Grundig IT Newsletter
Computing News That You Can Use
HIPAA rules govern the handling of patient data by healthcare providers, medical businesses, and anyone who works with them as a business associate. They seek to protect patients' personal information, both health-related and otherwise, from reaching anyone who does not need to know it, and they define who you are allowed to share that information with.
The full set of HIPAA requirements is long and continues to grow, but it can be boiled down to a few core concepts:
First, identify what personal information your business handles. You will want to know where information is generated (such as sensors, scanners, questionnaires, or tests), where it is stored (both physical and digital), and how it moves from one place to another.
Second, you need protections for all of the data you handle. This includes obvious measures such as malware protection on your servers, locking patient files in cabinets when not in use, and encrypting company email to prevent unauthorized reading. Choose any cloud storage solution carefully, and make sure old documents and storage devices are properly destroyed. In addition, restrict each person's access to only the information their role requires, eliminate shared passwords, and keep a record of who has access to what.
Third, you need written procedures for routine operations, for data requests, and for emergencies. Give your patients a document explaining what information is gathered about them and how it is protected. You must be able to provide patients with their information when they request it, pass it safely to other parties when the patient needs that, and, if data is damaged, lost, or stolen, follow a prepared response plan, whether the cause is fire, flood, theft, or cybercrime.
Fourth, you need documentation. Put someone in charge of security and compliance, and document their tasks and responsibilities. Make sure every employee knows their own responsibilities and the procedures for the situations that can arise. Regular security training is a strong choice, and documentation should be updated annually after each audit.
Fifth, audit your procedures and policies regularly. Nobody covers all the bases on the first attempt, and the HIPAA rules evolve as technology and knowledge change. Annual audits are also a good opportunity for employees to review their own part in your organization's HIPAA compliance. Unfortunately, HIPAA compliance is not something you achieve once and then consider done for the life of the business; it is a process that must be reviewed and improved every year.
There are a number of useful tools you can use to help track the requirements.
If these compliance requirements feel too daunting at first, reach out to us at Grundig IT and we can help you get started on the compliance journey. Note that we can help mostly with the technical side and less so with the procedural aspects.
Tom Grundig – 925.528.9081 – Tom@grundigit.com