Becoming and staying HIPAA compliant has become a daunting task, and it affects more than just medical offices and healthcare providers. Vendors that create, receive, store or transmit patient data on behalf of a healthcare company (HIPAA calls them "business associates") must learn and implement the same kinds of policies when they touch any aspect of patient or pharmaceutical data. HIPAA compliance has become more focused on the technology component because so much of what healthcare providers do now revolves around accessing digital data.
HIPAA compliance, in a nutshell, is comprised of three main areas:
- Acceptable use of your technology devices and data
- A written plan for compliance
- Scheduled audits and updates for your technology use plan
Acceptable use of your technology devices and data
HIPAA compliance is based on "reasonable and appropriate" safeguards (the Security Rule's own wording) applied consistently to protect patient data. You need to be able to demonstrate to an auditor that your use of technology and your access to digital (and written) patient data follow an "acceptable use" policy that you have written down and made available to every employee.
Start with a one-to-two page "Acceptable Use" document that each employee must read and sign. This document clearly outlines which data employees may access on their computers and what they may do with the data once accessed. You also need to train your employees on how to report a suspected violation of the Acceptable Use policy, and to whom.
After you have the Acceptable Use policy, start working through the HIPAA Security Rule checklist and guidance published by the HHS Office for Civil Rights (hhs.gov/hipaa), which covers all the technology components involved in being compliant. If you aren't sure about any item, engage competent IT support so your plan is done right the first time and your exposure is minimized.
A written plan for compliance
One major part of HIPAA compliance is still the written plan. You need to have a written plan that details:
- Who is the "champion" (point person) of your facility; the Security Rule requires that you formally designate a security official, so name that person here
- Who will conduct the regular (usually quarterly) audits
- Who is responsible for training new employees
- Who maintains the inventory of user accounts and what each account is allowed to access (this is a list of accounts and permissions, never a list of passwords; passwords should not be written down in a shared log)
- Who is responsible for interfacing with outside IT support
- Who interfaces with your software vendors and informs your employees of changes and upgrades to your various software programs, etc.
The written plan and the log file are among the first items a HIPAA auditor will request. They show that you are using reasonable practices and procedures, updated regularly, to ensure that patient data is protected. For our healthcare clients, the office manager is usually the "champion" and the person with whom we interact on compliance issues.
Scheduled audits and updates for your technology use plan
You need to be conducting an internal audit of your HIPAA compliance at least quarterly and whenever you terminate or hire employees. Whenever an employee leaves, you need to immediately disable his or her computer account (disable rather than delete, so the account's history and files are preserved) and change any shared, administrative or vendor passwords that person knew. Back up their files and folders to your server and keep them for at least one year. Note that HIPAA itself requires you to retain your compliance documentation (policies, procedures, audit logs and the written plan) for six years from the date it was created or last in effect, so the logbook described below must be kept for at least that long.
Your quarterly audit needs to be recorded in a logbook to show that you are conducting the audit, along with a brief summary of your findings. Be sure to record each problem in the logbook followed by how you fixed it, and when. This shows that you are proactive and working to constantly improve. Unless you have IT support available or on staff, you will want to contract with an IT services company to conduct the network audit. This procedure uses a vulnerability scanner that probes your network for open ports, missing patches, default or weak configurations and other "open doors" that could be exploited by attackers, whether internal or external. This network audit should be completed quarterly, because compliance issues can arise from the installation of new software and even from routine software upgrades.
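The account side of the quarterly audit (terminated employees whose accounts are still enabled, stale accounts, shared logins with no named owner, and staff whose group membership grants access to patient records that their role does not call for) is easy to script once you have an HR roster and a directory export. The following is an added example written for this page, not code from the article or from Accelera; the roster and directory export are constructed CSV data, and the role names, group names and 90-day staleness window are assumptions chosen for the example. It produces the kind of dated logbook entry the paragraph above describes.

```python
"""Quarterly user-account access review (added example, not the article's code).

Inputs are constructed inline: an HR roster (who is currently employed and in
which role) and a directory export (accounts, enabled flag, last logon, groups).
The review flags the findings an auditor would ask about and writes a dated
logbook entry summarising each finding with its follow-up action.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed role and group names for the example; adjust to your own directory.
PHI_ROLES = {"physician", "nurse", "billing", "office_manager"}  # roles expected to access PHI
PHI_GROUPS = {"EHR-Users", "Billing-Users"}                      # groups that grant PHI access
STALE_DAYS = 90                                                   # no logon in this window => stale
EXAMPLE_DATE = date(2024, 6, 1)                                   # review date for the sample data

# Constructed HR roster: username, full name, role, employment status.
HR_ROSTER_CSV = """username,name,role,status
jdoe,Jane Doe,physician,active
rsmith,Rob Smith,nurse,active
mlee,Mia Lee,billing,active
tbrown,Tom Brown,reception,active
kwong,Kim Wong,nurse,terminated
"""

# Constructed directory export: username, enabled flag, last logon, ;-separated groups.
DIRECTORY_CSV = """username,enabled,last_logon,groups
jdoe,true,2024-05-28,EHR-Users;Domain Users
rsmith,true,2024-05-30,EHR-Users;Domain Users
mlee,true,2024-01-15,Billing-Users;Domain Users
tbrown,true,2024-05-29,EHR-Users;Domain Users
kwong,true,2024-04-02,EHR-Users;Domain Users
frontdesk,true,2024-05-30,EHR-Users;Domain Users
oldvendor,false,2023-02-10,Domain Users
"""


@dataclass
class Finding:
    username: str
    issue: str
    action: str


def load_roster(text: str) -> dict[str, dict]:
    """Index the HR roster by username."""
    return {r["username"]: r for r in csv.DictReader(io.StringIO(text))}


def load_directory(text: str) -> list[dict]:
    """Parse the directory export, converting the enabled flag, date and group list."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["enabled"] = r["enabled"].lower() == "true"
        r["last_logon"] = date.fromisoformat(r["last_logon"])
        r["groups"] = set(r["groups"].split(";"))
        rows.append(r)
    return rows


def review_accounts(roster_csv: str, directory_csv: str, as_of: date) -> list[Finding]:
    """Compare every enabled account against the HR roster and return the exceptions."""
    roster = load_roster(roster_csv)
    cutoff = as_of - timedelta(days=STALE_DAYS)
    findings: list[Finding] = []
    for acct in load_directory(directory_csv):
        user = acct["username"]
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this review
        person = roster.get(user)
        if person is None:
            findings.append(Finding(user, "enabled account with no owner on the HR roster (shared or orphaned)",
                                    "assign a named owner or disable it; shared logins defeat access logging"))
            continue
        if person["status"] != "active":
            findings.append(Finding(user, "terminated employee still has an enabled account",
                                    "disable immediately, rotate shared credentials they knew, preserve files"))
            continue
        if acct["last_logon"] < cutoff:
            findings.append(Finding(user, f"no logon in {STALE_DAYS} days",
                                    "confirm the account is still needed, otherwise disable it"))
        if acct["groups"] & PHI_GROUPS and person["role"] not in PHI_ROLES:
            findings.append(Finding(user, f"role '{person['role']}' is a member of a PHI access group",
                                    "remove PHI group membership unless the need is justified in writing"))
    return findings


def logbook_entry(findings: list[Finding], as_of: date, reviewer: str) -> str:
    """Render the dated entry that goes into the compliance logbook."""
    lines = [f"{as_of.isoformat()} quarterly access review by {reviewer}: {len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"  - {f.username}: {f.issue} -> {f.action}")
    if not findings:
        lines.append("  - no exceptions")
    return "\n".join(lines)


def example_review() -> list[Finding]:
    """Run the review over the constructed sample data."""
    return review_accounts(HR_ROSTER_CSV, DIRECTORY_CSV, EXAMPLE_DATE)


if __name__ == "__main__":
    print(logbook_entry(example_review(), EXAMPLE_DATE, "office manager"))
```

On the sample data the review flags four accounts: mlee (stale), tbrown (reception staff in an EHR access group), kwong (terminated but still enabled) and frontdesk (a shared login with no named owner). Each finding carries the remediation that should be written into the logbook, which is what demonstrates to an auditor that the audit was performed and acted on, not merely scheduled.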
HIPAA compliance is rapidly becoming more technology-centric and involves far more than making sure everyone uses a password to log in to their computer. Your network and Internet access can create compliance issues of their own, and they need to be addressed before they become a problem. An audit that finds no written plan, no Acceptable Use document and no log file showing that you have taken reasonable and prudent steps toward compliance can be devastating to the practice, and your business continuity plan will not protect you from it. It is far cheaper to have those three items in place and kept current than to reconstruct them under audit.
About Accelera IT Solutions
Accelera IT Solutions is a Phoenix, Arizona-based provider of complete IT services and solutions, including on-site support, remote support, data backup and replication (to our secure data center), consulting for HIPAA and PCI compliance, IT project management, and cyber-security audits and planning. Accelera also specializes in hardware consulting and the installation and setup of servers, workstations, laptops and desktops. Contact Accelera at 623-266-4190 or at www.acceleradata.com.