Much like the standards and regulations governing the practice of medicine, the HIPAA/HI-TECH Final Rule outlines the procedures and best practices concerning patient health information (PHI). HIPAA compliance standards come from the Department of Health and Human Services and apply to all medical records, including paper forms and electronic records (ePHI). Medical practices that fail to institute and maintain security procedures risk lawsuits tallying in the millions if a breach occurs.
- A signed Business Associate Agreement must be entered into between any medical practice handling PHI or ePHI and any company it has allowed access to its facilities or hired to handle any of its record keeping (e.g. IT support, cloud services). This ensures that the supporting company understands its responsibilities as outlined in HIPAA and HI-TECH.
- ePHI storage and backup systems must be rigorous and accessible to a degree that complies with the HI-TECH mandate that, after a data failure, exact copies must be recovered within a 48-hour period, after which point a contingency plan needs to be acted upon.
- Patient records (PHI and ePHI) must be guarded. Encryption, firewalls, and antivirus need to be kept current with the latest technologies and the latest best practices in order to combat the growing number of sophisticated attacks coming from hackers and criminals.
- Emails regarding patients and patient records must be sent through an encryption system. It is vital that all employees of a medical practice understand that this information may not be sent through an unprotected email service. This is one of the most common breaches of health record privacy, and it is easily avoidable by using an encryption service to transfer records.
- Flash drives are another way patients' records have been shared insecurely. A USB flash drive is a vulnerable piece of hardware. Moving files within an office on a flash drive is risky, but accepting outside flash drives from patients or associated medical practices is a clear violation of HIPAA/HI-TECH best practices. A compromised USB device could bring down your network and open it to outside breaches in a matter of seconds.
- Sharing passwords and using group passwords has become the adopted workflow in many offices. CTI will work with you to find the workflow that best combines usability and security for your practice.
- Old hardware used at a medical facility often contains sensitive information on its hard drives. Most methods of data erasure do not completely eliminate the information from the drives. These storage devices need to be handled and destroyed securely, in a manner that leaves them completely inaccessible.
- Constant and timely security updates to software are necessary in order to defeat network vulnerabilities. When a software vendor deems a title obsolete, patches and updates are no longer possible. Continuing to run outdated software puts a network at risk and is non-compliant under the HIPAA/HI-TECH Act. Two notable obsolete software packages are Windows XP and Windows Server 2003. These operating systems must be replaced to conform with the security standards laid out in the legislation.