Reliable HIPAA Compliance Services

Dedicated to Protecting Your Business with Robust HIPAA Compliance Solutions

24/7/365 Support

Proactive Maintenance

Customized Service

HIPAA IS A LEGAL REQUIREMENT

Everyone complains that the HIPAA Security Rule is inconvenient (it is), but that does not mean you can break the security rules in your medical office any more than you can break the security rules at airports, government buildings, and sporting events. Below we first explain the difference between Required and Addressable specifications, then list HIPAA Security Rule controls that we see medical practices ignoring on a regular basis.

Required Or Addressable Specifications

The HIPAA Security Rule’s Implementation Specifications are designated either Required or Addressable. Addressable specifications are sometimes mistaken for Optional ones; they are not.

Creating Alternatives To Specifications

The US Department of Health & Human Services says “a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” Whichever path you take, the decision and the reasoning behind it must be written down: an addressable specification you skip without a documented, risk-based justification is a compliance gap, not an option you exercised.

Don't let the complexity of HIPAA Security Rule regulations lead to costly mistakes. Our experts can guide you through the compliance maze, ensuring your practice meets every requirement efficiently. Contact us today to get started!

Required HIPAA Controls

Required HIPAA Risk Analysis

Risk Analysis is the first implementation specification in the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)). The regulation itself says little about how to do it, but the Office for Civil Rights (OCR) publishes guidance for smaller practices and the National Institute of Standards and Technology (NIST) has a free 95-page guide.

Required HIPAA Risk Management

Many practices stop at the Risk Analysis and put it on the shelf in case of an audit. The HIPAA Security Rule’s Risk Management specification also requires you to document the actions you will take to reduce each identified risk to a reasonable and appropriate level (or to accept it, with the reason recorded) and to follow through on them.

Required Healthcare Data Disaster Plan

“Establish (and implement as needed) procedures to restore any loss of data.” The requirement is narrower than it sounds. While common sense says every medical organization and business should have a plan to survive a disaster, the HIPAA Security Rule only cares about access to patient data. Document how you will recover access to your data and you will comply with the HIPAA Security Rule. Document how you will communicate with your staff, work from an alternate site, and operate after a disaster, and your organization will survive. Keep backups both on-premises and off-site, and test a restore periodically: a backup you have never restored from is not a recovery plan.

Required Business Associate Agreements

The original HIPAA Security Rule (compliance date 2005) did not give HIPAA enforcers the power to penalize Business Associates directly for breaches. That changed with the HIPAA Omnibus Final Rule in 2013. Business Associate Agreements updated to the Omnibus wording are required, and Covered Entities can be held liable for the conduct of their Business Associates and of their Business Associates’ subcontractors. Don’t stop with the paperwork. Since you carry that liability, validate that your vendors, and their vendors, actually comply with HIPAA.

Required Audit Controls

While everyone thinks their patient data is housed exclusively in their EHR system, it is all over the place: server folders, laptops, desktop computer hard drives, portable drives, and smartphones. The HIPAA Security Rule requires mechanisms that record and examine activity in every system holding ePHI, and its documentation must be retained for six years, so plan to keep access logs for that long. In practice that means centralized accounts and centralized logging: an Active Directory domain rather than a workgroup, where every machine keeps its own local accounts and its own logs and nobody can reconstruct who did what.

Addressable HIPAA Data Encryption

Encryption done right means no reportable data breach. With all the reported data breaches, why this isn’t Required by the HIPAA Security Rule is beyond me. Encrypting data is not expensive, and a lost or stolen device whose data is encrypted is not a reportable breach, provided the encryption meets the HHS guidance (NIST-recognized methods, such as full-disk encryption on laptops) and the key or password was not lost along with the device. Recently Advocate Health Care in Chicago had four computers stolen and breached 4 million records. An Omnicell technician had his laptop stolen and breached 68,000 records. Would you rather pay millions of dollars to notify patients and pay fines, or a lot less to encrypt your devices? Don’t stop at laptops: encrypt everything from thumb drives to servers.
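The check that turns this advice into something you can run: the script below (an added example, not code from Treasure Valley IT) lists every fixed volume on a Windows machine with its BitLocker state and warns about any volume whose protection is not actually on. It uses only the built-in Get-Volume and Get-BitLockerVolume cmdlets; the function name is our own.

```powershell
# Added example (not Treasure Valley IT's code). Reports BitLocker state for every fixed
# volume with a drive letter, then warns about any that are not actively protected.
# Run in an elevated PowerShell on Windows Pro/Enterprise/Server; needs the BitLocker module.
function Get-FixedVolumeEncryptionStatus {
    # Only fixed disks with a letter: those are the drives that hold data and can be stolen.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
    foreach ($v in $fixed) {
        $mp = "$($v.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        [pscustomobject]@{
            MountPoint    = $mp
            # ProtectionStatus is On/Off/Unknown; a volume that was encrypted but then had
            # protection suspended reports Off and is as exposed as a plain disk.
            Protection    = if ($bl) { "$($bl.ProtectionStatus)" } else { 'NoBitLocker' }
            VolumeStatus  = if ($bl) { "$($bl.VolumeStatus)" } else { 'n/a' }
            PercentDone   = if ($bl) { $bl.EncryptionPercentage } else { 0 }
            # Which unlock methods exist (Tpm, TpmPin, RecoveryPassword, ...).
            KeyProtectors = if ($bl) { ($bl.KeyProtector.KeyProtectorType -join ',') } else { '' }
        }
    }
}

$report = Get-FixedVolumeEncryptionStatus
$report | Format-Table -AutoSize

# Anything other than Protection = On fails the check, including "encrypting, 60% done".
$unprotected = $report | Where-Object { $_.Protection -ne 'On' }
if ($unprotected) {
    Write-Warning ("Volumes without active BitLocker protection: " + ($unprotected.MountPoint -join ', '))
}
# Removable media: Get-BitLockerVolume with no -MountPoint lists every volume it knows about,
# including USB drives, so the same check extends to thumb drives (BitLocker To Go).
```

Two things the report does not prove and you must verify separately: that each volume’s recovery password is escrowed somewhere you control (Backup-BitLockerKeyProtector to Active Directory is the usual route), because a lost key means lost patient data rather than a safe-harbor win; and that laptops use a TPM plus PIN protector rather than TPM alone, since a TPM-only machine boots unattended to the logon screen and gives a thief a running system to attack.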

Required Unique User Identification

No shared logins and passwords are allowed by the HIPAA Security Rule — none. All systems that provide access to electronic Protected Health Information (ePHI) must be able to track users and what files they create, access, and modify. This includes IT staff and outsourced IT providers that access systems housing patient information.
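The two requirements above (Audit Controls and Unique User Identification) are easiest to understand by looking at what the logs should let you answer. The script below is an added example, not code from Treasure Valley IT: it takes Windows Security log events (logon event 4624 and file access event 4663), produces the “who touched which patient file” record an auditor asks for, and flags the classic symptom of a shared login, one account active on two workstations within minutes. The events are constructed sample data and the function names and the generic-account pattern are our own assumptions.

```powershell
# Added example (not Treasure Valley IT's code). Two checks over Windows Security log events:
# a per-user file access record (Audit Controls) and a shared-credential indicator (Unique
# User Identification). The events below are constructed sample data. On a live domain the
# same fields come from, for example:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4663; StartTime=(Get-Date).AddDays(-1)}
# using TargetUserName/SubjectUserName, WorkstationName and ObjectName from each event's XML.
# 4663 only appears if "Audit File System" is enabled and the patient folder carries a SACL.

$events = @(
    [pscustomobject]@{ Time='2024-03-01T08:02:10'; Id=4624; User='jsmith';    Source='FRONTDESK1'; Object=$null }
    [pscustomobject]@{ Time='2024-03-01T08:05:42'; Id=4624; User='jsmith';    Source='EXAMROOM2';  Object=$null }
    [pscustomobject]@{ Time='2024-03-01T08:06:03'; Id=4663; User='jsmith';    Source='FS01';       Object='D:\Patients\Doe_John.pdf' }
    [pscustomobject]@{ Time='2024-03-01T08:30:11'; Id=4624; User='drjones';   Source='EXAMROOM1';  Object=$null }
    [pscustomobject]@{ Time='2024-03-01T08:31:55'; Id=4663; User='drjones';   Source='FS01';       Object='D:\Patients\Roe_Jane.pdf' }
    [pscustomobject]@{ Time='2024-03-01T09:10:00'; Id=4663; User='frontdesk'; Source='FS01';       Object='D:\Patients\Doe_John.pdf' }
    [pscustomobject]@{ Time='2024-03-01T09:12:30'; Id=4663; User='frontdesk'; Source='FS01';       Object='D:\Patients\Doe_John.pdf' }
)

function Get-FileAccessReport {
    param([object[]]$Events)
    # One row per (user, file) with the number of 4663 accesses and the time span: this is
    # the record the Security Rule expects you to be able to produce and keep.
    $Events | Where-Object Id -eq 4663 |
        Group-Object User, Object |
        ForEach-Object {
            $times = $_.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object
            [pscustomobject]@{
                User  = $_.Group[0].User
                File  = $_.Group[0].Object
                Count = $_.Count
                First = $times[0]
                Last  = $times[-1]
            }
        } | Sort-Object User, File
}

function Find-SharedAccounts {
    param([object[]]$Events, [int]$WindowMinutes = 15)
    # Two logons (4624) by the same account from different workstations inside the window
    # are the usual fingerprint of a password that several people know.
    $Events | Where-Object Id -eq 4624 |
        Group-Object User |
        ForEach-Object {
            $logons = @($_.Group | Sort-Object { [datetime]$_.Time })
            for ($i = 1; $i -lt $logons.Count; $i++) {
                $prev = $logons[$i - 1]; $cur = $logons[$i]
                $gap = ([datetime]$cur.Time - [datetime]$prev.Time).TotalMinutes
                if ($cur.Source -ne $prev.Source -and $gap -le $WindowMinutes) {
                    [pscustomobject]@{
                        User         = $cur.User
                        Workstations = "$($prev.Source) -> $($cur.Source)"
                        MinutesApart = [math]::Round($gap, 1)
                    }
                }
            }
        }
}

function Find-GenericAccounts {
    # Heuristic (the pattern is an assumption for this example): role-named accounts that
    # touch ePHI cannot be tied to a person, which is exactly what the requirement forbids.
    param([object[]]$Events, [string]$Pattern = '^(frontdesk|reception|nurse|exam|scanner|admin)\w*$')
    $Events | Where-Object { $_.Id -eq 4663 -and $_.User -match $Pattern } |
        Select-Object -ExpandProperty User -Unique
}

'--- File access by user (event 4663) ---'
Get-FileAccessReport -Events $events | Format-Table -AutoSize
'--- Same account on two workstations within 15 minutes (event 4624) ---'
Find-SharedAccounts -Events $events | Format-Table -AutoSize
'--- Role-named accounts touching patient files ---'
Find-GenericAccounts -Events $events
```

On the sample data the second check flags jsmith (FRONTDESK1 to EXAMROOM2, 3.5 minutes apart) and the third flags the frontdesk account. On a real server the first check is empty until file auditing is turned on (auditpol /set /subcategory:"File System" /success:enable /failure:enable, plus an auditing entry on the patient-data folder), and the Security log must be forwarded or archived, because its default size rolls over long before six years.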

Addressable Automatic Logoff/Lockout

“This is so inconvenient!” “It slows our doctors down!” “It’s such a pain to keep logging in!”

What the specification actually asks for is an electronic procedure that ends a session after a set period of inactivity. A screen lock after a few minutes of idle time with a quick re-authentication satisfies it without logging the user out of the EHR entirely, and it closes the door that an unattended exam-room workstation leaves open to anyone walking by.

Bottom Line With HIPAA Security

Beware: the Office of the National Coordinator for Health IT (ONC), in its Meaningful Use guidance, says, “It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

A missing, outdated, or incomplete Risk Analysis is the most common finding behind OCR’s HIPAA fines. If you want to pass an audit, think twice about doing this yourself.

Our advice is to consider all HIPAA Security Rule Implementation Specifications Required. You will be compliant, more secure, and reduce the risk of a reportable data breach, millions of dollars in costs, and tons of grief.

Ready to Secure Your Practice? Our team of experienced professionals is here to ensure you meet every HIPAA requirement with precision.

Service Area


Treasure Valley IT proudly serves Boise and the surrounding cities. We are dedicated to supporting local businesses with our top-notch IT solutions, ensuring compliance and security for all our clients.

Contact Us Now for a HIPAA Compliance Consultation!