliance.
- Most HIPAA Violations Stem from Network Server Breaches
- Essential Hardware for HIPAA compliance
- Barcode Scanner Deployment in a Healthcare Setting
Avoiding HIPAA Violations: 10 Simple Technology Tips is authored by Hudson Harris, a HIPAA attorney and privacy expert—read more about the intersection of HIPAA and technology at his blog, Legal Levity.