HIPAA specifies a number of standards providing for patient health information (PHI) portability between providers and accountability for errors and data integrity. Much of compliance falls on your computer network and the procedures that you follow to ensure the security and privacy of your patient information.
A simplified list of the compliance requirements your computer systems must meet:
- Access to the network, and therefore to the patient information, must be restricted, with some form of identity confirmation.
- Transfer of information must be controlled and restricted.
- Disposal of any computer media that contained patient information must be controlled.
- When an authorized user ceases access, or is fired from your organization, their access must be removed.
- Procedures must be in place to protect terminals against mistakes by users, such as an automatic time-based logoff.
- All access to data must be logged, recording the point of access and the user who made that access.
- Methods must be in place to confirm data integrity, including both on-site and off-site backups.
- Every transfer of data must be secure, meaning at least encrypted.
- Data storage must be secure, meaning at least encrypted.
Congress recently passed the HITECH Act, which imposes very large penalties for failure to comply with HIPAA.
Does your current IT company ensure your compliance? Have you regularly reviewed their work, to see that they meet the above basic checklist?
If you are not confident that you meet the electronic requirements of HIPAA, contact us. We’ll walk you through some basic checklists, review your network, confirm encryption and backups, and give you a roadmap to compliance.