If you collect, process, store or transmit protected health information (PHI), including medical records, you will need to be able to pass a HIPAA audit to meet HIPAA compliance. To meet security safeguards, certain technologies and procedures are recommended in the industry, even if not specifically outlined by HIPAA standards.
The rules and regulations in the Code of Federal Regulations (CFR) that pertain to HIPAA dictate that Online Tech, as a business that deals with clients’ PHI, must:
- Protect the availability, integrity and confidentiality of PHI
- Have Business Associate Agreements (BAAs) with clients who have PHI
- Report any violations of PHI misuse to the OCR (the Office for Civil Rights, which audits, fines and charges companies and individuals for HIPAA violations).
We deploy all of the following technology internally that helped us pass our own HIPAA audit, and allows us to offer HIPAA compliant hosting solutions in our HIPAA compliant data centers (we also happen to offer and recommend these services to our clients that need to be HIPAA compliant):
- Private Firewall services (either a Virtual or Dedicated Firewall) with VPN for remote access
- Managed Cloud Server (good to ensure high availability and access to data and applications)
- Separate database and web servers for production
- Separate test server (web and database may share the test server, but it must not be the production server)
- Offsite backup at a minimum, although disaster recovery is better
- SSL certificates and HTTPS for all web-based access to PHI (to ensure secure connections)
- Set up private IP addresses
- Encryption – best practice for PHI while it is stored in the database and especially while in transit. PHI should be encrypted to the NIST standard, the Advanced Encryption Standard (AES).
HIPAA compliance is about more than just deploying the right technology; it’s also about your own policies and procedures. What are some best practices for your company to do to meet HIPAA compliance?
- Documentation – write out data management, security, employee training and notification plans.
- Implement a password policy.
- Don’t use public FTP (File Transfer Protocol) to move your files.
- Only use VPN access for remote access.
- Implement login retry protection in your application.
- Document a tested and detailed disaster recovery plan to recover data in the event of a disaster.
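The login retry protection recommended above, as an added illustration that is not code from Online Tech or the original post: a per-account failure counter that locks the account for a window after repeated failures, rejects even a correct password while locked (so the lockout cannot be used to confirm a guess), and records every decision for the audit trail. The limits, the `LoginGuard` class and the injectable clock are assumptions made for this example.

```python
import time
from dataclasses import dataclass

# Assumed limits for this example; tune to your own documented password policy.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since last success/lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Tracks failed logins per account and enforces a temporary lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._state = {}
        self.audit = []              # (timestamp, user, event) for the audit log

    def _get(self, user):
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user):
        return self._clock() < self._get(user).locked_until

    def attempt(self, user, password_ok):
        """Return True only if the account is not locked and the password was valid."""
        st = self._get(user)
        now = self._clock()
        if now < st.locked_until:
            # Deny regardless of password_ok: a locked account gives no feedback.
            self.audit.append((now, user, "rejected_locked"))
            return False
        if password_ok:
            st.failures = 0
            self.audit.append((now, user, "success"))
            return True
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            self.audit.append((now, user, "locked"))
        else:
            self.audit.append((now, user, "failure"))
        return False
```

Wire `attempt()` in front of your credential check and ship `audit` to the same log store you use for other PHI access events.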
If you still have questions about HIPAA compliance, register for our educational webinar series on achieving HIPAA compliance.
We encourage you to submit your questions about HIPAA compliance and the auditing process in advance for consideration during the webinar by emailing firstname.lastname@example.org.
Online Tech is hosting a three-part series of free educational webinars titled “A to Z to Achieving HIPAA Compliance” running October 25 – November 8, 2011. This webinar series is helpful for healthcare organizations that interact with patient information or vendors of covered entities that need guidance on becoming HIPAA compliant.
10/25/11 @ 2pm ET: Cost-Effective Protection Against HIPAA Enforcement
In the first webinar of the series, special guest speaker Joe Dylewski will discuss HIPAA enforcement and penalties in the event of a HIPAA violation and how to avoid a HIPAA breach using the most cost-effective methods.
Dylewski, a Certified HIPAA Security Specialist (CHSS) and Certified HIPAA Professional (CHP), has twenty-three years of IT professional experience with eight years spent exclusively in the healthcare industry. Serving as a former Healthcare IT Services Practice Director, Dylewski is now the current President of the ATMP (Applied Technology Methods and Practices) Group, offering HIPAA risk assessments and HIPAA compliance remediation solutions.
11/01/11 @ 2pm ET: Impact of HIPAA Compliance on Business Associates – Changes to Company Policies and Day-to-Day Operations
The second webinar of the series features Online Tech’s Risk Management Officer and Security Officer, Jason Yaeger and his experience guiding a company through a HIPAA audit. Yaeger will discuss the impact of HIPAA certification on his role, company policies, and day-to-day operations for employees of a HIPAA compliant data center.
11/08/11 @ 2pm ET: Sharing PHI Data? Legal Implications of BAAs & Avoiding HIPAA Pitfalls
For the third webinar of the series, special guest speaker Tatiana Melnik will cover legal implications of BAAs (Business Associate Agreements) when patient information is shared, processed, or stored between companies.
As an attorney with the Dickinson Wright law firm, Melnik’s practice focuses on information technology, healthcare information technology, and intellectual property and privacy issues. In addition to being a member of the Michigan Bar Information Technology Law Council and Automation Alley Information Technology Committee, Melnik holds a JD from the University of Michigan Law School and a BS in Information Systems and BBA in International Business from the University of North Florida. Melnik presents at the upcoming Midwest HIMSS conference in November and at the Annual HIMSS conference in February.
Get more information and sign up today.